

Generate Certificate Requests by Using a Utility

You can also generate a certificate by using any utility or tool of your choice. The keytool utility (shipped with the JDK) is used for the following operations:

  1. Generate the keystore.

    keytool stores keys and certificates in a file called a keystore, which is a repository of certificates used to identify a client or a server. Typically, a keystore is specific to one client or one server. The default keystore implementation is a file, and it protects the private keys it holds with a password. Unless you specify a path, keytool creates the keystore in the directory from which you run it.

    Use the following command to generate the keystore:

    %JAVA_HOME%\bin\keytool -genkey -keyalg RSA -alias <server/or/client> -keystore <keystore_name>.jks -storetype JKS -storepass <password> -keysize 1024 -validity <validity_period_in_days>
    
  2. Generate the Certificate Signing Request (CSR).

    A CSR is encrypted identification text (see the first table in Obtaining Certificates Directly Through a Certificate Authority (CA)) and must be generated on the system where the certificate will be used. A private key is usually created at the same time as the CSR; in this procedure it is the key generated in step 1.

    Use the following command to generate the CSR:

    %JAVA_HOME%\bin\keytool -certreq -v -alias <server/or/client> -keystore <keystore_name>.jks -storepass <password> -file <server/or/client>certreq.csr
    
  3. Generate the certificate by submitting the CSR generated in the preceding step to a CA.
    1. Access the link to the CA of your choice.

      For example, if you are using MSCA, then the link will be similar to:

      http://<IP_Address_of_the_CA>/certsrv/

    2. Navigate to the link to create and submit the certificate request.

      For example, if you are using MSCA, then under the Select a task section click Request a certificate, then advanced certificate request, and then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file (or, if you are renewing the certificate, Submit a renewal request by using a base-64-encoded PKCS #7 file). Finally, copy and paste the contents of <server/or/client>certreq.csr into the Base-64-encoded certificate request field and click Submit.

    3. Download the following files in the Base-64-encoded format:
      • Signed certificate as clientcert.cer
      • Complete certificate chain as clientcertchain.p7b
      • CA certificate as clientcacert.cer
  4. Import the certificate chain into the keystore.

    Use the following command to do so. Specify the same alias that you used in step 1, so that keytool treats the file as the certificate reply for the existing private key entry:

    %JAVA_HOME%\bin\keytool -import -keystore <server/or/client>keystore.jks -storepass <password> -file <server/or/client>certchain.p7b -alias <server/or/client>
    
  5. Convert the certificates or keystore to the required formats:
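The following script is added here as a worked example and is not part of the CA Risk Authentication documentation: it runs steps 1 through 4 end to end without a network CA, using a local test CA held in a second keystore that signs the CSR with keytool -gencert (JDK 7 or later), and it finishes with a check that the reply was attached to the private key entry. The directory ./ktdemo, the aliases testca and server, the subject names, the password changeit and the 2048-bit key size are constructed for this example, and the MSCA Base-64 download of step 3 is replaced by the -gencert output file.

```shell
#!/bin/sh
# Added example, not the product documentation's code: steps 1-4 above run offline.
# The MSCA of step 3 is replaced by a local test CA in ca.jks that signs the CSR
# with "keytool -gencert" (JDK 7+). Names, password and paths are constructed.
set -eu
KT="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"      # falls back to keytool on PATH
WORK="${KTDEMO_DIR:-./ktdemo}"
PASS=changeit                                   # constructed; never hard-code a real one

run_flow() {
  rm -rf "$WORK"; mkdir -p "$WORK"
  # Stand-in CA: key pair plus self-signed certificate carrying CA BasicConstraints
  "$KT" -genkeypair -keyalg RSA -keysize 2048 -alias testca -dname "CN=Example Test CA" \
        -keystore "$WORK/ca.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS" \
        -validity 365 -ext bc:c
  "$KT" -exportcert -rfc -alias testca -keystore "$WORK/ca.jks" -storepass "$PASS" \
        -file "$WORK/cacert.cer"
  # Step 1: server keystore; the key entry starts with a self-signed placeholder cert
  "$KT" -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=ra.example.test" \
        -keystore "$WORK/server.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS" \
        -validity 365
  # Step 2: CSR for that key (signed with the private key, which never leaves server.jks)
  "$KT" -certreq -alias server -keystore "$WORK/server.jks" -storepass "$PASS" \
        -file "$WORK/servercertreq.csr"
  # Step 3: the CA signs the CSR and returns the certificate (Base-64, like the MSCA download)
  "$KT" -gencert -alias testca -keystore "$WORK/ca.jks" -storepass "$PASS" -rfc -validity 365 \
        -infile "$WORK/servercertreq.csr" -outfile "$WORK/servercert.cer"
  # Step 4: trust the CA first, then import the reply under the SAME alias as step 1 so
  # keytool can build the chain and replace the placeholder cert on the key entry
  "$KT" -importcert -noprompt -alias testca -keystore "$WORK/server.jks" -storepass "$PASS" \
        -file "$WORK/cacert.cer"
  "$KT" -importcert -noprompt -alias server -keystore "$WORK/server.jks" -storepass "$PASS" \
        -file "$WORK/servercert.cer"
}

# Checks (English-locale keytool output): the entry must still be a PrivateKeyEntry, not a
# new trustedCertEntry, and its chain must now be 2 certs long; 1 means the reply did not attach
list_server()  { "$KT" -list -v -alias server -keystore "$WORK/server.jks" -storepass "$PASS"; }
entry_type()   { list_server | sed -n 's/^Entry type: *//p'; }
chain_length() { list_server | sed -n 's/^Certificate chain length: *//p'; }

main() {
  command -v "$KT" >/dev/null 2>&1 || { echo "keytool not found; set JAVA_HOME" >&2; return 0; }
  run_flow
  echo "server entry: $(entry_type), chain length: $(chain_length)"
}
main
```

When the reply is a PKCS #7 chain (.p7b) as in step 4, keytool also checks that the top certificate of the chain is already trusted in the keystore (or in cacerts when -trustcacerts is given) and otherwise asks whether to install the reply anyway.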