3.3 Create Identity Store with Trusted Certificates Issued by CA
This topic provides the information for creating Identity Store with Trusted Certificates Issued by CA.
Create Public and Private Key Pair
Browse to the bin folder of JRE from the command prompt and type the following command. The items highlighted are placeholders, and should be replaced with suitable values when running the command.
keytool -genkeypair -alias alias -keyalg keyalg -keysize keysize - sigalg sigalg -validity valDays -keystore keystoreTable 3-3 Keyword Description
| Keyword | Description |
|---|---|
alias |
Used to identify the public and private key pair created.
This alias is required later when configuring the SSL attributes for the managed servers in Oracle Weblogic Server. |
keyalg |
Key algorithm is used to generate the public and private key pair.
The RSA key algorithm is recommended. |
keysize |
Key size of the public and private key pairs generated.
A key size of 1024 or more is recommended. Please consult with your CA on the key size support for different types of certificates. |
sigalg |
This algorithm is used to generate the signature.
This algorithm should be compatible with the key algorithm and should be one of the values specified in the Java Cryptography API Specification and Reference. |
valdays |
The number of days for which the certificate is to be considered valid.
Please consult with your CA on this period. |
keystore |
Used to specify the location of the JKS file.
If no JKS file is present in the path provided, the one will be created. |
Table 3-4 Attribute Details
| Attributes | Description |
|---|---|
| Keystore Password | Specify a password used to access the Keystore.
This password needs to be specified later, when configuring the identity store in Kafka server. |
| Key Password | Specify a password used to access the private key stored in the Keystore.
This password needs to be specified later, when configuring the SSL attributes of the managed server(s) in Oracle Weblogic Server. |
| First and Last Name (CN) | Enter the domain name of the machine used to access Oracle Banking Virtual Account Management. For example, www.example.com. |
| Name of your Organizational Unit | The name of the department or unit making the request. For example, BDP.
Use this field to further identify the SSL Certificate for creating. For example, by department or by physical server. |
| Name of your Organization | The name of the organization making the certificate request. For example, Oracle Financial Services.
It is recommended to use the company or organization's formal name, and this name entered here must match the name found in official records. |
| Name of your City or Locality | The city in which your organization is physically located. For example, Mumbai. |
| Name of your State or Province | The state/province in which your organization is physically located. For example, Maharashtra. |
| Two-letter Country Code for this Unit | The country in which your organization is physically located. For example, US, UK, IN, etc. |
The sample execution command is listed below:
D:\Oracle\weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool -genkeypair -alias cvrhp0729 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 365 -keystore
D:\keystores\AdminOBVAMKeyStore.jks
Enter keystore password: <Enter a password to protect the keystore>
Re-enter new password: <Confirm the password keyed above>
What is your first and last name?
[Unknown]: cvrhp0729.i-flex.com
What is the name of your organizational unit?
[Unknown]: BPD
What is the name of your organization?
[Unknown]: Oracle Financial Services
What is the name of your City or Locality?
[Unknown]: Mumbai
What is the name of your State or Province?
[Unknown]: Maharashtra
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=cvrhp0729.i-flex.com, OU=BPD, O=Oracle Financial Services, L=Mumbai, ST=Maharashtra, C=IN correct? [no]: yes
Enter key password for <cvrhp0729>
RETURN if same as keystore password): <Enter a password to protect the key>
Re-enter new password: <Confirm the password keyed above>Generate CSR
To purchase an SSL certificate, the user must generate the CSR for the server where the certificate will be installed.
A CSR is generated from the server and is the server's unique fingerprint. The CSR includes the server's public key, which enables server authentication and secure communication. If the keystore file or the password is lost and a new one is generated, the SSL certificate and the private key will no longer match. A new SSL Certificate will have to be requested.
The CSR is created by running the following command in the bin directory of the JRE:
keytool -certreq -alias alias –file certreq_file -keystore keystoreTable 3-5 Keyword Description
| Keyword | Description |
|---|---|
alias |
Used to identify the public and private key pair created.
The private key associated with the alias will be utilized to create the CSR. Specify the alias of the key pair created in the previous step. |
certreq_file |
This is the file in which the CSR will be stored. |
keystore |
This is the location of the keystore containing the public and private key pair. |
The sample execution command is listed below:
D:\Oracle\Weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool -certreq -alias cvrhp0729 -file D:\keystores\certreq.csr -keystore
D:\keystores\AdminOBVAMKeyStore.jks
Enter keystore password: [Enter a password to protect the keystore]
Enter key password for <cvrhp0729>[Enter the password used to access the key in the keystore]Parent topic: Obtain the Identity Store