15.2. Generate encryption keys and certificate

15.2.1. Generate a self-signed certificate with keytool

15.2.1.1. Generate a key pair

The keytool command, part of the JDK, is used to generate a new key pair. Keytool can either add the new key pair to an existing key store, or create a new key store at the same time as the key pair.
This key pair will be used to negotiate SSL encryption between the server and remote clients. The following procedure generates a key pair and stores it in a key store called localhost.keystore. You will need to make this key store available to the EJB3 invoker on the server. The key pair in our example will be saved in the key store under the alias 'ejb-ssl'. We will need this key alias, and the key pair password you supply (if any), when configuring the EJB3 Remoting connector in Create a secure remoting connector for RMI.

Procedure 15.1. Generate a new key pair and add it to the key store "localhost.keystore" in the conf directory.

This procedure generates a new key pair for SSL encryption.
  • The following command will create a key pair for use with SSL encryption (the trailing backslashes continue the single command across lines):
    keytool -genkey -alias ejb-ssl -keystore localhost.keystore -storepass KEYSTORE_PASSWORD \
      -keypass EJB-SSL_KEYPAIR_PASSWORD \
      -dname "CN=SERVER_NAME,OU=QE,O=example.com,L=Brno,C=CZ"
    Result:

    A key pair will be added to the key store localhost.keystore under the alias ejb-ssl.

    The parameters for this command are explained in keytool parameters.

keytool parameters

alias
An alphanumeric token used to identify the key pair within the key store. A key store can contain multiple keys, and the alias is the means of uniquely identifying one key pair among them. The alias for a key pair must be unique within a key store.
keystore
The key store that will be used to store the key pair. This can be a relative or absolute file path.
storepass
The password for the key store. If the key store already exists, this must be the existing password for the key store. If the key store specified does not already exist, it will be created and this password will be its new password. This password is needed to access the key store to retrieve or store keys and certificates.
keypass
The password for the new key pair. This password must be supplied to use the key pair in the future.
dname
The identifying details of the certificate.
CN
Common Name: the name of the server. This must match the server name as returned to clients in a JNDI lookup. If a client attempts to make an SSL connection to the server using one name from JNDI, and receives a certificate with a different name, the connection will fail.
OU
Organizational Unit: the name of the organizational unit that is responsible for the server.
O
Organization: The name of the organization, sometimes expressed as a URL.
L
Location: the location of the server.
C
Country: the two-letter country code.

Note

For best security practice, store key store files on a secure file system, readable only by the owner of the JBoss Application Server process.
Note that if no key store is specified on the command line, keytool adds the key pair to a new key store called .keystore in the current user's home directory. Because its name begins with a dot, this key store file is a hidden file.

15.2.1.2. Export a self-signed certificate

Once a key pair has been generated for the server to use, a certificate must be created. Procedure 15.2, “Export a certificate” details the steps to export the certificate for the ejb-ssl key from the key store named localhost.keystore.

Procedure 15.2. Export a certificate

This procedure exports a certificate from a key store into a file.
  1. Issue the following command:
    keytool -export -alias ejb-ssl -file mycert.cer -keystore localhost.keystore
  2. Enter the key store password when prompted.
    Result:

    A certificate is exported to the file mycert.cer. The private key stays in the key store; only the public certificate is written out, so the file can be handed to clients for their trust stores.
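The following script is an added example, not part of the JBoss documentation, that carries Procedure 15.1 and Procedure 15.2 through non-interactively and then checks the three things the text cares about: that the key store ended up readable only by its owner (the Note above), that the ejb-ssl entry is a private-key entry, and that the exported certificate's CN is the server name clients will look up. It assumes a JDK keytool on the PATH; the server name, passwords and file names are constructed placeholders set via environment variables. It uses -genkeypair and -exportcert, the current names for -genkey and -export, and passes -keyalg, -keysize, -validity and -storetype explicitly rather than relying on JDK defaults.

```shell
#!/bin/sh
# Added example (not from the JBoss documentation): generate the ejb-ssl key
# pair, export its self-signed certificate, and verify the result.
# Assumes 'keytool' from a JDK on PATH. All values below are constructed
# placeholders; override them through the environment for a real host.
set -eu

KEYSTORE="${KEYSTORE:-localhost.keystore}"
ALIAS="${ALIAS:-ejb-ssl}"
STOREPASS="${STOREPASS:-changeit-store}"     # placeholder KEYSTORE_PASSWORD
KEYPASS="${KEYPASS:-changeit-key}"           # placeholder EJB-SSL_KEYPAIR_PASSWORD
SERVER_NAME="${SERVER_NAME:-ejbhost.example.com}"   # placeholder CN
CERT_FILE="${CERT_FILE:-mycert.cer}"

# Procedure 15.1: create the key pair. -storetype JKS keeps a key password
# separate from the store password (PKCS12 stores ignore -keypass); newer
# JDKs print a migration warning for JKS but still create it. The subshell
# umask makes the new key store private to its owner from the moment it is
# written, which is what the Note in the text asks for.
gen_keypair() {
    ( umask 077
      keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
          -keystore "$KEYSTORE" -storetype JKS \
          -storepass "$STOREPASS" -keypass "$KEYPASS" \
          -dname "CN=$SERVER_NAME,OU=QE,O=example.com,L=Brno,C=CZ" >/dev/null 2>&1 )
}

# Procedure 15.2: export the self-signed certificate. Only the public
# certificate leaves the key store; the private key is never written out.
export_cert() {
    keytool -exportcert -alias "$ALIAS" -file "$CERT_FILE" \
        -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" >/dev/null 2>&1
}

# Returns 0 when the exported certificate's Owner line starts with the CN
# clients will use; a mismatch here is the "different name" failure the
# dname/CN description warns about.
cert_cn_matches() {
    keytool -printcert -file "$CERT_FILE" | grep -q "^Owner: CN=$SERVER_NAME,"
}

# Returns 0 when the key store is mode 0600 (owner read/write only).
keystore_is_private() {
    [ "$(ls -ld "$KEYSTORE" | cut -c1-10)" = "-rw-------" ]
}

# Returns 0 when the key store lists the alias as a PrivateKeyEntry.
keystore_has_alias() {
    keytool -list -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" \
        | grep -q "^$ALIAS, .*PrivateKeyEntry"
}

# Run the whole procedure when executed directly.
run_all() {
    gen_keypair && keystore_is_private && keystore_has_alias \
        && export_cert && cert_cn_matches
}
```

Run it as `SERVER_NAME=myhost.example.com sh ejb-ssl-keys.sh` after adding a final `run_all` line, or source it and call the functions one at a time. The checks deliberately read keytool's own output (-list and -printcert) rather than trusting that the commands returned zero: a key store created with the wrong CN or left world-readable is exactly the kind of mistake that does not produce an error.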