Verisign SSL Certificate Creation

Usually one wants to protect a web site using an SSL certificate. One of the most popular certificate-issuing authorities is Verisign. This post provides a step-by-step guide to Verisign certificate creation.

The target deployment server is a Tomcat Web server. Here’s how we proceed with Verisign certificate creation.

Create Keystore

To generate a keystore, use the -genkey option of the keytool utility included in the JDK.

keytool -genkey -alias tomcat1 -keyalg RSA -keystore test.keystore

We have used the alias tomcat1 when creating the keystore. During keystore creation you will be prompted to enter a suitable keystore password, your first name, last name, name of your organizational unit, name of your organization, name of your city, your state, and two-letter country code. On completion you will be asked to confirm that a string like the one below is correct:

CN=TEST TESTER, OU=INS, O=IEEE, L=MUMBAI, ST=MAHARAHSTRA, C=IN

Additionally, you can set a separate password for your key. If you do not, the keystore password will also be your key password. You can verify key creation with the following command.

keytool -list -v -keystore test.keystore

Now that the keystore has been created, let’s move on to creating the Certificate Signing Request. Use the following command:

keytool -certreq -keyalg RSA -alias tomcat1 -file certreq.csr -keystore test.keystore

The contents of certreq.csr are sent to Verisign for certificate enrollment. The contents are typically in the following format:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIB1zCCAUACAQAwgZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcg
........
........
nELWwLTxds8FSK6eqsU1NENMFg==
-----END NEW CERTIFICATE REQUEST-----

Do not use any editor other than vi or Notepad when copying the contents of the request file.

Import the intermediate certificate issued by Verisign into the test keystore. The import command is as follows:

keytool -import -alias intermediateCA -keystore test.keystore -trustcacerts -file intermediateCA.cer

The alias name of the intermediate CA certificate need not match the CSR alias.

On receiving the certificate from Verisign, copy it into a text file, say res.csr. Use the following command to import the certificate response.

keytool -import -alias tomcat1 -keystore test.keystore -trustcacerts -file res.csr

If you have followed the instructions properly, you will see the following message:

Certificate reply was installed in keystore

Use the keytool -list command to verify the contents of the keystore.
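One way to script that final check, as an added example that is not part of the original post: it reads `keytool -list -v` output and confirms that the alias holds a private key whose chain is longer than the single self-signed certificate that -genkey creates. The function names and the two sample listings are constructed for illustration, and the listings are trimmed to the fields the check reads.

```shell
#!/bin/sh
# Added example: inspect `keytool -list -v` output (read on stdin) for one alias.
# Prints "<entry type> <chain length>" and returns 0 only if the alias is a
# PrivateKeyEntry with at least two certificates in its chain, i.e. the CA
# reply has replaced the self-signed certificate generated by -genkey.
check_alias() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }          # keytool lists JKS aliases in lower case
        /^Alias name: /  { cur = tolower(substr($0, 13)) }
        cur == want && /^Entry type: /               { type = $3 }
        cur == want && /^Certificate chain length: / { len = $4 }
        END {
            if (type == "") type = "missing"
            printf "%s %d\n", type, len
            exit !(type == "PrivateKeyEntry" && len >= 2)
        }'
}

# Constructed sample: keystore right after -genkey (self-signed, chain of 1).
before_reply() { cat <<'EOF'
Alias name: tomcat1
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

# Constructed sample: keystore after the intermediate and the reply were imported.
after_reply() { cat <<'EOF'
Alias name: intermediateca
Entry type: trustedCertEntry

Alias name: tomcat1
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# Demo on the constructed listings. Against the real keystore, run:
#   keytool -list -v -keystore test.keystore | check_alias tomcat1
before_reply | check_alias tomcat1 || echo "tomcat1 is still self-signed"
after_reply  | check_alias tomcat1 && echo "tomcat1 carries the CA-issued chain"
```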



One thought on “Verisign SSL Certificate Creation”

  1. Hi,
    I have one doubt: can we generate a private key from intermediateCA.cer? If so, how?
    Can you provide me any example of code in Java?

    RESPONSE:
    I am not sure if intermediateCA.cer can be used to generate your own private key. This certificate is an intermediate cert to bridge the Certificate Signing Request with Verisign provided Certificate response.
