

Using a Utility to Generate Certificate Request

You can also generate a certificate request by using any utility or tool of your choice, and then submit it to a CA to obtain the certificate. The following steps use the keytool utility, which is available with the JDK:

  1. Generate the keystore.

    keytool stores the keys and certificates in a file called a keystore, which is a repository of certificates used for identifying a client or a server. Typically, a keystore is specific to one client or one server. The default keystore implementation stores the keystore as a file and protects private keys with a password. Keystores are created in the directory from which you run keytool.

    Use the following command to generate the keystore:

    %JAVA_HOME%/bin/keytool -genkey -keyalg RSA -alias <server/or/client> -keystore <keystore_name>.jks -storetype JKS -storepass <password> -keysize 1024 -validity <validity_period_in_days>
    
  2. Generate the Certificate Signing Request (CSR).

    A CSR is encrypted identification text and must be generated on the system where the certificate will be used. A private key is usually created at the same time that you create the CSR.

    Use the following command to generate the CSR:

    %JAVA_HOME%/bin/keytool -certreq -v -alias <server/or/client> -keystore <keystore_name>.jks -storepass <password> -file <server/or/client>certreq.csr
    
  3. Generate the certificate by submitting the CSR generated in the preceding step to a CA.
    1. Access the link to the CA of your choice.

      For example, if you are using MSCA, then the link will be similar to:

      http://<IP_Address_of_the_CA>/certsrv/

    2. Navigate to the link to create and submit the certificate request.

      For example, if you are using MSCA, then under the Select a task section, click the Request a certificate option, then the advanced certificate request option, and then the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file option (or, if you are renewing the certificate, submit a renewal request by using a base-64-encoded PKCS #7 file). Finally, copy and paste the contents of <server/or/client>certreq.csr into the Base-64-encoded certificate request field and click Submit.

    3. Download the following files in the DER-encoded format:
      • Signed certificate as <server/or/client>cert.cer
      • Complete certificate chain as <server/or/client>cert.p7b
      • CA certificate as <server/or/client>cacert.cer
  4. Import the certificate chain into the keystore.

    Use the following command to do so:

    %JAVA_HOME%/bin/keytool -import -keystore <server/or/client>keystore.jks -storepass <password> -file <server/or/client>certchain.p7b -alias <server/or/client>
    
  5. Convert the certificates or keystore to the required formats using open source tools such as OpenSSL.
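
An added example, not part of the original documentation or the product: a small Python check that parses the keytool commands from the steps above and flags two settings a reviewer would question, the 1024-bit RSA key size in step 1 and the keystore password passed as a command-line argument. The 2048-bit floor (NIST SP 800-131A), the sample values, and the function names are assumptions made for this example.

```python
import shlex

MIN_RSA_BITS = 2048  # assumption: floor from NIST SP 800-131A, not from this page
SECRET_FLAGS = {"-storepass", "-keypass"}  # keytool prompts when these are omitted


def parse_keytool(command):
    """Split a keytool command line into (operation, {flag: value})."""
    tokens = shlex.split(command)[1:]  # drop the path to keytool itself
    operation, options, i = None, {}, 0
    while i < len(tokens):
        tok = tokens[i]
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tok.startswith("-") and has_value:
            options[tok] = tokens[i + 1]
            i += 1  # skip the value just consumed
        elif tok.startswith("-") and operation is None:
            operation = tok  # first bare flag, e.g. -genkey or -certreq
        elif tok.startswith("-"):
            options[tok] = None  # value-less switch such as -v
        i += 1
    return operation, options


def audit(command):
    """Return (severity, message) findings for one keytool command line."""
    operation, opts = parse_keytool(command)
    findings = []
    bits = opts.get("-keysize") or ""
    is_rsa = (opts.get("-keyalg") or "").upper() == "RSA"
    if operation in ("-genkey", "-genkeypair") and is_rsa and bits.isdigit():
        if int(bits) < MIN_RSA_BITS:
            findings.append(("high", f"RSA -keysize {bits} is below {MIN_RSA_BITS} bits"))
    for flag in sorted(SECRET_FLAGS & opts.keys()):
        findings.append(("medium", f"{flag} on the command line is visible in "
                                   "process listings and shell history"))
    return findings

# Constructed sample: the step 1 command with placeholder values filled in.
STEP1 = ("%JAVA_HOME%/bin/keytool -genkey -keyalg RSA -alias server "
         "-keystore server.jks -storetype JKS -storepass changeit "
         "-keysize 1024 -validity 365")
# Same operation with a 2048-bit key; keytool prompts for the password instead.
HARDENED = ("%JAVA_HOME%/bin/keytool -genkey -keyalg RSA -alias server "
            "-keystore server.jks -storetype JKS -keysize 2048 -validity 365")

if __name__ == "__main__":
    for name, cmd in (("step 1 as written", STEP1), ("hardened", HARDENED)):
        print(name, audit(cmd) or "no findings")
```

The same `audit` function applies to the `-certreq` and `-import` commands in steps 2 and 4, where only the password finding is relevant.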