Sun N1 Service Provisioning System 5.1 Installation Guide

Creating a Keystore File and Keystore Password for HTTPS Connections

HTTPS requires an SSL Certificate. When you generate an SSL Certificate, you are creating a keystore file and a keystore password for use when the browser interface connects to the Master Server.

You can either have a Certifying Authority sign the certificate or use a self-signed certificate. A certificate signed by a Certifying Authority is trusted by browsers, so the browser does not issue a warning when a user connects to the browser interface on the Master Server. Generally, Certifying Authorities charge a fee to sign a certificate. A self-signed certificate is available for use immediately after you generate it because you do not have to wait for the Certifying Authority to sign it. However, a self-signed certificate is not trusted by the browser, so the browser issues a warning each time a user connects to the Master Server.

Procedure: How to Generate SSL Certificates

To enable the browser interface to use SSL, you must first generate an SSL Certificate. You create a keystore file and a keystore password while you generate an SSL Certificate.

Before You Begin

To create a keystore file and a keystore password, you use keytool. keytool is a security tool available with the JRE. If you do not have keytool installed, you must install keytool before you can configure the provisioning system to use HTTPS. The N1 Service Provisioning System installs the JRE. If you are configuring HTTPS after you have installed the provisioning system, keytool is already installed on the system.

Steps
  1. Change to the directory in which you installed the JRE.

    % cd JAVA-HOME/bin

    JAVA-HOME is the directory where you installed the JRE. If you installed the JRE with the N1 Service Provisioning System 5.1, the JRE is installed in the N1SPS5.1-home/common/jre/bin directory.

  2. Generate the certificate.

    % keytool -genkey -alias tomcat -keyalg RSA -keystore /keystore-location \
        -storepass password

    Set /keystore-location to the location and filename of the keystore file where you want to store the generated key.

    Set password to the password that you want to use as the keystore password.

  3. Follow the prompts to complete.

    Do not include any punctuation in the name of your organization. Otherwise, the Java Certificate tool fails when attempting to generate the request. The Common Name (CN) must be set to the host name component of the URI, fully qualified with the domain name.

Procedure: How to Obtain a Signature for an SSL Certificate

If you want to use a Certificate signed by a Certifying Authority, follow this procedure to submit the Certificate to the Certifying Authority to be signed.

Steps
  1. Generate the Certificate Request.

    % keytool -certreq -v -alias tomcat -keyalg RSA -keystore /keystore-location

    /keystore-location is the location and filename where you stored the generated key.

  2. Send the Certificate Request to the Certifying Authority.

    Follow the instructions provided by the Certifying Authority. The Certifying Authority returns a Certificate Reply.

  3. Save the Certificate Reply to a file.

  4. Verify the Certificate Reply.

    % keytool -printcert -file certificate-reply-file

    certificate-reply-file is the filename of the Certificate Reply that you received from the Certifying Authority.

  5. Import the Certificate Reply file to the keystore file.

    % keytool -v -import -trustcacerts -keystore /keystore-location \
        -file certificate-reply-file -alias tomcat

    /keystore-location is the location and filename where you stored the generated key. certificate-reply-file is the filename of the Certificate Reply that you received from the Certifying Authority.

  6. Verify the imported Certificate Reply.

    % keytool -v -list -keystore /keystore-location

    /keystore-location is the location and filename where you stored the generated key.
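
For step 6, the following added example (not part of the original guide) reads `keytool -v -list` output and confirms that the tomcat alias is a key entry, that its CN is the expected host name, and that the first certificate is no longer self-signed. The function name, the host name master.example.com, and the trimmed sample listings are assumptions constructed for illustration; real listings contain more fields.

```shell
#!/bin/sh
# Added example. Intended use (assumed host name):
#   keytool -v -list -keystore /keystore-location | check_keystore_listing tomcat master.example.com

check_keystore_listing() {
  # $1 = alias to inspect, $2 = expected fully qualified host name (the CN)
  awk -v want="$1" -v host="$2" '
    /^Alias name: /               { in_entry = (substr($0, 13) == want) }
    !in_entry                     { next }
    /^Entry type: /               { type = substr($0, 13) }
    /^Certificate chain length: / { chain = $4 + 0 }
    /^Certificate\[1\]:/          { first = 1; next }   # the server certificate
    /^Certificate\[/              { first = 0 }         # CA certificates follow
    first && /^Owner: /           { owner = substr($0, 8) }
    first && /^Issuer: /          { issuer = substr($0, 9) }
    END {
      if (type == "")            { print "FAIL: alias not found"; exit 1 }
      # keyEntry (older JREs) or PrivateKeyEntry; trustedCertEntry has no private key
      if (type !~ /[Kk]eyEntry/) { print "FAIL: entry holds no private key"; exit 1 }
      if (index(owner ",", "CN=" host ",") != 1) { print "FAIL: CN is not " host; exit 1 }
      # Owner equal to Issuer means the Certificate Reply was not imported
      if (owner == issuer)       { print "FAIL: certificate is still self-signed"; exit 1 }
      print "OK: chain length " chain ", issued by " issuer
    }'
}

# Constructed, trimmed sample listings (not output from a real keystore).
SAMPLE_SIGNED='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=master.example.com, OU=IT, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Trust, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Trust, C=US
Issuer: CN=Example Issuing CA, O=Example Trust, C=US'

SAMPLE_SELF_SIGNED='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=master.example.com, OU=IT, O=Example Corp, C=US
Issuer: CN=master.example.com, OU=IT, O=Example Corp, C=US'

printf '%s\n' "$SAMPLE_SIGNED" | check_keystore_listing tomcat master.example.com
printf '%s\n' "$SAMPLE_SELF_SIGNED" | check_keystore_listing tomcat master.example.com || true
```

A self-signed result is expected if you skipped the signing procedure; the check only fails it because this procedure ends with a CA-signed certificate under the tomcat alias.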