Steps to create a CSR (certificate signing request) using keytool and get it signed by an external CA (Certificate Authority - Thawte)
By Puneeth on Dec 18, 2013
Step 1 :
Create a key pair (private key plus self-signed certificate) using the keytool -genkeypair command
Command : keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 365 -keypass privatepassword -keystore identity.jks -storepass password
Step 2 :
Now create a certificate signing request (CSR), which has to be passed on to your external / third-party CA (Certificate Authority).
Command : keytool -certreq -alias mykey -file certreq.pem -keystore identity.jks
- The above command generates a Certificate Signing Request (CSR) in PKCS#10 format.
- A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
- -sigalg specifies the algorithm used to sign the self-signed certificate (with -genkeypair) or the CSR (with -certreq); this algorithm must be compatible with -keyalg.
- The CSR is stored in the file certreq.pem. If no file is given, the CSR is output to stdout.
- Researchers have successfully broken the MD5 algorithm and forged web server credentials, so MD5 is no longer considered secure. US-CERT advisory 836068 (issued Dec 31, 2008) makes it plain: "Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use." So it is better to set -sigalg to SHA1withRSA.
Step 3 :
Go to your third-party CA website (e.g. http://www.thawte.com/) and submit the contents of certreq.pem.
I am using a Free SSL Trial here for testing.
Step 4 :
Check your inbox for an email from Thawte.
This email will contain your signed certificate, the intermediate certificate and the root certificate.
Copy the contents of each certificate from the email and save each one as a PEM file (signedcert.pem, intermediate.pem and root.pem, as used below):
Step 5 :
Now we need to import these certificates into the identity.jks keystore.
- Import the intermediate certificate first, then the root certificate, and finally the signed certificate.
Command : keytool -importcert -alias inter -file intermediate.pem -keystore identity.jks -storepass password
Command : keytool -importcert -alias root -file root.pem -keystore identity.jks -storepass password
Command : keytool -importcert -alias mykey -file signedcert.pem -keystore identity.jks -storepass password
- The intermediate and root certificates should have different alias names, but the signed certificate must be imported with the same alias that was used when creating the key pair, so that keytool treats it as a certificate reply and replaces the self-signed certificate.
- After importing all three certificates you should see the message: "Certificate reply was installed in keystore".
Step 6 :
Now list the keystore and check that all the certificates were imported successfully.
Command : keytool -list -keystore identity.jks -storepass password
To get detailed output:
Command : keytool -list -v -keystore identity.jks -storepass password
Check for the following in the detailed output :
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Step 7 :
Run the following command to check that the certificate chain is valid (utils.ValidateCertChain is a WebLogic utility, so weblogic.jar must be on the classpath).
Syntax : java utils.ValidateCertChain -jks <alias> <identity_keystore>
Command : java utils.ValidateCertChain -jks mykey identity.jks
Step 8 :
Let's create a trust keystore now, holding only the CA certificates.
Command : keytool -import -file intermediate.pem -alias inter -keystore trust.jks -storepass password
Command : keytool -import -file root.pem -alias root -keystore trust.jks -storepass password
Now that we have successfully created a third-party CA signed identity keystore and a trust keystore, we can configure WLS (WebLogic Server) to use them by configuring Custom Identity and Custom Trust.
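The keytool steps above collected into one script, as an added example that is not part of the original post. It assumes keytool is on PATH, keeps the post's file names, alias and store password (taken from the environment, defaulting to the post's value), and uses SHA256withRSA because public CAs no longer accept SHA-1 signatures; the check_chain function verifies the step 6 output ("Entry type: PrivateKeyEntry" with "Certificate chain length: 3") instead of relying on a visual check:

```shell
#!/bin/sh
# Added example, not the post's own code. Two halves: "request" before the
# CA answers, "install" after the three PEM files from the email are saved.
KEYSTORE=${KEYSTORE:-identity.jks}
TRUSTSTORE=${TRUSTSTORE:-trust.jks}
ALIAS=${ALIAS:-mykey}
STOREPASS=${STOREPASS:-password}   # the post's value; set it in the environment

# kt KEYSTORE ARGS...: run keytool against KEYSTORE with the shared store password.
kt() { store=$1; shift; keytool "$@" -keystore "$store" -storepass "$STOREPASS"; }

# check_chain ALIAS N: read "keytool -list -v" output on stdin; succeed only if
# ALIAS is a PrivateKeyEntry with N certificates in its chain. A chain length
# of 1 means the CA reply was never installed and the self-signed cert remains.
check_chain() {
    awk -v a="$1" -v n="$2" '
        /^Alias name: /                           { cur = $3; next }
        cur == a && /^Entry type: /               { type = $3 }
        cur == a && /^Certificate chain length: / { len = $4 }
        END { exit !(type == "PrivateKeyEntry" && len == n) }'
}

# Steps 1-2: key pair and PKCS#10 request, both signed with SHA256withRSA.
make_request() {
    kt "$KEYSTORE" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -sigalg SHA256withRSA -keypass "$STOREPASS" \
        -dname "CN=example.invalid, O=Example" &&   # constructed subject
    kt "$KEYSTORE" -certreq -alias "$ALIAS" -sigalg SHA256withRSA -file certreq.pem
}

# Steps 5, 6 and 8: import in the post's order (intermediate, root, reply under
# the key pair's alias), verify the chain, then build the trust keystore.
install_reply() {
    kt "$KEYSTORE" -importcert -noprompt -alias inter -file intermediate.pem &&
    kt "$KEYSTORE" -importcert -noprompt -alias root -file root.pem &&
    kt "$KEYSTORE" -importcert -alias "$ALIAS" -file signedcert.pem \
        -keypass "$STOREPASS" || return 1
    kt "$KEYSTORE" -list -v | check_chain "$ALIAS" 3 ||
        { echo "$ALIAS does not carry a 3-certificate chain" >&2; return 1; }
    kt "$TRUSTSTORE" -importcert -noprompt -alias inter -file intermediate.pem &&
    kt "$TRUSTSTORE" -importcert -noprompt -alias root -file root.pem
}

case "${1:-}" in
    request) make_request ;;
    install) install_reply ;;
esac
```

Run `sh script.sh request`, submit certreq.pem to the CA, save the returned certificates, then run `sh script.sh install`.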