At this point in the procedure, the keystore contains a private key and an X.509 self-signed certificate. If the RDU tries to respond with this certificate to a client's initial handshake, the client will reject the certificate with a TLS alert bad CA, indicating that the certificate authority that the client trusts did not sign the certificate. Therefore, a signing authority that the client trusts must sign the certificate.
To support SSL, the clients must have a list of preconfigured public certificates of signing authorities that they trust.
The keytool -certreq command generates a certificate-signing request (CSR). The CSR is produced in the industry-standard PKCS#10 format.
The following example uses a keystore with a pre-existing self-signed certificate under the alias rducert to generate a certificate-signing request and write the request to the train-1.csr file.
# ./keytool -alias rducert -certreq -file /opt/CSCObac/lib/security/rducert.csr -storetype JCEKS -keystore /opt/CSCObac/lib/security/.keystore
Enter keystore password: changeit
The next step is to submit the CSR file to your signing authority. Your signing authority or your administrator, who is in possession of the private key for the signing authority, will generate a signed certificate based on this request. From the administrator, you must also obtain the public certificate of the signing authority.
Verifying the Signed Certificate
After you have received the signed certificate, use the keytool -printcert command to verify that the self-signed certificate is in the correct file format and has the expected owner and issuer fields. The command reads the certificate from the file named by the cert_file parameter and prints its contents in a human-readable format.
rootCA.crt file in this example identifies the signed certificate that the administrator provides.
# ./keytool -printcert -file rootCA.crt
Owner: CN=BAC Testing, OU=NMTG, O=Cisco Systems Inc., L=Bangalore, ST=KAR, C=IN
Issuer: CN=BAC Testing, OU=NMTG, O=Cisco Systems Inc., L=Bangalore, ST=KAR, C=IN
Serial number: 50331e4f
Valid from: Tue Aug 21 11:06:15 IST 2012 until: Mon Nov 19 11:06:15 IST 2012
Signature algorithm name: SHA1withRSA
keytool can print X.509 v1, v2, and v3 certificates, and PKCS#7-formatted certificate chains comprising certificates of that type. The data to be printed must be provided in binary (DER) encoding or in printable encoding (also known as Base64 encoding) as defined by RFC 1421.
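The printcert output above is only useful if someone actually compares the fields against what was expected. The following added example (not part of the Cisco documentation or of keytool itself) parses a keytool -printcert dump and flags the things an operator should check before loading the certificate into the RDU keystore: whether Owner equals Issuer (a self-signed certificate, which a client will reject with the bad CA alert described earlier), whether the Issuer matches the CA the clients trust, whether the validity window covers the current date, and whether the signature algorithm is one that modern clients refuse (the page's example uses SHA1withRSA). The sample dumps, the expected issuer DN and the rdu.example.test owner are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the shape of `keytool -printcert` output: a certificate for the
# RDU that was signed by the CA (the values are made up for this example).
SAMPLE_SIGNED = """\
Owner: CN=rdu.example.test, OU=NMTG, O=Example Corp, L=Bangalore, ST=KAR, C=IN
Issuer: CN=BAC Testing, OU=NMTG, O=Cisco Systems Inc., L=Bangalore, ST=KAR, C=IN
Serial number: 50331e4f
Valid from: Tue Aug 21 11:06:15 IST 2012 until: Mon Nov 19 11:06:15 IST 2012
Signature algorithm name: SHA1withRSA
"""

# The same shape for the CA's own certificate, where Owner and Issuer are identical.
SAMPLE_ROOT_CA = """\
Owner: CN=BAC Testing, OU=NMTG, O=Cisco Systems Inc., L=Bangalore, ST=KAR, C=IN
Issuer: CN=BAC Testing, OU=NMTG, O=Cisco Systems Inc., L=Bangalore, ST=KAR, C=IN
Serial number: 50331e4f
Valid from: Tue Aug 21 11:06:15 IST 2012 until: Mon Nov 19 11:06:15 IST 2012
Signature algorithm name: SHA1withRSA
"""

# The DN the operator expects in the Issuer field (assumed; copy it from the CA certificate).
TRUSTED_ISSUER = "CN=BAC Testing, OU=NMTG, O=Cisco Systems Inc., L=Bangalore, ST=KAR, C=IN"

# Signature algorithms that current TLS clients reject or warn about.
WEAK_SIG_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withECDSA"}

_FIELD_RE = re.compile(r"^(Owner|Issuer|Serial number|Signature algorithm name):\s*(.*)$")
_VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+)$")


def parse_printcert(text):
    """Return a dict of the fields keytool -printcert prints for one certificate."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
            continue
        m = _VALID_RE.match(line)
        if m:
            fields["Valid from"] = m.group(1).strip()
            fields["Valid until"] = m.group(2).strip()
    return fields


def parse_keytool_date(s):
    """Parse java.util.Date.toString() output such as 'Tue Aug 21 11:06:15 IST 2012'.
    The zone abbreviation is dropped: a day-level expiry check does not need the offset."""
    parts = s.split()
    if len(parts) != 6:
        raise ValueError("unexpected keytool date: %r" % s)
    return datetime.strptime(" ".join(parts[:4] + [parts[5]]), "%a %b %d %H:%M:%S %Y")


def parse_dn(dn):
    """Split an RFC 2253-style DN into a set of (attribute, value) pairs so that
    attribute order and spacing differences do not defeat the comparison."""
    pairs = set()
    for rdn in re.split(r"(?<!\\),\s*", dn):
        attr, _, value = rdn.partition("=")
        pairs.add((attr.strip().upper(), value.strip()))
    return pairs


def check_certificate(text, trusted_issuer, now=None):
    """Return the list of problems found in one keytool -printcert dump.
    `now` may be a datetime, a keytool-format date string, or None (current time)."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = parse_keytool_date(now)
    f = parse_printcert(text)
    findings = []
    owner, issuer = parse_dn(f["Owner"]), parse_dn(f["Issuer"])
    if owner == issuer:
        findings.append("self-signed")
    if issuer != parse_dn(trusted_issuer):
        findings.append("issuer-mismatch")
    if now < parse_keytool_date(f["Valid from"]):
        findings.append("not-yet-valid")
    if now > parse_keytool_date(f["Valid until"]):
        findings.append("expired")
    if f.get("Signature algorithm name") in WEAK_SIG_ALGS:
        findings.append("weak-signature")
    return findings


if __name__ == "__main__":
    # Pipe the real output in: ./keytool -printcert -file rducert-signed.crt | python3 check.py
    import sys
    for problem in check_certificate(sys.stdin.read(), TRUSTED_ISSUER):
        print("WARNING:", problem)
```

Run against SAMPLE_SIGNED at a date inside the validity window, the only finding is weak-signature; run against the CA certificate from the printcert example, the owner and issuer match and the self-signed finding fires as well. A certificate that produces issuer-mismatch was signed by something other than the CA the clients were preconfigured to trust and will draw the same bad CA alert as the original self-signed certificate.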