If the SSL data exchange is among already trusted partners who trust your identity, self-signed certificates may be adequate. However, a certificate is more likely to be trusted by others when it is signed by a certifying authority (CA).
Procedure
- Generate a Certificate Signing Request (CSR).
Before ordering SSL certificates, you must generate a CSR, an encrypted body of text, on your server. Your CSR contains encoded information specific to your company and domain name.
Use this command to generate a CSR, using the PKCS#10 format.
keytool -certreq -v -keystore keystore_file -alias machinename -file certreq_file
For example:
keytool -certreq -v -keystore "/usr/local/rc53/rc.keystore" -alias hawk -file rc.csr
A CSR is sent to a CA. The CA authenticates the certificate requestor offline and returns a certificate or certificate chain. Use this certificate or certificate chain to replace the existing certificate chain (which consists of a self-signed certificate) in the keystore.
- Replace your self-signed certificate with a certificate or certificate chain returned by the CA.
- Import all of the trusted CA certificates into your keystore, giving each one a unique alias name.
These certificates are used to authenticate the public key of the CA.
keytool -import -v -trustcacerts -alias unique_alias -file CA_certificate_file -keystore keystore_file
For example:
keytool -import -v -trustcacerts -alias root1 -file root1.certificate -keystore "/usr/local/rc53/rc.keystore"
- Import the certificate that the CA returned by typing this command.
keytool -import -v -alias unique_alias -file your_certificate_file -keystore keystore_file
Note: This command does not contain the -trustcacerts argument.
For example:
keytool -import -v -alias rcCertificate -file rc.certificate -keystore "/usr/local/rc53/rc.keystore"
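The procedure above, carried end to end as an added example (not code from the original page): a throwaway CA built with openssl stands in for the real CA, and the last function checks that the keystore entry now carries the CA-signed chain instead of the self-signed certificate. The key alias hawk, the CA alias root1, the password changeit and both certificate subjects are constructed for the example; keytool and openssl must be on the PATH.

```shell
#!/bin/sh
# Added example: round-trips the keytool procedure against a constructed test CA.
set -eu

PASS=changeit                      # constructed keystore/key password
WORK=$(mktemp -d)
KS="$WORK/rc.keystore"

# Stand-in for the real CA: a self-signed root that will sign the CSR.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Step 1: a keystore holding a self-signed entry, then the PKCS#10 CSR.
make_csr() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias hawk -validity 365 \
    -dname "CN=hawk.example,O=Example" -keystore "$KS" \
    -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
  keytool -certreq -v -keystore "$KS" -alias hawk -file "$WORK/rc.csr" \
    -storepass "$PASS" >/dev/null 2>&1
}

# What the CA does offline: authenticate the requester and sign the CSR.
ca_sign_csr() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/rc.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/rc.crt" >/dev/null 2>&1
}

# Step 2a: import the CA certificate with -trustcacerts (-noprompt answers the
#          "Trust this certificate?" question for a non-interactive run).
# Step 2b: import the CA's reply WITHOUT -trustcacerts, under the key entry's
#          own alias: keytool only treats an import as a certificate reply that
#          replaces the self-signed chain when the alias already names a key
#          entry; a fresh alias would just add a trusted-certificate entry.
install_reply() {
  keytool -import -v -trustcacerts -noprompt -alias root1 -file "$WORK/ca.crt" \
    -keystore "$KS" -storepass "$PASS" >/dev/null 2>&1
  keytool -import -v -alias hawk -file "$WORK/rc.crt" \
    -keystore "$KS" -storepass "$PASS" >/dev/null 2>&1
}

# Check: a self-signed entry reports chain length 1; after the reply is
# installed it reports 2 (server certificate plus the CA certificate).
chain_length() {
  keytool -list -v -keystore "$KS" -storepass "$PASS" -alias hawk 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}

run_all() { make_test_ca; make_csr; ca_sign_csr; install_reply; chain_length; }
```

Run `run_all` from the shell after sourcing the script; anything other than `2` means the reply did not replace the self-signed chain, usually because it was imported under a different alias.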