Signing Digital Certificates

5. Enter yes, and then press the Enter or Return key. The following information displays:

   Certificate was added to keystore
   [Saving cacerts.jks]

Signing Digital Certificates
After you've created a digital certificate, you will want to have it signed by its owner. After the digital certificate has been cryptographically signed by its owner, it is difficult for anyone else to forge. For sites involved in e-commerce or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority such as VeriSign or Thawte.

As mentioned earlier, if authentication is not really a concern, you can save the time and expense involved in obtaining a CA certificate and simply use the self-signed certificate.

Obtaining a Digitally Signed Certificate

This example assumes that the keystore is named keystore.jks, the certificate file is server.cer, and the CA file is cacerts.jks. To get your certificate digitally signed by a CA:

1. Generate a Certificate Signing Request (CSR).

   keytool -certreq -alias server-alias -keyalg RSA -file csr-filename -keystore cacerts.jks

2. Send the contents of the csr-filename for signing.
3. If you are using Verisign CA, go to http://digitalid.verisign.com/. Verisign will send the signed certificate in email. Store this certificate in a file.

Using a Different Server Certificate with the Application Server

Follow the steps in "Creating a Server Certificate" on page 789 to create your own server certificate, have it signed by a CA, and import the certificate into keystore.jks.

Make sure that when you create the certificate, you follow these rules:

- When you create the server certificate, keytool prompts you to enter your first and last name. In response to this prompt, you must enter the name of your server. For testing purposes, this can be localhost.
- The server/host specified in the keystore must match the host identified in the javaee.server.name property specified in the tut-install/javaeetutorial5/examples/bp-project/build.properties file for running the example applications.
- Your key/certificate password in keystore.jks should match the password of your keystore, keystore.jks. This is a bug. If there is a mismatch, the Java SDK cannot read the certificate and you get a "tampered" message.
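
The rules above, and the outcome of the CSR procedure in the previous section, can be checked mechanically before the Application Server is pointed at the keystore. The following Java program is an added example written for this page, not code from the Java EE Tutorial; it assumes a JKS keystore and alias produced by the steps above (keystore.jks and server-alias are the tutorial's names; the password changeit, the class name KeystoreCheck and its command-line layout are assumptions). It loads the keystore, verifies that the key entry opens with the same password as the keystore (the mismatch behind the "tampered" error), compares the certificate's CN with the host you expect in javaee.server.name, checks the validity period, and reports whether the entry is still self-signed, that is, whether the CA-signed certificate returned for the CSR has been imported yet.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * KeystoreCheck (hypothetical helper, not part of the tutorial): verifies that a
 * server certificate in a JKS keystore satisfies the rules listed above.
 *
 * Assumed usage:
 *   java KeystoreCheck keystore.jks server-alias changeit localhost
 *
 * Arguments: keystore path, entry alias, password (used for both the keystore and
 * the key, because the tutorial requires them to match), expected host name (the
 * value of javaee.server.name).
 */
public class KeystoreCheck {

    /** Runs all checks and returns the problems found; an empty list means OK. */
    public static List<String> check(String keystorePath, String alias,
                                     char[] password, String expectedHost)
            throws IOException, GeneralSecurityException {
        List<String> problems = new ArrayList<>();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            // A wrong keystore password fails here with an IOException whose message
            // reports that the keystore was tampered with or the password was wrong.
            ks.load(in, password);
        }

        if (!ks.containsAlias(alias)) {
            problems.add("alias '" + alias + "' not found in " + keystorePath);
            return problems;
        }

        // Rule: the key password must equal the keystore password. Because the same
        // password is used for both, a mismatch surfaces as UnrecoverableKeyException.
        try {
            Key key = ks.getKey(alias, password);
            if (key == null) {
                problems.add("alias '" + alias + "' is not a private-key entry");
                return problems;
            }
        } catch (UnrecoverableKeyException e) {
            problems.add("key password for '" + alias + "' differs from the keystore password");
            return problems;
        }

        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            problems.add("no X.509 certificate chain stored under '" + alias + "'");
            return problems;
        }
        X509Certificate server = (X509Certificate) chain[0];

        // Rule: the CN (keytool's "first and last name" prompt) must be the server host.
        String cn = commonName(server);
        if (!expectedHost.equalsIgnoreCase(cn)) {
            problems.add("certificate CN '" + cn + "' does not match expected host '"
                    + expectedHost + "'");
        }

        // The certificate must currently be within its validity period.
        try {
            server.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            problems.add("certificate is outside its validity period: " + e.getMessage());
        }
        return problems;
    }

    /** True when the entry is a single certificate whose issuer is its own subject. */
    public static boolean isSelfSigned(KeyStore ks, String alias)
            throws GeneralSecurityException {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length != 1 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        X509Certificate cert = (X509Certificate) chain[0];
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    /** Extracts the CN attribute from the subject DN in RFC 2253 form. */
    static String commonName(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal().getName();
        for (String rdn : dn.split(",")) {
            String part = rdn.trim();
            if (part.startsWith("CN=")) {
                return part.substring(3);
            }
        }
        return "";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java KeystoreCheck <keystore.jks> <alias> <password> <expected-host>");
            System.exit(2);
        }
        char[] password = args[2].toCharArray();
        List<String> problems = check(args[0], args[1], password, args[3]);
        for (String p : problems) {
            System.out.println("PROBLEM: " + p);
        }
        if (problems.isEmpty()) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream(args[0])) {
                ks.load(in, password);
            }
            // Self-signed is acceptable for testing; it just means the CA-signed
            // certificate from the CSR procedure has not been imported yet.
            System.out.println(isSelfSigned(ks, args[1])
                    ? "NOTE: entry is self-signed (CA-signed certificate not imported)"
                    : "OK: entry carries a CA-issued chain");
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Running the program after each step of the procedure shows the keystore's state changing: a fresh self-signed entry prints the NOTE line, a mis-entered CN or a key password that differs from the keystore password is reported as a PROBLEM before the Application Server ever tries to read the entry, and a successful import of the CA reply turns the NOTE into the OK line.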
Establishing a Secure Connection Using SSL
Chapter 28 · Introduction to Security in the Java EE Platform
791