Chapter 4

Section 4.2

Operating SSL

KeyStores and TrustStores

This command generates a certificate signing request (CSR) that can be submitted to a CA to request a certificate. The file client.csr contains the CSR in PEM format.

A CA trusted by the Web server to which the eWay is connecting must sign the CSR. The CA generates a certificate for the CSR and signs that certificate with its private key. For more information, visit the following web sites:

http://www.thawte.com

or

http://www.verisign.com

If the certificate is chained with the CA’s certificate, perform step 1; otherwise, perform step 2 in the following list:

1. The following command assumes the client certificate is in the file client.cer and the CA’s certificate is in the file CARoot.cer:

keytool -import -keystore clientkeystore -file client.cer -alias client

This command imports the certificate file, which can contain one or more CA certificates in addition to the client’s certificate.

Also use the following command to import the CA’s certificate into the KeyStore so that it chains with the client’s certificate:

keytool -import -keystore clientkeystore -file CARoot.cer -alias theCARoot

2. The following command imports the client’s certificate signed by the CA whose certificate was imported in the preceding step:

keytool -import -keystore clientkeystore -file client.cer -alias client

The generated file clientkeystore contains the client’s private key and the associated certificate chain, which are used for client authentication and signing. The clientkeystore file can then be used as the eWay’s KeyStore.

See “KeyStores” on page 29 for more information.

Creating a KeyStore in PKCS12 Format

This section explains how to create a PKCS12 KeyStore to work with JSSE. In a real working environment, a customer could already have an existing private key and certificate (signed by a known CA). In this case, the JKS format cannot be used, because keytool does not allow the user to import a private key into, or export one from, a JKS KeyStore. Instead, generate a PKCS12 database containing the private key and its certificate.

The generated PKCS12 database can then be used as the eWay’s KeyStore. The keytool utility currently cannot write to a PKCS12 database, although it can read from one.

Note: Third-party tools are also available for generating PKCS12 databases, if you prefer to use a different tool.
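The following script is an added example, not part of the eWay guide, that walks both KeyStore routes described above end to end: the two-step keytool import of the CA root and the CA-signed client certificate into a JKS KeyStore, and the PKCS12 route for a private key that already exists outside keytool. Because the guide does not name a third-party tool, openssl is assumed for that part; a throwaway CA is constructed with openssl so the whole thing runs offline. File names, subject names and the password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the eWay guide. Two KeyStore routes against a
# constructed demo CA:
#   jks_route    - keytool key pair + CSR, CA-signed, CA root imported under
#                  theCARoot, then the CA reply imported under the key alias
#   pkcs12_route - an existing openssl key and certificate packaged, with the
#                  CA chain, as a PKCS12 KeyStore (openssl assumed as the tool)
set -eu
PASS="changeit"   # assumed password for every store in this demo

# Constructed demo CA: CARoot.cer plus its private key. In practice
# CARoot.cer comes from the CA that signs your CSR and ca.key never exists
# on your side.
make_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/CARoot.cer" 2>/dev/null
}

# What the CA does with a CSR: sign it with the CA private key.
sign_csr() {
    dir="$1"; csr="$2"; out="$3"
    openssl x509 -req -sha256 -days 365 -in "$csr" -CA "$dir/CARoot.cer" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$out" 2>/dev/null
}

jks_route() {
    dir="$1"; ks="$dir/clientkeystore"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; JKS route skipped"; return 0; }
    # The private key is generated inside the KeyStore and never leaves it.
    # -storetype JKS is explicit because modern keytool defaults to PKCS12.
    keytool -genkey -keyalg RSA -keysize 2048 -alias client -dname "CN=eway-client" \
        -storetype JKS -keystore "$ks" -storepass "$PASS" -keypass "$PASS" -validity 365
    keytool -certreq -alias client -keystore "$ks" -storepass "$PASS" -file "$dir/client.csr"
    sign_csr "$dir" "$dir/client.csr" "$dir/client.cer"
    # Step 2 of the guide: the CA root first, so the CA reply can be chained.
    keytool -import -noprompt -alias theCARoot -file "$dir/CARoot.cer" \
        -keystore "$ks" -storepass "$PASS"
    # Importing the reply under the key's own alias replaces the self-signed
    # certificate with the CA-signed chain; keytool verifies the chain
    # against theCARoot before accepting it.
    keytool -import -noprompt -alias client -file "$dir/client.cer" \
        -keystore "$ks" -storepass "$PASS" -keypass "$PASS"
    keytool -list -keystore "$ks" -storepass "$PASS"
}

pkcs12_route() {
    dir="$1"
    # An "existing" key and certificate that never passed through keytool.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=eway-client" \
        -keyout "$dir/existing.key" -out "$dir/existing.csr" 2>/dev/null
    sign_csr "$dir" "$dir/existing.csr" "$dir/existing.cer"
    # Private key + certificate + CA chain in one PKCS12 database; -name is
    # the alias the eWay will see.
    openssl pkcs12 -export -name client -in "$dir/existing.cer" -inkey "$dir/existing.key" \
        -certfile "$dir/CARoot.cer" -out "$dir/client.p12" -passout "pass:$PASS"
}

# Check: the PKCS12 file must carry the full chain (client + CA root).
count_p12_certs() {
    openssl pkcs12 -in "$1/client.p12" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

run_demo() {
    dir="$(mktemp -d)"
    make_ca "$dir"
    pkcs12_route "$dir"
    echo "certificates in client.p12: $(count_p12_certs "$dir")"   # 2
    jks_route "$dir"
}
run_demo
```

The chain check matters in practice: a PKCS12 file that holds only the leaf certificate will authenticate, but the eWay cannot present the intermediate or root to a server that does not already trust the leaf. With OpenSSL 3 the exported file uses modern PBES2 encryption; if an older Java runtime refuses to read it, re-export with the `-legacy` option of `openssl pkcs12`.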

HTTPS eWay Adapter User’s Guide

31

Sun Microsystems, Inc.
