Configuring Java CAPS for SSL Support

Creating a Sample CA Certificate

The sample given in this section demonstrates the use of the OpenSSL utility to create a CA. This generated CA is then used to sign a CSR (see Signing Certificates With Your Own CA), whether it is generated from keytool or OpenSSL.

ProcedureTo Create a Sample CA Certificate

For testing purposes, a sample CA can be generated. To avoid spending additional funds to have a commercial CA sign test certificates, a sample is generated and used to sign the test certificate.

  1. Perform the following operations from the command line:

    openssl  req  -config c:\openssl\bin\openssl.cnf 
     -new  -x509  -keyout  ca-key.pem.txt -out  ca-certificate.pem.txt  -days  365
    Using properties from c:\openssl\bin\openssl.cnf
    Loading ’screen’ into random state: done
    Generating a 1024 bit RSA private key
    writing new private key to ’ca-key.pem.txt’
    Enter PEM pass phrase:
    Verifying password: Enter PEM pass phrase:
    You are about to be asked to enter information that will be 
        incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name 
        or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ’.’, the field will be left blank.
    Country Name (2 letter code) []:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) []:Monrovia
    Organization Name (eg, company) []:Sun
    Organizational Unit Name (eg, section) []:Development
    Common Name (eg, your websites domain name) []
    Email Address []  

    You are prompted for password information.

  2. Enter a password and remember this password for signing certificates with the CA’s private key.

    This command creates a private key and the corresponding certificate for the CA. The certificate is valid for 365 days starting from the date and time it was created.

    The properties file C:\openssl\bin\openssl.cnf is needed for the req command. The default config.cnf file is in the OpenSSL package under the apps sub-directory.

    Note –

    To use this file in Windows, you must change the paths to use double back-slashes. See Windows OpenSSL.cnf File Example for a complete Config.cnf file example, which is known to work in a Windows environment.