Chapter 4

Section 4.2

Operating SSL

KeyStores and TrustStores

For the following example, openssl is used to generate the PKCS12 KeyStore. The existing key is in the file mykey.pem.txt in PEM format. The certificate is in mycertificate.pem.txt, which is also in PEM format. A text file must be created which contains the key followed by the certificate, as follows:

cat mykey.pem.txt mycertificate.pem.txt > mykeycertificate.pem.txt

The PKCS12 KeyStore is then generated from that file:

openssl pkcs12 -export -in mykeycertificate.pem.txt -out mykeystore.pkcs12 -name myAlias -noiter -nomaciter

This command prompts the user for a password. The password is required: the KeyStore fails to work with JSSE without one. The same password must also be supplied as the eWay’s KeyStore password (see Table 8 on page 50).

This command uses the openssl pkcs12 command to generate a PKCS12 KeyStore containing the private key and certificate. The generated KeyStore is mykeystore.pkcs12, with an entry specified by the myAlias alias. This entry contains the private key and the certificate provided by the -in argument. The -noiter and -nomaciter options must be specified so that JSSE recognizes the generated KeyStore properly.

4.2.3 TrustStores

Creating a TrustStore

For demonstration purposes, suppose you have the following CAs that you trust: firstCA.cert, secondCA.cert, thirdCA.cert, located in the directory C:\cascerts. You can create a new TrustStore consisting of these three trusted certificates.

To create a new TrustStore

Use the following command:

keytool -import -file C:\cascerts\firstCA.cert -alias firstCA -keystore myTrustStore

You must enter this command two more times, but for the second and third entries, substitute secondCA and thirdCA for firstCA. Each of these command entries has the following purposes:

1 The first entry creates a KeyStore file named myTrustStore in the current working directory and imports the firstCA certificate into the TrustStore with an alias of firstCA. The format of myTrustStore is JKS.

2 For the second entry, substitute secondCA to import the secondCA certificate into the TrustStore, myTrustStore.

3 For the third entry, substitute thirdCA to import the thirdCA certificate into the TrustStore.

Once completed, myTrustStore is available to be used as the TrustStore for the eWay.
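The two procedures above, the PKCS12 KeyStore built with cat and openssl pkcs12 -export and the JKS TrustStore built with one keytool -import per CA, are scripted below as an added example; this is not code from the HTTPS eWay guide. It assumes openssl is on the PATH, that keytool from a JDK is on the PATH for the TrustStore part, and that the passwords are supplied in the environment variables KEYSTORE_PASS and TRUSTSTORE_PASS (a name chosen here) rather than at an interactive prompt, so that they never appear on a command line or in shell history. The key, certificate and CA files are constructed self-signed stand-ins for the guide's mykey.pem.txt, mycertificate.pem.txt and C:\cascerts contents. It goes slightly beyond the guide by verifying what actually landed in each store.

```shell
#!/bin/sh
# Added example, not code from the HTTPS eWay guide: scripts the PKCS12
# KeyStore steps (cat + openssl pkcs12 -export) and the TrustStore steps
# (keytool -import, one CA at a time), and checks each result.
# Assumptions: openssl on PATH; keytool from a JDK on PATH for the TrustStore
# part; passwords arrive in KEYSTORE_PASS / TRUSTSTORE_PASS (names chosen here).
set -eu

# Constructed stand-in for the guide's mykey.pem.txt / mycertificate.pem.txt
# (and, with another CN, for the CA certificates in C:\cascerts): an
# unencrypted RSA key plus a short-lived self-signed certificate.
make_demo_key_and_cert() {
    key="$1"; cert="$2"; cn="${3:-demo-eway-client}"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$cn" \
        -keyout "$key" -out "$cert" >/dev/null 2>&1
}

# PKCS12 KeyStore from a PEM key and certificate, as in the guide.
build_pkcs12_keystore() {
    key="$1"; cert="$2"; out="$3"; alias="$4"
    : "${KEYSTORE_PASS:?KEYSTORE_PASS must be set: JSSE rejects an empty PKCS12 password}"
    # Key first, then certificate, exactly the order the guide requires.
    cat "$key" "$cert" > "$out.pem.txt"
    # -noiter/-nomaciter are what JSSE needs here, but they set the KDF and
    # MAC iteration counts to 1, so the store password is cheaper to
    # brute-force. Tight file mode and cleanup of the clear-text PEM compensate.
    openssl pkcs12 -export -in "$out.pem.txt" -out "$out" -name "$alias" \
        -noiter -nomaciter -passout env:KEYSTORE_PASS
    chmod 600 "$out"
    rm -f "$out.pem.txt"   # the concatenated file holds the private key in clear
}

# Check: the store's MAC verifies under the password (fails otherwise), and it
# holds the expected bags: one certificate, one key. Prints "certs=N keys=M".
pkcs12_summary() {
    store="$1"
    info=$(openssl pkcs12 -in "$store" -info -noout -passin env:KEYSTORE_PASS 2>&1) || return 1
    certs=$(printf '%s\n' "$info" | grep -c 'Certificate bag' || true)
    keys=$(printf '%s\n' "$info" | grep -c 'Keybag' || true)
    printf 'certs=%s keys=%s\n' "$certs" "$keys"
}

# JKS TrustStore from every *.cert file in a directory: one keytool -import
# per CA, alias taken from the file name (firstCA.cert -> firstCA).
# -noprompt skips the "Trust this certificate?" question, so only CA certs
# already vetted belong in that directory. -storetype JKS is pinned because
# JDK 9+ would otherwise create a PKCS12 store rather than the JKS the guide
# describes. Prints the number of trustedCertEntry entries in the result.
build_truststore() {
    cadir="$1"; store="$2"
    : "${TRUSTSTORE_PASS:?TRUSTSTORE_PASS must be set}"
    for cert in "$cadir"/*.cert; do
        alias=$(basename "$cert" .cert)
        keytool -import -noprompt -storetype JKS -file "$cert" -alias "$alias" \
            -keystore "$store" -storepass:env TRUSTSTORE_PASS >/dev/null 2>&1
    done
    keytool -list -storetype JKS -keystore "$store" -storepass:env TRUSTSTORE_PASS 2>/dev/null \
        | grep -c 'trustedCertEntry' || true
}
```

Typical use, in an empty working directory: `export KEYSTORE_PASS=...`, then `make_demo_key_and_cert mykey.pem.txt mycertificate.pem.txt` (or supply the real PEM files), `build_pkcs12_keystore mykey.pem.txt mycertificate.pem.txt mykeystore.pkcs12 myAlias`, and `pkcs12_summary mykeystore.pkcs12`, which should report `certs=1 keys=1`; a missing certificate bag means the PEM order or the -in file was wrong and TLS client authentication would fail later. For the TrustStore, put the CA files in a directory, `export TRUSTSTORE_PASS=...`, and run `build_truststore cascerts myTrustStore`; the count it prints should equal the number of CA files.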

Using an Existing TrustStore

This section explains how to use an existing TrustStore such as the default Logical Host TrustStore in the location:

HTTPS eWay Adapter User’s Guide

32

Sun Microsystems, Inc.
