Creating a New SSL Certificate Using Keytool
Following page demonstrate step-by-step instructions for creating an SSL certificate.
An SSL certificate can be purchased from a certificate authority (CA).
You can use any CA that supports a certificate for Java/Tomcat.
Prerequisite: Java SDK 1.8 or above must be installed before you can
generate your CSR. Once installed, you will be using the "keytool"
command to create your key pair and CSR.
We strongly recommend running the following commands in a clean folder that does not have any files. A very common problem that users run into occurs when the
first command is run in folderA and third is run in folderB.
We also recommend adding
keytool in your $PATH variable so you don't have to explicitly type the location where it is saved.
Generating a private/public key pair
- Open a console (DOS prompt) on Windows or Terminal on Linux/Unix.
- Enter the following command.
keytool -keysize 2048 -genkey -alias xeams -keyalg RSA -keystore synametrics.cert
- You will be prompted for a password. You will need this password later on.
- Enter Distinguished Name (DN) information:
- First and last name - This is the Common name: The common name is the
fully-qualified domain name (FQDN), Host name, or URL - to which you plan to apply your
certificate. Do not enter your personal name in this field.
- Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.
City/Locality - Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.
- State/Province - Name of state or province where your organization is located. Please enter the full name. Do not abbreviate.
- Country code - The two-letter International Organization for Standardization- (ISO-) format country code for the country in which your organization is legally registered.
- Confirm that the Distinguished Name information is correct.
This steps creates a keystore, which is a file that holds certificates.
Generating a CSR
Next step is to submit a CSR (SSL Certificate Signing Request) to a certificate authority.
Submitting CSR and waiting for response
- Enter the following command:
keytool -certreq -keyalg RSA -alias xeams -file xeams.csr -keystore synametrics.cert
- Enter the keystore password you specified earlier.
- This creates a new file called xeams.csr. Open this file in any editor like Notepad.
- Cut/copy and paste the generated CSR into enrollment form of your certificate authority.
- Select Tomcat as your server software.
Once you submit a CSR to a certificate authority, you have to wait for their response. It could take anywhere from a few minutes to up to two days before you get a response. The response from the certificate authority typically includes an attached file containing your certificate. Some vendors also ask you to download the certificate from a secure website rather than emailing them to you.
You will probably get more than one file from the certificate authority. An SSL certificate creates a trust relationship by creating a chain of certificates. This is analogous to saying that you trust person A, but not C. However, person A trusts person B, who then trusts C. Therefore, it is okay to trust C.
Every file you get from a certificate authority must be added to the keystore you create in the first step.
Adding certificates to the keystore
You must add certificates in the order specified by the certificate authority. The following example shows how to add a root certificate, two intermediate certificates, and finally the actual certificate that is create for you.
Importing Root Certificate
keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore synametrics.cert
Now add two intermediary certificates. Replace File1 and File2 with actual values provided to you.
keytool -import -trustcacerts -alias Alias1 -file File1.crt -keystore synametrics.cert
keytool -import -trustcacerts -alias Alias2 -file File2.crt -keystore synametrics.cert
Finally, add the actual certificate that is meant for your copy of Xeams using the following command.
keytool -import -trustcacerts -alias xeams -file yourCertificate.crt -keystore synametrics.cert
- Connect to your Admin Console as admin
- Click Manage SSL Certificate under Server Configuration.
- Ensure the file name is correct
- Enter the password you used for the keystore
- Save and restart Xeams.