Configuring Java CAPS for SSL Support

Signing Certificates With Your Own CA

The example in this section shows how to create a Certificate Signing Request with keytool and generate a signed certificate for the Certificate Signing Request with the CA created in the previous section. The steps shown in this section, for generating a KeyStore and a Certificate Signing Request, were already explained under Creating a KeyStore in JKS Format.

Note –

No details are given here for the keytool commands. See Creating a KeyStore in JKS Format for more information.

Procedure: To Create a CSR with keytool and Generate a Signed Certificate for the Certificate Signing Request

  1. Perform the following operations from the command line.

    keytool -keystore clientkeystore -genkey -alias client
    Enter keystore password:  javacaps
    What is your first and last name?
    What is the name of your organizational unit?
    [Unknown]:  Development
    What is the name of your organization?
    [Unknown]:  Sun
    What is the name of your City or Locality?
    [Unknown]:  Monrovia
    What is the name of your State or Province?
    [Unknown]:  California
    What is the two-letter country code for this unit?
    [Unknown]:  US
    Is <, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
    [no]:  yes
    Enter key password for <client>
    (RETURN if same as keystore password):
  2. Generate the Certificate Signing Request.

    keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr
  3. Generate a signed certificate for the associated Certificate Signing Request.

    openssl x509 -req -CA ca-certificate.pem.txt -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial
  4. Use the keytool to import the CA certificate into the client keystore.

    keytool -import -keystore clientkeystore -file ca-certificate.pem.txt -alias theCARoot
    Enter keystore password:  javacaps
    Owner: OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Issuer: OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Serial number: 0
    Valid from: Tue May 08 15:09:07 PDT 2007 until: Wed May 08 15:09:07 PDT 2008
    Certificate fingerprints:
    MD5:  60:73:83:A0:7C:33:28:C3:D3:A4:35:A2:1E:34:87:F0
    SHA1: C6:D0:C7:93:8E:A4:08:F8:38:BB:D4:11:03:C9:E6:CB:9C:D0:72:D0
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  5. Use the keytool to import the signed certificate for the associated client alias in the keystore.

    keytool -import -keystore clientkeystore -file client.cer -alias client
    Enter keystore password: javacaps
    Certificate reply was installed in keystore

    Caution –

    The following error will be generated if there is no certificate chain in the client certificate.

    keytool -import -keystore clientkeystore -file client.cer -alias client
    Enter keystore password: javacaps
    keytool error: java.lang.Exception: Failed to establish chain from reply

    This error is because the CA’s certificate was not imported into the KeyStore first. You must import the CA's certificate (step 4), then import the client.cer file itself to form a certificate chain (step 5).

    Now that the KeyStore clientkeystore holds a private key and its associated certificate chain, it can be used as the KeyStore for client (adapter) authentication. The one remaining requirement is that the CA certificate must be imported into the trusted certificate store of the web server to which you will be connecting. Moreover, the web server must be configured for client authentication (httpd.conf for Apache, for example).
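The following script, added here as an example and not part of the Java CAPS documentation, performs steps 4 and 5 in the order the Caution requires and then checks the result instead of trusting the "Certificate reply was installed" message: it verifies client.cer against the CA with openssl before touching the keystore, imports the CA certificate and then the signed reply, and finally reads `keytool -list -v` to confirm the client entry carries a two-certificate chain. File names and aliases follow the page; reading the keystore password from the STOREPASS environment variable instead of typing it interactively is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the Java CAPS documentation). Assumes keytool and
# openssl are on PATH and that the keystore password is in $STOREPASS.
set -eu

# Pull "Certificate chain length: N" for one alias out of `keytool -list -v`
# output read on stdin. Pure text processing, so it needs no JDK to check.
# Prints 0 when the alias has no chain length line (e.g. a trustedCertEntry).
chain_length_from_listing() {
    awk -v alias="$1" '
        /^Alias name: / { cur = substr($0, 13) }
        cur == alias && /^Certificate chain length: / { print $NF; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# Import the CA certificate first, then the signed reply for the key alias.
# keytool rejects the reply ("Failed to establish chain from reply") when the
# issuer is not already a trusted entry in the keystore, so the order matters.
install_signed_reply() {
    ks=$1; ca_cert=$2; reply=$3; alias=$4

    # Independent check that the reply really was signed by this CA.
    openssl verify -CAfile "$ca_cert" "$reply" >/dev/null

    # Step 4: CA certificate as a trusted entry (idempotent: skip if present).
    if ! keytool -list -keystore "$ks" -storepass "$STOREPASS" -alias theCARoot >/dev/null 2>&1; then
        keytool -import -noprompt -keystore "$ks" -storepass "$STOREPASS" \
            -file "$ca_cert" -alias theCARoot
    fi

    # Step 5: signed reply onto the existing private-key entry.
    keytool -import -keystore "$ks" -storepass "$STOREPASS" \
        -file "$reply" -alias "$alias"

    # A PrivateKeyEntry whose reply was accepted lists a chain of length 2
    # (client certificate plus CA certificate).
    n=$(keytool -list -v -keystore "$ks" -storepass "$STOREPASS" -alias "$alias" \
        | chain_length_from_listing "$alias")
    if [ "$n" -ne 2 ]; then
        echo "alias $alias has chain length $n, expected 2" >&2
        return 1
    fi
    echo "alias $alias: chain of $n certificates installed in $ks"
}

# Usage: STOREPASS=javacaps sh install_reply.sh clientkeystore ca-certificate.pem.txt client.cer client
if [ "$#" -eq 4 ]; then
    install_signed_reply "$@"
fi
```

The openssl verify step fails before anything is written if client.cer was signed by a different CA key than the one in ca-certificate.pem.txt, which is a more useful failure than discovering the mismatch when the adapter's TLS handshake is rejected.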