Filter
Top Products
Chapter 4 Section 4.2
Operating SSL KeyStores and TrustStores
HTTPS eWay Adapter User’s Guide 31 Sun Microsystems, Inc.
This command generates a certificate signing request which can be provided to a CA
for a certificate request. The file client.csr contains the CSR in PEM format.
Some CA (one trusted by the Web server to which the eWay is connecting) must sign
the CSR. The CA generates a certificate for the corresponding CSR and signs the
certificate with its private key. For more information, visit the following web sites:
http://www.thawte.com
or
http://www.verisign.com
If the certificate is chained with the CA’s certificate, perform step 1; otherwise, perform
step 2 in the following list:
1 The following command assumes the client certificate is in the file client.cer and the
CA’s certificate is in the file CARoot.cer:
keytool -import -keystore clientstore -file client.cer -alias
client
This command imports the certificate (which can include more than one CA in
addition to the Client’s certificate).
Also use the following command to import the CA’s certificate into the KeyStore for
chaining with the client’s certificate:
keytool -import -keystore clientkeystore -file CARootcer -alias
theCARoot
2 The following command imports the client’s certificate signed by the CA whose
certificate was imported in the preceding step:
keytool -import -keystore clientkeystore -file client.cer -alias
client
The generated file clientkeystore contains the client’s private key and the associated
certificate chain used for client authentication and signing. The KeyStore and/or
clientkeystore, can then be used as the eWay’s KeyStore.
See the “KeyStores” on page 29 for more information.
Creating a KeyStore in PKCS12 Format
This section explains how to create a PKCS12 KeyStore to work with JSSE. In a real
working environment, a customer could already have an existing private key and
certificate (signed by a known CA). In this case, JKS format can not be used, because it
does not allow the user to import/export the private key through keytool. It is
necessary to generate a PKCS12 database consisting of the private key and its
certificate.
The generated PKCS12 database can then be used as the eWay’s KeyStore. The keytool
utility is currently lacking the ability to write to a PKCS12 database. However, it can
read from a PKCS12 database.
Note: There are additional third-party tools available for generating PKCS12 certificates,
if you want to use a different tool.