11.12.2. Generate a SSL Encryption Key and Certificate
- You need the
keytoolutility, which is provided by any Java Development Kit implementation. OpenJDK on Red Hat Enterprise Linux installs this command to
- Understand the syntax and parameters of the
keytoolcommand. This procedure uses extremely generic instructions, because further discussion of the specifics of SSL certificates or the
keytoolcommand are out of scope for this documentation.
Procedure 11.40. Generate a SSL Encryption Key and Certificate
Generate a keystore with public and private keys.Run the following command to generate a keystore named
server.keystorewith the alias
jbossin your current directory.
keytool -genkeypair -alias jboss -keyalg RSA -keystore server.keystore -storepass mykeystorepass --dname "CN=jsmith,OU=Engineering,O=mycompany.com,L=Raleigh,S=NC,C=US"The following table describes the parameters used in the keytool command:
keytoolcommand to generate a key pair containing a public and private key.
The alias for the keystore. This value is arbitrary, but the alias
jbossis the default used by the JBoss Web server.
The key pair generation algorithm. In this case it is
The name and location of the keystore file. The default location is the current directory. The name you choose is arbitrary. In this case, the file will be named
This password is used to authenticate to the keystore so that the key can be read. The password must be at least 6 characters long and must be provided when the keystore is accessed. In this case, we used
mykeystorepass. If you omit this parameter, you will be prompted to enter it when you execute the command.
-keypassThis is the password for the actual key.
NoteDue to an implementation limitation this must be the same as the store password.
A quoted string describing the distinguished name for the key, for example: "CN=jsmith,OU=Engineering,O=mycompany.com,L=Raleigh,C=US". This string is a concatenation of the following components:
When you execute the above command, you are prompted for the following information:
CN- The common name or host name. If the hostname is "jsmith.mycompany.com", the
OU- The organizational unit, for example "Engineering"
O- The organization name, for example "mycompany.com".
L- The locality, for example "Raleigh" or "London"
S- The state or province, for example "NC". This parameter is optional.
C- The 2 letter country code, for example "US" or "UK",
When the command completes, the file
- If you did not use the
-storepassparameter on the command line, you are asked to enter the keystore password. Re-enter the new password at the next prompt.
- If you did not use the
-keypassparameter on the command line, you are asked to enter the key password. Press Enter to set this to the same value as the keystore password.
server.keystorenow contains the single key with the alias
Verify the key.Verify that the key works properly by using the following command.
keytool -list -keystore server.keystoreYou are prompted for the keystore password. The contents of the keystore are displayed (in this case, a single key called
jboss). Notice the type of the
jbosskey, which is
PrivateKeyEntry. This indicates that the keystore contains both a public and private entry for this key.
Generate a certificate signing request.Run the following command to generate a certificate signing request using the public key from the keystore you created in step 1.
keytool -certreq -keyalg RSA -alias jboss -keystore server.keystore -file certreq.csrYou are prompted for the password in order to authenticate to the keystore. The
keytoolcommand then creates a new certificate signing request called
certreq.csrin the current working directory.
Test the newly generated certificate signing request.Test the contents of the certificate by using the following command.
openssl req -in certreq.csr -noout -textThe certificate details are shown.
Optional: Submit your certificate signing request to a Certificate Authority (CA).A Certificate Authority (CA) can authenticate your certificate so that it is considered trustworthy by third-party clients. The CA supplies you with a signed certificate, and optionally with one or more intermediate certificates.
Optional: Export a self-signed certificate from the keystore.If you only need it for testing or internal purposes, you can use a self-signed certificate. You can export one from the keystore you created in step 1 as follows:
keytool -export -alias jboss -keystore server.keystore -file server.crtYou are prompted for the password in order to authenticate to the keystore. A self-signed certificate, named
server.crt, is created in the current working directory.
Import the signed certificate, along with any intermediate certificates.Import each certificate, in the order that you are instructed by the CA. For each certificate to import, replace
server.crtwith the actual file name. If your certificates are not provided as separate files, create a separate file for each certificate, and paste its contents into the file.
NoteYour signed certificate and certificate keys are valuable assets. Be cautious with how you transport them between servers.
keytool -import -keystore server.keystore -alias intermediateCA -file intermediate.ca
keytool -importcert -alias jboss -keystore server.keystore -file server.crt
Test that your certificates imported successfully.Run the following command, and enter the keystore password when prompted. The contents of your keystore are displayed, and the certificates are part of the list.
keytool -list -keystore server.keystore
Your signed certificate is now included in your keystore and is ready to be used to encrypt SSL connections, including HTTPS web server communications.