

Create Your Own Self-Signed Certificate

This example uses the keytool utility, which is in the Java Runtime Environment (JRE).

To create your own self-signed certificate:

  1. Run keytool and enter the appropriate responses to the prompts (on current JDKs, -genkeypair is the preferred name for -genkey; both are accepted):
    prompt>keytool -genkey -alias serverA -keyalg RSA -validity 365 -keystore keystore.ks
    Enter keystore password: MyNewSecretPassword  <typed passwords are not echoed>
    Re-enter new password: MyNewSecretPassword
    What is your first and last name?
      [Unknown]: serverA
    What is the name of your organizational unit?
      [Unknown]: dev
    What is the name of your organization?
      [Unknown]: ITKO
    What is the name of your City or Locality?
      [Unknown]: Dallas
    What is the name of your State or Province?
      [Unknown]: TX
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is CN=serverA, OU=dev, O=ITKO, L=Dallas, ST=TX, C=US correct?
      [no]: yes
    Enter key password for <serverA>
            (RETURN if same as keystore password)  <press RETURN>
    


    The utility creates the keystore file keystore.ks, which holds the private key together with a self-signed certificate that is valid for 365 days. Answer the first-and-last-name prompt with the server's real host name: it becomes the CN of the certificate, and clients that verify host names compare the host they connected to against the certificate's name (current clients check the subjectAlternativeName extension rather than the CN; keytool's -ext SAN=dns:serverA option adds one). The command above does not set a key size or signature algorithm, so the JDK defaults apply; older releases default to 1024-bit RSA and SHA1withRSA (visible as "Signature algorithm name: SHA1withRSA" in the step 6 output), so on any current JDK add -keysize 2048 -sigalg SHA256withRSA to the command.

  2. Copy keystore.ks to LISA_HOME and update local.properties:
    lisa.net.keyStore={{LISA_HOME}}keystore.ks
    lisa.net.keyStore.password=MyNewSecretPassword
    
  3. The first time DevTest reads the plain text password, it converts the password to an encrypted property:
    lisa.net.keyStore.password_enc=33aa310aa4e18c114dacf86a33cee898
    

    The server side of the connection configuration is complete.

  4. Configure the client.

    Because this certificate is self-signed, you must explicitly tell the clients to trust it. Typically, when you connect to an SSL service (for example, with a browser to https://www.MyBank.com), the server's certificate is signed by a Certification Authority that the client already trusts. No trusted third party vouches for a self-signed certificate, so you add the certificate itself to a trust store and point the client at that store in local.properties:

    lisa.net.trustStore={{LISA_HOME}}trustStore.ts
    lisa.net.trustStore.password=MyNewSecretPassword
    

    The same keytool utility manages trust stores; both are keystore files, and the difference is what they hold. The server keystore contains the private key together with its certificate (or certificate chain). A trust store contains only certificates, one or more, that the client accepts as trusted. Never copy the server keystore to clients as their trust store: that would hand out the private key.

  5. Export the certificate from the server keystore (the file name must match the one used in step 1; file names are case-sensitive on most platforms):
    keytool -exportcert -rfc -alias serverA -keystore keystore.ks -file serverA.cer

    The -rfc option writes the certificate as Base64-encoded PEM text rather than binary DER, which makes it easy to copy, paste and inspect. The export contains only the public certificate, never the private key. In our example, the resulting serverA.cer file looks like the following:

    -----BEGIN CERTIFICATE-----
    MIICEzCCAXygAwIBAgIEThZnYzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJDQjELMAkGA1UE
    CBM420IxCzAJBgNVBAcTAkNCMQswCQYDVQQKEwJDQjELMAkGA1UECxMCQ0IxCzAJBgNVBAMTAkNC
    MB4XDTExMDcwODAyMTE0N1oXDTEyMDcwNzAyMTE0N1owTJELMAkGA1UEBhMCQ0IxCzAJBgNVBAgT
    AkNCMQswCQYDVQQHEwJDQjELMAkGA1UECDMCQ0IxCzAJBgNVBAsTAkNCMQswCQYDVQQDEwJDQjCB
    nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhYfaN+dCrKQwYZ+KeaaPUI8DeXNiqQ/mS+KGnXnh
    Pz08vdX/7HDLW4pzFhntjmkxxOi9dMwlO2thTD1cOxI571PotenMENo4nyiUAEnMK9MTiWEYr2cQ
    b6/TUueBCjRJ9I0GPCI0WPS+0Na2Q/wq8gPCHmDRpw1Xgo4uZ1v6C/ECAwEAATANBgkqhkiG9w0B
    AQUFAAOBgQByCsX9EoBFIGhcSwoRwEvapIrv8wTaqQPOKKyeIevSmbnERRu6+oi+cJftbdEfw6GG
    CBddJH+dGZ9VeqLU8zBGasbU+JPzG5ElOgOXcUGeQQEaM1YMv6XWrIwNSljQk/MPZSt3ROtJOlae
    JPKJXSQ610xof9+yLHH0ebUGhUjdlQ==
    -----END CERTIFICATE-----
    
  6. Add this certificate to the client trust store.

    Because you are creating a trust store file, you enter the password twice. If you add further certificates to this client trust store, you enter the password once.

    prompt> keytool -importcert -file serverA.cer -keystore trustStore.ts
    Enter keystore password:
    Re-enter new password:
    Owner: CN=serverA, OU=dev, O=itko, L=Dallas, ST=Texas, C=US
    Issuer: CN=serverA, OU=dev, O=itko, L=Dallas, ST=Texas, C=US
    Serial number: 4e155338
    Valid from: Thu Jul 07 16:33:28 EST 2011 until: Wed Oct 05 17:33:28 EST 2011
    Certificate fingerprints:
         MD5:  5B:10:F6:C8:02:3E:36:F5:AA:6D:FC:10:EF:F5:7F:54
         SHA1: 09:DA:8E:71:7C:D5:BB:44:89:14:13:07:F4:A1:C7:06:35:CD:BE:B1
         Signature algorithm name: SHA1withRSA
         Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

    Before you answer yes, compare the fingerprint that keytool prints with the fingerprint of the certificate in the server keystore (keytool's -list -v option prints it on the server; alternatively the server administrator sends it over a separately authenticated channel). A trust store built by answering yes to an unverified fingerprint is only as trustworthy as the path the .cer file took to reach you. Also check that the Owner and validity period are the ones you chose in step 1; the sample output above comes from a different run, so its organization, state and validity values differ from the command shown there.

    Once the certificate is imported, the client encrypts its traffic to the DevTest server (including servers in a public cloud) and authenticates the server against exactly this certificate. For two DevTest components to talk over SSL, the server side needs the key pair in its keystore and the client side needs the server's certificate in its trust store.

  7. If your client talks to more than one remote SSL server, import each server's certificate into the same trust store with the same keytool -importcert command, giving each one a distinct -alias. The command in step 6 omits -alias, so that entry receives keytool's default alias (mykey); a second import without -alias fails because the alias already exists.

    Note: In addition to the transport-level security that SSL provides, you can still enable fine-grained Access Control Lists (ACLs). Access Control Lists let you require users to authenticate with a user name and password. This is similar to a banking website that uses HTTPS but still requires you to identify yourself.
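The procedure in steps 1, 5 and 6 scripted end to end, as an added example that is not part of the DevTest documentation. It assumes keytool from a JDK 8 or later is on the PATH and that the store types the JDK creates by default (as on the page, no -storetype is given) are acceptable to your DevTest version. Passwords are read through keytool's -storepass:env and -keypass:env modifiers so they never appear on the command line; the key pair gets an explicit 2048-bit size, SHA256withRSA signature and a SAN for the host name; and the client-side import refuses any .cer file whose SHA-256 fingerprint differs from the one read from the server keystore, which is the comparison the interactive "Trust this certificate?" prompt leaves to the operator. The alias (serverA), file names and DN values follow the page; the function names and the demo password are assumptions.

```shell
#!/bin/sh
# Added example, not part of the DevTest documentation. Requires keytool (JDK 8+) on PATH.
# Passwords are passed by environment-variable NAME so the -storepass:env / -keypass:env
# modifiers read them from the environment rather than from the command line.
set -u

# SHA-256 fingerprint of the certificate under alias $2 in keystore $1 ($3 is the name of
# the exported variable holding the store password). Empty output means "not found".
store_fingerprint() {
  keytool -list -v -alias "$2" -keystore "$1" -storepass:env "$3" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# SHA-256 fingerprint of a certificate file (PEM or DER); needs no password.
file_fingerprint() {
  keytool -printcert -file "$1" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Step 1: key pair plus self-signed certificate for host $2 in keystore $1.
# Explicit key size and signature algorithm instead of the JDK-dependent defaults,
# and a subjectAlternativeName so host-name-verifying clients accept the certificate.
gen_server_keystore() {
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -dname "CN=$2, OU=dev, O=ITKO, L=Dallas, ST=TX, C=US" \
    -ext "SAN=dns:$2" -keystore "$1" -storepass:env "$3" -keypass:env "$3"
}

# Step 5: export only the certificate (never the private key) as PEM text to $4.
export_cert() {
  keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass:env "$3" -file "$4"
}

# Step 6 with the check the interactive prompt leaves to the operator: import $4 into
# trust store $1 under alias $2 only if its fingerprint equals $5, the value obtained
# out of band from the server side. -noprompt replaces the "Trust this certificate?" question.
import_if_fingerprint_matches() {
  actual=$(file_fingerprint "$4")
  if [ -z "$actual" ] || [ "$actual" != "$5" ]; then
    echo "refusing to trust $4: fingerprint '$actual' != expected '$5'" >&2
    return 1
  fi
  keytool -importcert -noprompt -alias "$2" -file "$4" -keystore "$1" -storepass:env "$3"
}

# True if trust store $1 holds a trusted certificate under alias $2.
truststore_has() {
  keytool -list -alias "$2" -keystore "$1" -storepass:env "$3" 2>/dev/null \
    | grep -q trustedCertEntry
}

# Whole flow in directory $1: server keystore, exported .cer, verified import on the client.
run_demo() {
  dir=$1
  export KS_PASS="${KS_PASS:-MyNewSecretPassword}"   # demo value, as on the page
  export TS_PASS="${TS_PASS:-MyNewSecretPassword}"
  gen_server_keystore "$dir/keystore.ks" serverA KS_PASS &&
  export_cert "$dir/keystore.ks" serverA KS_PASS "$dir/serverA.cer" &&
  expected=$(store_fingerprint "$dir/keystore.ks" serverA KS_PASS) &&
  import_if_fingerprint_matches "$dir/trustStore.ts" serverA TS_PASS "$dir/serverA.cer" "$expected" &&
  truststore_has "$dir/trustStore.ts" serverA TS_PASS
}

# "sh selfsigned.sh demo /some/dir" runs the flow; with no arguments only the functions are defined.
case "${1:-}" in demo) run_demo "${2:-.}" ;; esac
```

Run it as `sh selfsigned.sh demo /tmp/devtest-ssl` and point lisa.net.keyStore and lisa.net.trustStore at the two files it produces. In a real deployment the expected fingerprint handed to import_if_fingerprint_matches comes from the server administrator over a channel independent of the one that delivered the .cer file; reading it from the same keystore, as the demo does, only makes sense when both sides are generated on one machine.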