Generating a certificate signing request (CSR) for public key certificates

If the SSL data exchange takes place only among partners who already trust your identity, self-signed certificates may be adequate. However, a certificate is more likely to be trusted by others when it is signed by a certifying authority (CA).

To get a certificate signed by the CA using the keytool utility, you first must generate a Certificate Signing Request (CSR), then give the CSR to a CA. The CA then signs the certificate and returns it to you.

You generate a CSR by entering the following command:

keytool -certreq -alias wsadapter -file wsadapter.csr -keystore c:\security\keystore

In the command, the value of -alias (wsadapter here) is the keystore alias that you created for the private key. The keytool utility generates the CSR file, which you provide to your CA. Your CA then provides you with the signed certificate, which you must import into your keystore. To do so, enter the following command:

keytool -import -alias wsadapter -keystore c:\security\keystore -trustcacerts -file casignedcertificate.cer

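Because the import uses the alias of the existing private key entry, keytool treats the file as the CA's reply, and the self-signed certificate in the keystore is replaced by the CA-signed certificate.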
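The whole procedure run end to end against a throwaway keystore, as an added PowerShell example that is not part of the original page: a constructed test CA (alias testca, keystore ca-keystore) stands in for the real CA, and the working directory, password and subject names are assumptions. It needs the keytool from JDK 7 or later on the PATH.

```powershell
# Added example. Directory, names and the password are constructed for the demo.
$work = Join-Path ([System.IO.Path]::GetTempPath()) ('csr-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Set-Location $work
$pw = 'changeit'  # throwaway; on a real keystore omit -storepass so keytool prompts

function Invoke-Keytool {
    # Run keytool and stop the script on a non-zero exit code.
    & keytool @args
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $args" }
}

# 1. Key pair behind the wsadapter alias (starts out self-signed).
Invoke-Keytool -genkeypair -alias wsadapter -keyalg RSA -keysize 2048 -validity 30 `
    -dname 'CN=wsadapter.example.test' -keystore keystore -storepass $pw -keypass $pw

# 2. Constructed test CA in its own keystore; it stands in for the real CA.
Invoke-Keytool -genkeypair -alias testca -keyalg RSA -keysize 2048 -validity 30 `
    -dname 'CN=Constructed Test CA' -ext 'bc=ca:true' `
    -keystore ca-keystore -storepass $pw -keypass $pw

# 3. The CSR command from the page, then a look at what is about to be sent.
Invoke-Keytool -certreq -alias wsadapter -file wsadapter.csr -keystore keystore -storepass $pw
Invoke-Keytool -printcertreq -file wsadapter.csr

# 4. CA side: sign the CSR and export the CA's own certificate.
Invoke-Keytool -gencert -alias testca -infile wsadapter.csr -outfile casignedcertificate.cer `
    -rfc -validity 30 -keystore ca-keystore -storepass $pw
Invoke-Keytool -exportcert -alias testca -file testca.cer -rfc `
    -keystore ca-keystore -storepass $pw

# 5. Trust the test CA, then import the reply under the SAME alias as the private key.
Invoke-Keytool -import -alias testca -file testca.cer -noprompt `
    -keystore keystore -storepass $pw
Invoke-Keytool -import -alias wsadapter -file casignedcertificate.cer -trustcacerts `
    -keystore keystore -storepass $pw

# 6. Confirm the reply replaced the self-signed certificate (English keytool output assumed).
$entry = Invoke-Keytool -list -v -alias wsadapter -keystore keystore -storepass $pw | Out-String
if ($entry -notmatch 'Entry type: PrivateKeyEntry') { throw 'private key entry is missing' }
if ($entry -notmatch 'Certificate chain length: 2') { throw 'CA reply was not installed' }
if ($entry -notmatch 'Issuer: CN=Constructed Test CA') { throw 'unexpected issuer' }
'wsadapter now holds the private key plus a 2-certificate chain issued by the test CA'
```

Importing the reply under any alias other than the one that holds the private key creates a separate trusted-certificate entry and leaves the self-signed certificate in place, which is what step 6 is there to catch.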

Copyright IBM Corp. 2003