test

Configuring Java CAPS for SSL Support

ProcedureTo Create a CSR with keytool and Generate a Signed Certificate for the Certificate Signing Request

  1. Perform the following operations from the command line.


    keytool –keystore clientkeystore –genkey –alias client

Enter keystore password:  javacaps
What is your first and last name?
[Unknown]:  development.sun.com
What is the name of your organizational unit?
[Unknown]:  Development
What is the name of your organization?
[Unknown]:  Sun
What is the name of your City or Locality?
[Unknown]:  Monrovia
What is the name of your State or Province?
[Unknown]:  California
What is the two-letter country code for this unit?
[Unknown]:  US
Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, 
C=US> correct?
[no]:  yes

Enter key password for <client>
(RETURN if same as keystore password):

  2. Generate the Certificate Signing Request.


    keytool –keystore clientkeystore –certreq –alias client –keyalg rsa 
–file client.csr

  3. Generate a signed certificate for the associated Certificate Signing Request.


    openssl  x509  -req  -CA 
    ca-certificate.pem.txt -CAkey ca-key.pem.txt 
    -in client.csr -out client.cer  -days 365  -CAcreateserial

  4. Use the keytool to import the CA certificate into the client keystore.


    keytool -import -keystore clientkeystore -file ca-certificate.pem.txt  
-alias theCARoot 

Enter keystore password:  javacaps
Owner: EmailAddress=development@sun.com, CN=development.sun.com, OU=Development,
 O=Sun, L=Monrovia, ST=California, C=US
Issuer: EmailAddress=development@sun.com, CN=development.sun.com, 
OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: 0
Valid from: Tue May 08 15:09:07 PDT 2007 until: Wed May 08 
    15:09:07 PDT 2008
Certificate fingerprints:
MD5:  60:73:83:A0:7C:33:28:C3:D3:A4:35:A2:1E:34:87:F0
SHA1: C6:D0:C7:93:8E:A4:08:F8:38:BB:D4:11:03:C9:E6:CB:9C:D0:72:D0
Trust this certificate? [no]:  yes
Certificate was added to keystore

  5. Use the keytool to import the signed certificate for the associated client alias in the keystore.


    keytool –import –keystore clientkeystore –file client.cer –alias client

Enter keystore password: javacaps
Certificate reply was installed in keystore
    Caution – Caution –

    The following error will be generated if there is no certificate chain in the client certificate.


    keytool -import -keystore clientkeystore -file client.cer -alias client

Enter keystore password: javacaps
keytool error: java.lang.Exception: Failed to establish chain from reply

    This error is because the CA’s certificate was not imported into the KeyStore first. You must import the CA's certificate (step 4), then import the client.cer file itself to form a certificate chain (step 5).

    Now that we have a private key and an associating certificate chain in the KeyStore clientkeystore, we can use it as a KeyStore for client (adapter) authentication. The only warning is that the CA certificate must be imported into the trusted certificate store of the web server to which you will be connecting. Moreover, the web server must be configured for client authentication (httpd.conf for Apache, for example).