
Creating a Server Certificate


procedure outlined in the next section, "Creating a Server Certificate" on page 789, to set up a digital certificate that can be used by your application or web server to enable SSL.

One tool that can be used to set up a digital certificate is keytool, a key and certificate management utility that ships with the Java SE SDK. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself or herself to other users or services) or in data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. For a better understanding of keytool and public key cryptography, read the keytool documentation at http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html.
Creating a Server Certificate
A server certificate has already been created for the Application Server. It can be found in the domain-dir/config/ directory: the server's key pair and certificate are in keystore.jks, and cacerts.jks is the truststore, holding all the trusted certificates, including client certificates.

If necessary, you can use keytool to generate certificates. The keytool utility stores keys and certificates in a file called a keystore, a repository of certificates used for identifying a client or a server. Typically, a keystore is a file that contains one client's or one server's identity. It protects the private keys it holds with a password.

If you do not specify a directory as part of the keystore file name, the keystore is created in the directory from which the keytool command is run. This can be the directory where the application resides, or a directory common to many applications.
To create a server certificate, follow these steps:
1. Create the keystore.
2. Export the certificate from the keystore.
3. Sign the certificate.
4. Import the certificate into a truststore: a repository of certificates used for verifying the certificates presented by the other party. A truststore typically contains more than one certificate.
Run keytool to generate the server keystore, keystore.jks. This step uses the alias server-alias to generate a new public/private key pair and wrap the public key into a self-signed certificate inside keystore.jks. The key pair is generated with the RSA algorithm, and the default password changeit protects both the keystore and the key. Because changeit is the well-known default, replace it with a password of your own for anything beyond development. For more information on keytool options, see its online help at http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html.
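The four steps above as keytool commands, written here as an added example that is not part of the tutorial or of the Application Server's own scripts. It assumes a JDK keytool on the PATH and a work directory passed as the first argument; the file names server.cer and server.csr, the distinguished name and the SAN value CN=localhost are illustrative, and the final fingerprint comparison is an added check that the truststore really holds the certificate exported from the keystore.

```shell
#!/bin/sh
# Added example, not from the Java EE tutorial. Assumed: keytool (from a JDK)
# is on PATH; $1 is a writable work directory; DN, SAN and file names are
# illustrative choices. Aliases and passwords follow the tutorial text.
set -eu

STOREPASS=changeit     # the tutorial's default; replace it outside development

# Step 1: create the server keystore with a new RSA key pair and a
# self-signed certificate under the alias server-alias.
# -storetype JKS keeps the file a real JKS store (JDK 9+ defaults to PKCS12);
# -ext SAN is needed because modern TLS clients ignore the CN.
create_keystore() {
    dir=$1
    keytool -genkeypair -alias server-alias -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=localhost, OU=Dev, O=Example, C=US" \
        -ext "SAN=dns:localhost" -storetype JKS \
        -keypass "$STOREPASS" -storepass "$STOREPASS" \
        -keystore "$dir/keystore.jks"
}

# Step 2: export the certificate (public key only; the private key stays
# in keystore.jks).
export_cert() {
    dir=$1
    keytool -exportcert -alias server-alias -storepass "$STOREPASS" \
        -keystore "$dir/keystore.jks" -file "$dir/server.cer" -rfc
}

# Step 3: signing. The certificate from step 1 is already self-signed. To
# have a CA sign it instead, generate a CSR, have the CA issue a certificate
# and import the CA reply under the same alias with keytool -importcert.
make_csr() {
    dir=$1
    keytool -certreq -alias server-alias -storepass "$STOREPASS" \
        -keystore "$dir/keystore.jks" -file "$dir/server.csr"
}

# Step 4: import the certificate into the truststore (created if missing).
import_to_truststore() {
    dir=$1
    keytool -importcert -noprompt -alias server-alias -file "$dir/server.cer" \
        -storetype JKS -storepass "$STOREPASS" -keystore "$dir/cacerts.jks"
}

# SHA-256 fingerprint of the server-alias entry in a store, taken from the
# "SHA256:" line of keytool -list -v output.
fingerprint() {
    keytool -list -v -alias server-alias -storepass "$STOREPASS" -keystore "$1" \
        | grep 'SHA256:' | head -n 1 | awk '{print $2}'
}

# Run all four steps in $1; succeed only if the truststore entry carries the
# same certificate as the keystore entry.
create_server_cert() {
    dir=$1
    create_keystore "$dir"
    export_cert "$dir"
    make_csr "$dir"
    import_to_truststore "$dir"
    [ "$(fingerprint "$dir/keystore.jks")" = "$(fingerprint "$dir/cacerts.jks")" ]
}
```

Run it as `create_server_cert /path/to/work` (for example, after sourcing the script). The resulting keystore.jks and cacerts.jks are the two files the text describes in domain-dir/config/; keep keystore.jks private, since it contains the server's private key, while cacerts.jks holds only public certificates and can be distributed to peers that must trust the server.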
Establishing a Secure Connection Using SSL
Chapter 28 · Introduction to Security in the Java EE Platform
789