Generate Certificate Requests by Using a Utility

You can also generate a certificate by using any utility or tool of your choice. The keytool utility (which is available with JDK) has been used for the following operations:
  1. Generate the keystore.
    The keytool utility stores the keys and certificates in a file termed a keystore. This file is a repository of certificates that identify a client or a server. Typically, a keystore is specific to one client or one server. The default keystore implementation stores the keystore as a file. The keystore protects private keys by using a password. The keystores are created in the directory from which you run the keytool utility.
    Use the following command to generate the keystore:
    %JAVA_HOME%\bin\keytool -genkey -keyalg RSA -alias <server/or/client> -keystore <keystore_name>.jks -storetype JKS -storepass <password> -keysize 1024 -validity <validity_period_in_days>
  2. Generate the Certificate Signing Request (CSR).
    A CSR is encrypted identification text (see the first table in Obtaining Certificates Directly Through a Certificate Authority (CA)), and must be generated on the system where the certificate is used. A private key is created simultaneously when you create the CSR.
    Use the following command to generate the CSR:
    %JAVA_HOME%\bin\keytool -certreq -v -alias <server/or/client> -keystore <keystore_name>.jks -storepass <password> -file <server/or/client>certreq.csr
  3. Generate the certificate by submitting the CSR generated in the preceding step to a CA.
    1. Access the link to the CA of your choice.
      For example, if you are using MSCA, then the link is similar to:
      http://<IP_Address_of_the_CA>/certsrv/
    2. Navigate to the link to create and submit the certificate request.
      If you are using MSCA, then under the Select a task section, click the Request a certificate option, then the advanced certificate request option, and then the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file option (or, if you are renewing the certificate, submit a renewal request by using a base-64-encoded PKCS #7 file). Finally, copy and paste the contents of <server/or/client>certreq.csr into the Base-64-encoded certificate request field and click Submit.
    3. Download the following files in the Base-64-encoded format:
      • The signed certificate as clientcert.cer
      • The complete certificate chain as clientcertchain.p7b
      • The CA certificate as clientcacert.cer
  4. Import the certificate chain into the keystore.
    Use the following command to do so:
    %JAVA_HOME%\bin\keytool -import -keystore <server/or/client>keystore.jks -storepass <password> -file <server/or/client>certchain.p7b -alias <server/or/client>
  5. Convert the certificates or keystore to the required formats:
    • From DER format
      • To convert DER format to PEM, use the following command:
      openssl x509 -inform der -in <server/or/client>cert.cer -out <server/or/client>cert.pem
      • To convert DER format to PKCS#12, first convert DER to PEM using the preceding command. Then convert PEM to PKCS#12 using the following command:
      openssl pkcs12 -export -out <server/or/client>cert.pfx -inkey privateKey.key -in <server/or/client>cert.pem -certfile <server/or/client>cacert.cer
    • From P7B format
      • To convert P7B format to PEM, use the following command:
      openssl pkcs7 -print_certs -in <server/or/client>cert.p7b -out <server/or/client>cert.cer
      • To convert P7B format to PKCS#12, first convert P7B to PEM using the preceding command. Then convert PEM to PKCS#12 using the following command:
      openssl pkcs12 -export -in <server/or/client>cert.cer -inkey privateKey.key -out <server/or/client>cert.pfx -certfile <server/or/client>cacert.cer
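The checks below are an added example and are not part of this page's procedure: a POSIX shell script that audits the CSR from step 2 before it goes to the CA, and the keystore entry after the chain import in step 4. It assumes openssl and keytool are on PATH for the two live wrappers (check_csr_file and check_keystore); the parsers themselves only read the text those tools print, and the two SAMPLE_* values embedded at the end are constructed to resemble that output. The 2048-bit minimum is a policy assumption for RSA keys (the page's -keyalg): the -keysize 1024 in step 1 falls below it, and public CAs have not issued certificates for 1024-bit RSA keys for years, so the check flags such a request before submission rather than after a rejection.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks on the step 2 CSR and on
# the keystore entry after the step 4 import. The parsers read the text that openssl
# and keytool print; SAMPLE_* at the end are constructed stand-ins for that output.
MIN_RSA_BITS=2048   # policy threshold for RSA (assumption); the page's -keysize 1024 is below it

# audit_csr_text: read `openssl req -noout -text -in FILE` output on stdin. Returns 1
# when the key is smaller than MIN_RSA_BITS or the request is signed with MD5/SHA-1.
audit_csr_text() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p' | head -n 1)
    echo "CSR subject: ${subject:-?}; key: ${bits:-?} bits; signature: ${sigalg:-?}"
    rc=0
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WARN: key size ${bits:-unknown} is below $MIN_RSA_BITS bits"; rc=1
    fi
    case "$sigalg" in
        sha1*|md5*) echo "WARN: weak signature algorithm $sigalg"; rc=1 ;;
    esac
    return $rc
}

# audit_keystore_text ALIAS: read `keytool -list -v` output on stdin. After step 4 the
# entry must be a PrivateKeyEntry with a chain of at least two certificates; a
# trustedCertEntry means the CA reply was imported under a new alias instead of being
# installed on the key, and chain length 1 means the reply was never installed.
audit_keystore_text() {
    wanted=$1
    block=$(awk -v a="$wanted" '
        /^Alias name: / { inblock = ($0 == ("Alias name: " a)) }
        inblock { print }')
    [ -n "$block" ] || { echo "FAIL: alias $wanted not found"; return 1; }
    etype=$(printf '%s\n' "$block" | sed -n 's/^Entry type: *//p' | head -n 1)
    chainlen=$(printf '%s\n' "$block" | sed -n 's/^Certificate chain length: *//p' | head -n 1)
    keybits=$(printf '%s\n' "$block" | sed -n 's/^Subject Public Key Algorithm: *\([0-9]*\)-bit.*/\1/p' | head -n 1)
    echo "alias $wanted: type=${etype:-?} chain=${chainlen:-0} key=${keybits:-?} bits"
    rc=0
    [ "$etype" = "PrivateKeyEntry" ] || { echo "FAIL: expected PrivateKeyEntry, got ${etype:-none}"; rc=1; }
    [ "${chainlen:-0}" -ge 2 ] || { echo "FAIL: chain length ${chainlen:-0}; was the CA reply installed?"; rc=1; }
    if [ -n "$keybits" ] && [ "$keybits" -lt "$MIN_RSA_BITS" ]; then
        echo "WARN: $keybits-bit key is below $MIN_RSA_BITS bits"; rc=1
    fi
    return $rc
}

# Live wrappers; arguments are the page's placeholders filled in by the caller.
check_csr_file() { openssl req -noout -text -verify -in "$1" 2>&1 | audit_csr_text; }
check_keystore() { keytool -list -v -keystore "$1" -storepass "$2" | audit_keystore_text "$3"; }

# Constructed samples shaped like the real tool output (all values made up).
SAMPLE_CSR_TEXT=$(cat <<'EOF'
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = app.example.test, OU = IT, O = Example Corp, C = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3a:1f:90:ab:cd:ef
EOF
)
SAMPLE_KEYSTORE_TEXT=$(cat <<'EOF'
Keystore type: JKS

Your keystore contains 2 entries

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=app.example.test, OU=IT, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Subject Public Key Algorithm: 4096-bit RSA key

*******************************************

Alias name: ca-reply
Entry type: trustedCertEntry
Owner: CN=app.example.test, OU=IT, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Subject Public Key Algorithm: 2048-bit RSA key
EOF
)
```

Run `printf '%s\n' "$SAMPLE_CSR_TEXT" | audit_csr_text` to see the 1024-bit warning, and `check_keystore <server/or/client>keystore.jks <password> <server/or/client>` against a real keystore. A trustedCertEntry under a second alias, which is what keytool -import produces when the -alias given in step 4 does not match the alias from step 1, is reported as a failure, as is a private key entry whose chain is still one certificate long.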
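Step 5 calls for a privateKey.key file, but keytool never prints a private key. The functions below are an added example, not the page's own commands: they convert the JKS keystore from step 1 to PKCS#12 with keytool -importkeystore, pull the key and certificates out with openssl, and check that the key matches the certificate and that the certificate chains to the downloaded CA certificate before the .pfx from step 5 is built. The names <server/or/client>keystore.jks, privateKey.key and the output file names follow the page's placeholders and are assumptions, as is the assumption that the key password equals the store password (what you get by pressing Enter at the -genkey prompt). make_test_material creates a constructed throwaway CA and leaf so the checks can be tried without a real CA.

```shell
#!/bin/sh
# Added example (not from the original page): obtain the privateKey.key that the
# page's `openssl pkcs12 -export` commands expect, then verify the result. File and
# alias names are assumptions that follow the page's placeholders.

# jks_to_pkcs12 JKS PASSWORD ALIAS OUT_P12: convert one keystore entry to PKCS#12,
# reusing the store password for the destination (key password assumed equal).
jks_to_pkcs12() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype JKS -srcstorepass "$2" \
        -srcalias "$3" -destkeystore "$4" -deststoretype PKCS12 -deststorepass "$2"
}

# pkcs12_split P12 PASSWORD KEY_OUT CERT_OUT CACERTS_OUT: split a PKCS#12 file into
# the unencrypted private key (-nodes; written mode 0600, delete it once the .pfx
# exists), the leaf certificate and the CA certificates.
pkcs12_split() {
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" &&
      openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4" &&
      openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$5" ) >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeed only if the certificate was issued for this
# private key (same public key, compared as SHA-256 of its DER encoding).
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# chain_verifies CAFILE CERT: the leaf must chain to the CA certificate(s) downloaded
# in step 3; a certificate from a different CA or a wrong chain file fails here.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# export_from_jks PREFIX PASSWORD: PREFIX stands for the page's <server/or/client>.
# Produces PREFIX.p12, privateKey.key, PREFIXcert.pem and PREFIXcacert.cer and checks
# them, so the `openssl pkcs12 -export` command from step 5 can run next.
export_from_jks() {
    jks_to_pkcs12 "$1keystore.jks" "$2" "$1" "$1.p12" &&
    pkcs12_split "$1.p12" "$2" privateKey.key "$1cert.pem" "$1cacert.cer" &&
    key_matches_cert privateKey.key "$1cert.pem" &&
    chain_verifies "$1cacert.cer" "$1cert.pem"
}

# make_test_material DIR: constructed throwaway CA, leaf key/cert and an unrelated
# key, so the checks can be exercised without submitting anything to a real CA.
make_test_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/cacert.cer" \
        -subj "/CN=Constructed Test CA" -days 2 >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -keyout "$d/privateKey.key" -out "$d/certreq.csr" \
        -subj "/CN=app.example.test" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/certreq.csr" -CA "$d/cacert.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/cert.pem" -days 1 >/dev/null 2>&1 &&
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
}
```

Call `export_from_jks server <password>` from the directory holding serverkeystore.jks; it stops at the first failed check, so a key/certificate mismatch (a CSR submitted from a different keystore) or a chain that does not lead to the downloaded CA certificate is caught before the PKCS#12 file is exported. The extracted key is written unencrypted, as the page's openssl pkcs12 -export commands require, so keep it at mode 0600 and remove it after the .pfx is built.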