Usually one wants to protect a web site with an SSL certificate, and one of the most popular certificate-issuing authorities is Verisign. This post is a step-by-step guide to obtaining a Verisign certificate.
The target deployment server is a Tomcat web server, which reads its private key and certificate from a Java keystore, so the whole procedure is done with the JDK's keytool. Here is how we proceed.
To generate a keystore (and the RSA key pair inside it), use the -genkey option of the keytool utility that ships with the JDK. Pass the key size explicitly: older JDKs default to 1024-bit RSA, which public CAs no longer accept.
keytool -genkey -alias tomcat1 -keyalg RSA -keysize 2048 -keystore test.keystore
We have used the alias tomcat1 for the key entry; the certificate reply is later imported under this same alias. During keystore creation you will be prompted for a keystore password and then for the distinguished name fields: "first and last name", organizational unit, organization, city, state and two-letter country code. Note that the "first and last name" prompt fills the CN field, and for a server certificate the CN must be the fully qualified host name the site is served under (browsers match it against the URL), not a person's name. On completion keytool asks you to confirm a string like the one below:
CN=www.example.com, OU=INS, O=IEEE, L=MUMBAI, ST=MAHARASHTRA, C=IN
Finally you are asked for a separate password for the private key; if you just press Enter, the key password is the same as the keystore password. Keeping the two equal is the simplest choice for Tomcat, whose connector assumes they match unless you configure them separately. You can verify that the key pair was created with the following command:
keytool -list -v -keystore test.keystore
Now that the keystore exists, let us move on to creating the Certificate Signing Request (CSR). Use the following command (the key algorithm was already fixed when the key pair was generated, so it is not repeated here):
keytool -certreq -alias tomcat1 -file certreq.csr -keystore test.keystore
The contents of certreq.csr are pasted into Verisign's enrollment form. The file is a PEM-encoded PKCS#10 request and looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIB1zCCAUACAQAwgZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcg
........
........
nELWwLTxds8FSK6eqsU1NENMFg==
-----END NEW CERTIFICATE REQUEST-----
Copy the request with a plain-text editor such as vi or Notepad. Word processors and "smart" editors reflow lines, convert characters and add formatting, and any such change corrupts the Base64 body; the BEGIN and END lines must be included exactly as they appear.
Before installing your own certificate, import the intermediate CA certificate issued by Verisign into the keystore, so that keytool can later build the chain from your certificate up to the Verisign root (the root itself is already present in the JDK's cacerts store, which is what -trustcacerts consults). The import command is as follows:
keytool -import -alias intermediateCA -keystore test.keystore -trustcacerts -file intermediateCA.cer
The alias for the intermediate certificate must be different from the CSR alias: tomcat1 already names the private-key entry, and importing a certificate under that alias would be treated as a certificate reply for it and fail.
When Verisign sends back the signed certificate, copy it into a text file, say res.csr (despite the extension this file holds the certificate, not a request). Import it as a certificate reply with the following command. The alias must be tomcat1, the alias of the key entry the CSR was generated from; under any other alias keytool would store it as an unrelated trusted certificate rather than attach it to your private key.
keytool -import -alias tomcat1 -keystore test.keystore -trustcacerts -file res.csr
If you have followed the instructions properly, you will see the following message:
Certificate reply was installed in keystore
Use keytool -list -v -keystore test.keystore to verify the contents of the keystore: the tomcat1 entry should still be a PrivateKeyEntry, its certificate chain length should now be greater than 1, and the first certificate in the chain should be issued by the Verisign intermediate rather than self-signed. If the chain length is still 1, the reply was not installed.