J2EE Developer's Guide
Security
1. Generate a key pair and a self-signed certificate.

The keytool utility enables you to create the certificate. The keytool that ships with the J2EE SDK has the same syntax as the one shipped with the Java 2 Standard Edition. However, the J2EE SDK version programmatically adds a Java Cryptographic Extension provider that has implementations of the RSA algorithms. This provider enables you to import RSA-signed certificates.

To generate the certificate, run keytool as follows:

    keytool -genkey -keyalg RSA -alias <certificate-alias>

In the previous command, substitute <certificate-alias> with the alias of your certificate. The keytool utility prompts you for the following information:

keystore password - The default value of this password is changeit. You may change the password by editing the config/auth.properties file.
first and last name - Enter the fully-qualified name of your server. (This fully-qualified name includes the host name and the domain name.)
organizational unit - Enter the appropriate value.
organization - Enter the appropriate value.
city or locality - Enter the appropriate value.
state or province - Enter the unabbreviated name.
two-letter country code - For the USA, the two-letter country code is US.
key password for alias - Do not enter a password. Press Return.

2. Import the certificate.

If your certificate will be signed by a Certification Authority (CA) other than Verisign, then you must import the CA certificate. Otherwise, you may skip this step. (Even if your certificate will be signed by the Verisign Test CA, you must import it.) To import the certificate, perform these tasks:

a. Request the CA certificate from your CA. Store the certificate in a file.

b. To install the CA certificate in the Java 2 Standard Edition, run keytool as follows. (You must have the required permissions to modify the $JAVA_HOME/jre/lib/security/cacerts file.)

    keytool -import -trustcacerts -alias <ca-cert-alias> -file <ca-cert-file-name>

3. Generate a Certificate Signing Request (CSR).

    keytool -certreq -sigalg MD5withRSA -alias <cert-alias> -file <csr-filename>

4. Send the contents of the <csr-filename> file for signing.

If you are using the Verisign CA, go to http://digitalid.verisign.com/. Verisign will send the signed certificate in email. Store this certificate in a file.

5. Import the signed certificate that you received in email into the server.

    keytool -import -alias <cert-alias> -file <signed-cert-file>
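A check worth running once step 5 is done, as an added example that is not part of the J2EE guide or the SDK: this Java program (the class name KeystoreCheck, its command-line arguments and its message texts are my own choices) loads the server keystore and the cacerts trust store through the standard java.security.KeyStore API and confirms that the alias from step 1 is a private-key entry whose certificate is no longer self-signed, that every certificate in the chain is currently valid and signed by the next one, that the chain ends in a CA present in cacerts (the CA imported in step 2), and that the leaf certificate's CN is the fully-qualified server name entered at the "first and last name" prompt. It assumes the JDK default keystore type and the default cacerts password changeit.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * KeystoreCheck (hypothetical name, not part of the J2EE SDK): verifies the
 * outcome of the keytool steps above. Exit status 0 means every check passed;
 * otherwise one PROBLEM line is printed per failed check.
 */
public class KeystoreCheck {

    /** Loads a keystore of the JDK default type from disk with the given store password. */
    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Returns the CN attribute of the certificate's subject DN, or null if it has none. */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    /** True if the signature on 'cert' verifies under some certificate in the trust store. */
    static boolean signedByTrustedCa(X509Certificate cert, KeyStore trust) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            Certificate anchor = trust.getCertificate(alias);
            if (anchor == null) continue;
            try {
                cert.verify(anchor.getPublicKey());
                return true;
            } catch (Exception notThisAnchor) {
                // signature does not verify under this anchor; keep looking
            }
        }
        return false;
    }

    /** Runs all checks; an empty list means the entry is ready for the server to use. */
    static List<String> check(KeyStore ks, String alias, String expectedHost, KeyStore trust) throws Exception {
        List<String> problems = new ArrayList<>();
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is not a private-key entry (was keytool -genkey run for it?)");
            return problems;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            problems.add("alias '" + alias + "' has no certificate chain");
            return problems;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        // A lone certificate whose issuer equals its subject is the self-signed one from step 1.
        if (chain.length == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            problems.add("leaf is still self-signed: the CA-signed certificate from step 5 was not imported");
        }
        String cn = commonName(leaf);
        if (!expectedHost.equalsIgnoreCase(cn)) {
            problems.add("leaf CN is '" + cn + "', expected the server name '" + expectedHost + "'");
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            try {
                c.checkValidity();
            } catch (Exception e) {
                problems.add("chain[" + i + "] is not currently valid: " + e.getMessage());
            }
            if (i + 1 < chain.length) {
                try {
                    c.verify(chain[i + 1].getPublicKey());
                } catch (Exception e) {
                    problems.add("chain[" + i + "] is not signed by chain[" + (i + 1) + "]: " + e.getMessage());
                }
            }
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        if (!signedByTrustedCa(top, trust)) {
            problems.add("chain does not end in a CA from the trust store; import the CA certificate (step 2)");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: java KeystoreCheck <keystore> <storepass> <alias> <server-fqdn> <cacerts>");
            System.exit(2);
        }
        KeyStore ks = load(args[0], args[1].toCharArray());
        // cacerts ships with the password 'changeit', the same default named in step 1
        KeyStore trust = load(args[4], "changeit".toCharArray());
        List<String> problems = check(ks, args[2], args[3], trust);
        if (problems.isEmpty()) {
            System.out.println("OK: " + args[2] + " holds a CA-signed chain of length "
                    + ks.getCertificateChain(args[2]).length);
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
            System.exit(1);
        }
    }
}
```

Run it with the path of the keystore that keytool wrote (by default .keystore in your home directory), the keystore password, the alias from step 1, the fully-qualified server name, and the path to $JAVA_HOME/jre/lib/security/cacerts. The chain-walking loop deliberately verifies each signature itself rather than trusting the order keytool stored, so a chain that was assembled against the wrong CA certificate in step 2 is reported as a problem rather than silently accepted.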