N1 Service Provisioning System 4.1 Installation Guide

Creating Key Stores

The N1 Service Provisioning System 4.1 uses the keytool utility provided with the JRE. The keytool utility is wrapped in a shell script, crkeys, to enable you to create key stores. The script ensures that the correct parameters are supplied to the keytool utility.

When you create a key store, the X.509 Distinguished Name in the self-signed certificate is set to the following.

    CN=application_name OU=Engineering O=Sun Microsystems Inc L=Menlo Park ST=CA C=US

Procedure: How to Create Key Stores

Step 1. Generate the keys.

    % crkeys -options

    Use the following options to create key stores based on the type of SSL connectivity you want to use.

    -alias application_hostname

    Specifies an alias for the certificate or the key pair. Use the hostname of the application as the alias. The alias names must be unique within a key store.

    -cpass

    Changes the password of the key store and all the keys within the key store.

    -delete

    Specifies that the key pair or certificate for the specified entity should be deleted from the key store.

    -export

    Exports a self-signed certificate of the specified entity to the specified file.

    -file cert_file

    Specifies the name of the file that the certificate is to be imported from or exported to.

    -generate

    Generates a new key pair for the specified alias.

    -help

    Lists all the options.

    -import

    Imports a self-signed certificate of an entity that is allowed to connect to this node. When importing the certificate, use the hostname of the node that the certificate represents as the alias.

    -keyalg keyalg

    The key generation algorithm. Defaults to RSA. Can be either RSA or DSA.

    -keysize keysize

    The key size. Defaults to 1024. Can be any multiple of 64 in the range 512-1024 for DSA keys and in the range 512-2048 for RSA keys.

    -list

    Lists all the entities contained in the key store.

    -new newpassword

    Specifies the new password for the key store and all the keys in the key store.

    -password password

    Specifies the password for the key store. If a password is not specified, the user is prompted for one.

    -private

    Specifies the private key store as the target of the operation.

    -validity days_valid

    Number of days the self-signed certificate is valid.

    -trust

    Specifies the trust key store as the target of the operation.


Example 7–1 crkeys Command Examples

The following examples show how to use the crkeys command.

To generate a public-private key pair:

    crkeys -private {-generate|-delete} -alias application_hostname [-keyalg keyalg]
        [-keysize keysize] [-validity days_valid] [-password password]

To export the self-signed public key for a key pair to a file:

    crkeys -private -export -file cert_file -alias application_hostname [-password password]

To import a self-signed public key, exported as shown in the previous example, into the trust store:

    crkeys -trust -import -file cert_file -alias application_hostname [-password password]

To delete a key or key pair:

    crkeys {-private|-trust} -delete -alias application_hostname [-password password]

To list all of the public keys:

    crkeys {-private|-trust} -list [-password password]

To change the password of the SSL key stores (both the trust store and the private store):

    crkeys -cpass -password oldpassword -new newpassword

To print instructions for using the crkeys command:

    crkeys -help
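As an added illustration (not the guide's crkeys script, whose source is not shown here), the following hypothetical POSIX shell wrapper prints the keytool invocation behind each crkeys operation described above and enforces the key-size rules the guide states; the key store file names, the directory variable and the JDK 6+ keytool command names are assumptions.

```shell
#!/bin/sh
# Hypothetical stand-in for crkeys (not the guide's script): maps each crkeys
# operation to the keytool command it corresponds to and prints that command
# instead of running it, so the mapping can be inspected.
# Assumptions: private.keystore and trust.keystore live under $KEYSTORE_DIR,
# and JDK 6+ keytool command names (-genkeypair, -exportcert, -importcert).
# No -storepass is emitted: keytool prompts for the password when it is
# absent, just as crkeys prompts when -password is omitted.
KEYSTORE_DIR=${KEYSTORE_DIR:-.}

# Usage: crkeys_cmd OPERATION STORE ALIAS [CERT_FILE] [KEYALG] [KEYSIZE] [DAYS]
#   OPERATION: generate | export | import | delete | list
#   STORE:     private | trust   (the guide's -private / -trust targets)
crkeys_cmd() {
  op=$1 store=$2 alias=$3 file=$4
  keyalg=${5:-RSA} keysize=${6:-2048} days=${7:-90}   # 90 = keytool's default
  case $store in
    private) ks=$KEYSTORE_DIR/private.keystore ;;
    trust)   ks=$KEYSTORE_DIR/trust.keystore ;;
    *) echo "store must be private or trust" >&2; return 1 ;;
  esac
  case $keyalg in
    RSA) max=2048 ;;   # guide: 512-2048 for RSA (crkeys itself defaults to 1024)
    DSA) max=1024 ;;   # guide: 512-1024 for DSA
    *) echo "keyalg must be RSA or DSA" >&2; return 1 ;;
  esac
  # Guide: the key size must be a multiple of 64 inside the algorithm's range.
  if [ $((keysize % 64)) -ne 0 ] || [ "$keysize" -lt 512 ] || [ "$keysize" -gt "$max" ]; then
    echo "keysize $keysize is not valid for $keyalg" >&2; return 1
  fi
  # Subject the guide says the self-signed certificate carries; keytool's
  # -dname syntax requires the comma separators.
  dname="CN=$alias, OU=Engineering, O=Sun Microsystems Inc, L=Menlo Park, ST=CA, C=US"
  case $op in
    generate)
      [ "$store" = private ] || { echo "generate targets the private store" >&2; return 1; }
      echo "keytool -genkeypair -alias $alias -keyalg $keyalg -keysize $keysize" \
           "-validity $days -dname \"$dname\" -keystore $ks" ;;
    export) echo "keytool -exportcert -alias $alias -file $file -keystore $ks" ;;
    import)
      # keytool shows the certificate's fingerprint and asks for confirmation;
      # check it against the exporting host before answering yes.
      [ "$store" = trust ] || { echo "import targets the trust store" >&2; return 1; }
      echo "keytool -importcert -alias $alias -file $file -keystore $ks" ;;
    delete) echo "keytool -delete -alias $alias -keystore $ks" ;;
    list)   echo "keytool -list -keystore $ks" ;;
    *) echo "unknown operation: $op" >&2; return 1 ;;
  esac
}
```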