Monday, May 16, 2005

How to request a server SSL certificate

Lets say you need to order a server side SSL certificate from Verisign or Thwate or some other Certification Authority (CA). Here is how you can use Java's in-built keytool to create a CSR, request a certificate and then import it in the keystore database.:

Create your key. Always use the full state name, no abbreviations. CN (Common name) should be domain of your site. This will also create a keystore if it doesnt already exist.
keytool -v -genkey -keyalg RSA -keystore keystore -dname ", ou=None, L=Redmond, ST=Washington, o=MyCompany, c=US"

Now generate the Certificate Signing Request known as a CSR. This process should create a file called "" in your current directory.
keytool -certreq -sigalg MD5withRSA -file -keystore keystore -storepass password
Go to Verisign's (or any CA's) site and submit the CSR file. There are two kinds of certificates that you can order. Either the 40-bit or the 128-bit. If you anticipate people outside of the US coming to your site (and using SSL, obviously) then you should go for a 40-bit certificate. If this is needed for a machine-to-machine or for a US only site, then you can go for a 128-bit certificate. 128-bit encryption offers 288 times as many possible combinations as 40-bit encryption. That is over a trillion times a trillion times stronger. But not all the browsers world-wide have the capability to decrypt 128 bit encrypted stuff (because of US export regulations) and so you might have to settle with the 40-bit certificate.

Once Verisign is done with their verification process they will sign and issue you a certificate. They might email it to you. Some CA's like Thwate provide the facility of login/password and ask you to download the certificate.

Once you save the certificate file locally lets say as "", you will need to import it into your keystore.
keytool -import -keystore keystore -keyalg RSA -import -trustcacerts -file

A server side certificate contains the name of the site/domain it is intended for and cannot be shared across domains. It is valid only for a particular domain, unlike client side SSL certificates which can be shared.

You can follow this link on keytool, if you need more information about using it.

Comments: Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?

Copyright Anand Jain 2004, 2005. All rights reserved.