Generate Certificate Requests by Using a Utility
You can also generate a certificate by using any utility or tool of your choice. The keytool utility (which is available with JDK) has been used for the following operations:
- Generate the keystore. The keytool utility stores the keys and certificates in a file termed a keystore. This file is a repository of certificates that identify a client or a server. Typically, a keystore is specific to one client or one server. The default keystore implementation implements the keystore as a file. The keystore protects private keys by using a password. The keystores are created in the directory from which you run the keytool utility. The 1024-bit key size shown here is below the 2048-bit minimum that publicly trusted CAs accept for RSA keys, so confirm the size your CA requires before you generate the key. Use the following command to generate the keystore:
  %JAVA_HOME%\bin\keytool -genkey -keyalg RSA -alias <server/or/client> -keystore <keystore_name>.jks -storetype JKS -storepass <password> -keysize 1024 -validity <validity_period_in_days>
- Generate the Certificate Signing Request (CSR). A CSR is encrypted identification text (see the first table in Obtaining Certificates Directly Through a Certificate Authority (CA)), and must be generated on the system where the certificate is used. A private key is created simultaneously when you create the CSR. Use the following command to generate the CSR:
  %JAVA_HOME%\bin\keytool -certreq -v -alias <server/or/client> -keystore <keystore_name>.jks -storepass <password> -file <server/or/client>certreq.csr
- Generate the certificate by submitting the CSR generated in the preceding step to a CA.
  - Access the link to the CA of your choice. For example, if you are using MSCA, then the link is similar to: http://<IP_Address_of_the_CA>/certsrv/
  - Navigate to the link to create and submit the certificate request. If you are using MSCA, then under the Select a task section, click the Request a certificate option, then the advanced certificate request option, and then the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file option (or if you are renewing the certificate, then submit a renewal request by using a base-64-encoded PKCS #7 file). Finally, copy and paste the contents of <server/or/client>clientcertreq.csr in the Base-64-encoded certificate request field and click Submit.
  - Download the following files in the Base-64-encoded format:
    - The signed certificate as clientcert.cer
    - The complete certificate chain as clientcertchain.p7b
    - The CA certificate as clientcacert.cer
- Import the certificate chain into the keystore. Use the following command to do so:
  %JAVA_HOME%\bin\keytool -import -keystore <server/or/client>keystore.jks -storepass <password> -file <server/or/client>certchain.p7b -alias <server/or/client>
- Convert the certificates or keystore to the required formats:
  - From DER Format
    - To convert DER format to PEM, use the following command:
      openssl x509 -inform der -in <server/or/client>cert.cer -out <server/or/client>cert.pem
    - To convert DER format to PKCS#12, first convert DER to PEM by using the preceding command. Then convert PEM to PKCS#12 by using the following command:
      openssl pkcs12 -export -out <server/or/client>cert.pfx -inkey privateKey.key -in <server/or/client>cert.pem -certfile <server/or/client>cacert.cer
  - From P7B Format
    - To convert P7B format to PEM, use the following command:
      openssl pkcs7 -print_certs -in <server/or/client>cert.p7b -out <server/or/client>cert.cer
    - To convert P7B format to PKCS#12, first convert P7B to PEM by using the preceding command. Then convert PEM to PKCS#12 by using the following command:
      openssl pkcs12 -export -in <server/or/client>cert.cer -inkey privateKey.key -out <server/or/client>cert.pfx -certfile <server/or/client>cacert.cer
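
Which conversion command applies depends on what a downloaded file actually contains, and a .cer or .p7b extension does not say whether the content is binary DER or Base-64 (PEM). The following Python code is an added example, not part of the original documentation; it reports the encoding and structure of a file's bytes so that the matching command can be chosen. The function names and the sample byte strings are assumptions constructed for illustration.

```python
import base64
import re

# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), the content type of a P7B
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf):
    """Return (tag, value) of the first DER element in buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    tag, first, off = buf[0], buf[1], 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length]

def classify_der(der):
    """Classify by the first element inside the outer SEQUENCE."""
    tag, body = read_tlv(der)
    if tag != 0x30:                       # all formats handled here start with SEQUENCE
        return "unknown"
    inner_tag, inner = read_tlv(body)
    if inner_tag == 0x06:                 # PKCS#7 ContentInfo starts with an OID
        return "pkcs7" if inner == SIGNED_DATA_OID else "unknown"
    if inner_tag == 0x02:                 # PKCS#12 PFX starts with INTEGER version 3
        return "pkcs12" if inner == b"\x03" else "unknown"
    if inner_tag == 0x30 and inner[:1] == b"\xa0":   # tbsCertificate with [0] version
        return "x509"                     # v1 certificates (no [0]) fall through
    return "unknown"

def sniff(data):
    """Return (encoding, kind); the PEM label is ignored, the payload decides."""
    try:
        m = PEM_RE.search(data)
        if m:
            return "PEM", classify_der(base64.b64decode(m.group(2)))
        return "DER", classify_der(data)
    except ValueError:
        return "unknown", "unknown"

# Constructed skeletons: outer structure only, not real certificates
X509_DER = bytes.fromhex("30073005a003020102")
P7B_DER = bytes.fromhex("300d06092a864886f70d010702a000")
PFX_DER = bytes.fromhex("3003020103")
# A P7B payload under a CERTIFICATE label, to show why the label is not trusted
P7B_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(P7B_DER) + b"\n-----END CERTIFICATE-----\n"
```

A result of ("PEM", "x509") means the file needs no DER-to-PEM step, and ("PEM", "pkcs7") or ("DER", "pkcs7") means the P7B commands apply.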