Monday, May 16, 2005
How to request a server SSL certificate
Let's say you need to order a server-side SSL certificate from Verisign, Thawte or some other Certification Authority (CA). Here is how you can use Java's built-in keytool to create a CSR, request a certificate and then import it into the keystore database:
Create your key. Always use the full state name, no abbreviations. CN (Common Name) should be the domain of your site. This will also create a keystore if it doesn't already exist.
keytool -v -genkey -keyalg RSA -keystore keystore -dname "cn=www.mysite.com, ou=None, L=Redmond, ST=Washington, o=MyCompany, c=US"
Now generate the Certificate Signing Request (CSR). This should create a file called "www.mysite.com.csr" in your current directory.
keytool -certreq -sigalg MD5withRSA -file www.mysite.com.csr -keystore keystore -storepass password
Once Verisign is done with their verification process, they will sign and issue you a certificate. They might email it to you. Some CAs, like Thawte, give you a login and password and ask you to download the certificate.
Once you have saved the certificate file locally, let's say as "www.mysite.com.cert", you will need to import it into your keystore.
keytool -import -trustcacerts -keystore keystore -file www.mysite.com.cert
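The same three steps as a script, added here as an example and not part of the original post: it names the key entry explicitly, asks for a 2048-bit key, signs the CSR with SHA256withRSA rather than MD5withRSA (MD5 is collision-broken), and checks the request before it is submitted. The alias "server", the function names, the directory argument and the default password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Alias "server", the directory
# layout and the default password "changeit" are assumptions.

# Read `keytool -printcertreq` output on stdin and classify its
# "Signature algorithm:" line. Prints weak, ok or unknown.
csr_sigalg_status() {
    line=$(grep -i 'Signature algorithm' | head -n 1 | tr '[:lower:]' '[:upper:]')
    case "$line" in
        "")                         echo unknown ;;  # older keytool omits the line
        *MD2*|*MD5*|*SHA1*|*SHA-1*) echo weak ;;
        *)                          echo ok ;;
    esac
}

# Create the key pair and CSR for host $2 in directory $1 (password $3).
# Fails if the CSR turns out to be signed with a weak digest.
make_csr() {
    dir=$1; host=$2; pass=${3:-changeit}
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -keystore "$dir/keystore" -storepass "$pass" -keypass "$pass" \
        -dname "cn=$host, ou=None, L=Redmond, ST=Washington, o=MyCompany, c=US" \
        || return 1
    keytool -certreq -alias server -sigalg SHA256withRSA \
        -file "$dir/$host.csr" -keystore "$dir/keystore" \
        -storepass "$pass" -keypass "$pass" || return 1
    # Inspect the request before it goes to the CA.
    status=$(keytool -printcertreq -file "$dir/$host.csr" | csr_sigalg_status)
    [ "$status" != weak ]
}

# Import the CA's reply ($2) under the same alias as the private key, so
# keytool attaches the certificate to that key instead of adding a
# separate trusted entry.
import_reply() {
    keytool -importcert -alias server -trustcacerts -file "$2" \
        -keystore "$1/keystore" -storepass "${3:-changeit}"
}
```

Run make_csr with a directory and host name, submit the resulting .csr file to the CA, then pass the returned certificate file to import_reply with the same directory.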
A server side certificate contains the name of the site/domain it is intended for and cannot be shared across domains. It is valid only for a particular domain, unlike client side SSL certificates which can be shared.
You can follow this link on keytool, if you need more information about using it.
Copyright Anand Jain 2004, 2005. All rights reserved.