Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2009-05-19 12:53:33.0

TN 7806 - Creating an Entrust SSL certificate for Sun Java System Application Server

Use keytoolto generate, import, and export certificates. By default, keytoolcreates a keystore file in the directory where it is run.

Key Pair and Certificate Signing Request (CSR) Generation

1.      Change to the directory where the certificate is to be run.

2.      Enter the following keytoolcommand to generate the certificate in the keystore file, keystore.jks:

keytool -genkey -alias server-alias -keyalg RSA

-keypass changeit -storepass changeit

-keystore keystore.jks

3.      Use any unique name as your keyAlias. If you have changed the keystore or private key password from their default, then substitute the new password for changeitin the above command.

4.      A prompt appears that asks for your name, organization, and other information that keytooluses to generate the certificate.

5.      Confirm you keystore has been created.

keytool –list –v -keystore keystore.jks

6.      Enter the following keytoolcommand to generate the certificate signing request to the file server.csr:

keytool -certreq –keyalg RSA -alias keyAlias -storepass changeit

-file server.csr -keystore keystore.jks

7.      Paste this CSR into your Entrust enrollment submittal page. The CSR should look similar to this:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIBujCCASMCAQAwejELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTEQMA4GA1UEChMHRW50cnVzdDETMBEGA1UECxMKRW50cnVzdCBDUzEhMB8GA1UEAxMYd3d35w6T+q/f+wIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAF+0hqAqXumz/vGrzGVhKHlnxd7HW3ezSGIbIUcOy1YdDc/1ZCqRpu3utYIZ6welK++l+QjlbL6p5RJJETkkLKXjb/WVFajNuPl7Yob9pbwA7JBrCCKbFj+kzDNbGhCR1RgFA9vQj5vob41Vj+k+TQchliuTLL9rFXNDHrtgTMtA=

-----END NEW CERTIFICATE REQUEST-----

Server Certificate Installation

1.      Download the webserver and cross certificates generated by Entrust. Save the webserver certificate (i.e. server.cer) and cross certificate (i.e. cross.cer) in the directory containing the keystore and truststore files.

2.      To create the truststore file cacerts.jksand add the cross certificate to the truststore, enter the following keytoolcommand:

keytool -import -v –trustcacerts -alias entrust -file cross.cer

-keystore cacerts.jks -keypass changeit -storepass changeit

3.      If you have changed the keystore or private key password from their default, then substitute the new password for changeitin the above command.

The tool displays information about the certificate and prompts whether you want to trust the certificate.

4.      Type yes, then press Enter.

Then keytooldisplays something like this:

Certificate was added to keystore

[Saving cacerts.jks]

5.      To add the server certificate to the truststore, enter the following keytoolcommand:

keytool -import -v –trustcacerts -alias keyAlias -file server.cer

-keystore cacerts.jks -keypass changeit -storepass changeit

6.      If you have changed the keystore or private key password from their default, then substitute the new password for changeitin the above command.

The tool displays information about the certificate and prompts whether you want to trust the certificate.

7.      Type yes, then press Enter.

Then keytooldisplays something like this:

Certificate was added to keystore

[Saving cacerts.jks]

8.      Restart the Application Server.

Affected Products:

• Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable