13.2.4. Generate a SSL Encryption Key and Certificate

To use an SSL-encrypted HTTP connection (HTTPS), as well as other types of SSL-encrypted communication, you need a signed encryption certificate. You can purchase a certificate from a Certificate Authority (CA), or you can use a self-signed certificate. Self-signed certificates are not considered trustworthy by many third parties, but are appropriate for internal testing purposes.
This procedure enables you to create a self-signed certificate using utilities which are available on Red Hat Enterprise Linux.

Prerequisites

  • You need the keytool utility, which is provided by any Java Development Kit implementation. OpenJDK on Red Hat Enterprise Linux installs this command to /usr/bin/keytool.
  • Understand the syntax and parameters of the keytool command. This procedure uses very generic instructions, because further discussion of the specifics of SSL certificates or of the keytool command is out of scope for this documentation.

Procedure 13.2. Task

  1. Generate a keystore with public and private keys.

    Run the following command to generate a keystore named server.keystore with the alias jboss in your current directory.
    keytool -genkey -alias jboss -keyalg RSA -keystore server.keystore -storepass mykeystorepass -dname "CN=jsmith,OU=Engineering,O=mycompany.com,L=Raleigh,S=NC,C=US"
    The following list describes the parameters used in the keytool command:
    • -genkey: The keytool command to generate a key pair containing a public and private key.
    • -alias: The alias for the keystore. This value is arbitrary, but the alias jboss is the default used by the JBoss Web server.
    • -keyalg: The key pair generation algorithm. In this case it is RSA.
    • -keystore: The name and location of the keystore file. The default location is the current directory. The name you choose is arbitrary. In this case, the file will be named server.keystore.
    • -storepass: This password is used to authenticate to the keystore so that the key can be read. The password must be at least 6 characters long and must be provided when the keystore is accessed. In this case, we used mykeystorepass. If you omit this parameter, you will be prompted to enter it when you execute the command.
    • -keypass: This is the password for the actual key. Note: due to an implementation limitation, this must be the same as the store password.
    • -dname: A quoted string describing the distinguished name for the key, for example: "CN=jsmith,OU=Engineering,O=mycompany.com,L=Raleigh,C=US". This string is a concatenation of the following components:
      • CN - The common name or host name. If the hostname is "jsmith.mycompany.com", the CN is "jsmith".
      • OU - The organizational unit, for example "Engineering".
      • O - The organization name, for example "mycompany.com".
      • L - The locality, for example "Raleigh" or "London".
      • S - The state or province, for example "NC". This parameter is optional.
      • C - The 2 letter country code, for example "US" or "UK".
    When you execute the above command, you are prompted for the following information:
    • If you did not use the -storepass parameter on the command line, you are asked to enter the keystore password. Re-enter the new password at the next prompt.
    • If you did not use the -keypass parameter on the command line, you are asked to enter the key password. Press Enter to set this to the same value as the keystore password.
    When the command completes, the file server.keystore now contains the single key with the alias jboss.
  2. Verify the key.

    Verify that the key works properly by using the following command.
    keytool -list -keystore server.keystore
    You are prompted for the keystore password. The contents of the keystore are displayed (in this case, a single key called jboss). Notice the type of the jboss key, which is keyEntry. This indicates that the keystore contains both a public and private entry for this key.
  3. Generate a certificate signing request.

    Run the following command to generate a certificate signing request using the public key from the keystore you created in step 1.
    keytool -certreq -keyalg RSA -alias jboss -keystore server.keystore -file certreq.csr
    You are prompted for the password in order to authenticate to the keystore. The keytool command then creates a new certificate signing request called certreq.csr in the current working directory.
  4. Test the newly generated certificate.

    Test the contents of the certificate signing request by using the following command.
    openssl req -in certreq.csr -noout -text
    The details of the signing request, including the subject name and public key, are shown.
  5. Optional: Submit your certificate to a Certificate Authority (CA).

    A Certificate Authority (CA) can authenticate your certificate so that it is considered trustworthy by third-party clients. The CA supplies you with a signed certificate, and optionally with one or more intermediate certificates.
  6. Optional: Export a self-signed certificate from the keystore.

    If you only need it for testing or internal purposes, you can use a self-signed certificate. You can export one from the keystore you created in step 1 as follows:
    keytool -export -alias jboss -keystore server.keystore -file server.crt
    You are prompted for the password in order to authenticate to the keystore. A self-signed certificate, named server.crt, is created in the current working directory.
  7. Import the signed certificate, along with any intermediate certificates.

    Import each certificate, in the order that you are instructed by the CA. For each certificate to import, replace intermediate.ca or server.crt with the actual file name. If your certificates are not provided as separate files, create a separate file for each certificate, and paste its contents into the file.

    Note

    Your signed certificate and certificate keys are valuable assets. Be cautious with how you transport them between servers.
    keytool -import -keystore server.keystore -alias intermediateCA -file intermediate.ca
    keytool -import -alias jboss -keystore server.keystore -file server.crt
  8. Test that your certificates imported successfully.

    Run the following command, and enter the keystore password when prompted. The contents of your keystore are displayed, and the certificates are part of the list.
    keytool -list -keystore server.keystore
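The whole procedure as one script, added here as an example and not code from the Red Hat documentation or from JBoss: it runs steps 1, 3, 4, 7 and 8 in a temporary directory, stands in for the CA of step 5 with a throwaway local CA built with openssl, and then checks the imported reply more strictly than by looking for it in the listing. The alias, file names and password are the page's own values; the server name www.mycompany.com, the CA alias testca and the CA subject are assumptions, and the sample keytool listing near the end is constructed so the check functions can be exercised without a JDK.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or of JBoss EAP.
# Runs the keytool procedure end to end against a throwaway local CA built
# with openssl, then checks that the CA reply was paired with the private key.
# Assumptions: keytool (any JDK) and openssl are on PATH; the alias "jboss",
# the file names, the dname values and the password are the page's own test
# values; the server name and the CA alias/subject are hypothetical.
set -eu

KEYSTORE=server.keystore
ALIAS=jboss
STOREPASS=mykeystorepass        # the page's test value, not a real secret
SERVER_NAME=www.mycompany.com   # hypothetical DNS name that clients connect to

# Print the entry type that `keytool -list` records for an alias: keyEntry
# (older JDKs) or PrivateKeyEntry (newer JDKs) for a key pair, trustedCertEntry
# for a certificate only. keytool lower-cases aliases, so the match ignores
# case. Pure shell and awk, so it works on captured output without a JDK.
check_entry_type() {
    listing=$1
    alias=$2
    printf '%s\n' "$listing" | awk -v a="$alias" '
        tolower($0) ~ ("^" tolower(a) ", ") {
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", f[i])
                if (f[i] ~ /Entry$/) { print f[i]; exit }
            }
        }'
}

# Succeeds only when the alias still holds the private key. A CA reply
# imported under an alias other than the key pair's becomes a separate
# trustedCertEntry, leaving the server with a certificate but no key for it.
is_private_key_entry() {
    case $(check_entry_type "$1" "$2") in
        keyEntry|PrivateKeyEntry) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1, 3, 4, 7 and 8 of the procedure, run in a fresh temporary directory.
run_procedure() (
    cd "$(mktemp -d)"

    # Step 1: key pair. -keysize is explicit because older keytool releases
    # default to 1024-bit RSA. Constructed dname with the server name as CN.
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$SERVER_NAME,OU=Engineering,O=mycompany.com,L=Raleigh,S=NC,C=US"

    # Step 3: certificate signing request for the key under the alias.
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -file certreq.csr

    # Step 4: inspect the request and confirm it carries the intended name.
    openssl req -in certreq.csr -noout -subject | grep -q "$SERVER_NAME"

    # Step 5 stand-in: a local test CA (constructed here) signs the request.
    # A real CA returns server.crt and any intermediates out of band.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 1 -subj "/CN=Example Test CA/O=mycompany.com"
    openssl x509 -req -in certreq.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out server.crt

    # Step 7: issuing certificate first, then the reply under the key's own
    # alias so keytool pairs it with the private key and verifies the chain.
    keytool -import -noprompt -alias testca -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file ca.crt
    keytool -import -noprompt -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -file server.crt

    # Step 8: the alias must still be a key entry, and its chain must now be
    # two certificates long (server certificate plus the issuing CA).
    is_private_key_entry "$(keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS")" "$ALIAS"
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | grep -q 'Certificate chain length: 2'
    echo "keystore ready: $PWD/$KEYSTORE"
)

# Constructed sample of `keytool -list` output, in the form an older JDK prints.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

intermediateca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33
jboss, Jan 5, 2024, keyEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    run_procedure
else
    echo "keytool and openssl not found; only the offline entry checks are available" >&2
fi
```

The two checks at the end catch the usual ways step 7 goes wrong: a reply imported under an alias other than the key's shows up as a trustedCertEntry with no private key behind it, and a reply imported before its issuer fails to chain. The example puts the server's DNS name in the CN because HTTPS clients compare the host name they connect to with the name in the certificate; a self-signed certificate for internal testing works with any name as long as the client is told to trust it. Passing -storepass and -keypass on the command line, as the page does for brevity, leaves the password in shell history and visible in the process list while keytool runs, so outside a test let keytool prompt for it.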
Result

Your signed certificate is now included in your keystore and is ready to be used to encrypt SSL connections, including HTTPS web server communications.