The Java EE 5 Tutorial

Signing Digital Certificates

After you’ve created a digital certificate, you will want to have it signed by its owner. After the digital certificate has been cryptographically signed by its owner, it is difficult for anyone else to forge. For sites involved in e-commerce or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority such as VeriSign or Thawte.

As mentioned earlier, if authentication is not really a concern, you can save the time and expense involved in obtaining a CA certificate and simply use the self-signed certificate.

Obtaining a Digitally Signed Certificate

    This example assumes that the keystore is named keystore.jks, the certificate file is server.cer, and the CA file is cacerts.jks. To get your certificate digitally signed by a CA:

  1. Generate a Certificate Signing Request (CSR).

    keytool -certreq -alias server-alias -keyalg RSA -file csr-filename 
    -keystore cacerts.jks
  2. Send the contents of the csr-filename for signing.

  3. If you are using Verisign CA, go to Verisign will send the signed certificate in email. Store this certificate in a file.