At this point in the
procedure, the keystore contains a private key and an X.509 self-signed
certificate. If the RDU tries to respond with this certificate to a client's
initial handshake, the client rejects the certificate with a TLS alert
(typically unknown_ca), indicating that no certificate authority that the
client trusts signed the certificate. Therefore, a signing authority that the
client trusts must sign the certificate.
To support SSL, the clients
must have a list of preconfigured public certificates of signing authorities
that they trust.
The keytool -certreq command
parameter generates a certificate-signing request (CSR). This command generates
the CSR in the industry-standard PKCS#10 format.
The following example uses a
keystore with a pre-existing self-signed certificate under the alias
rducert to generate a
certificate-signing request and write the request to the
/opt/CSCObac/lib/security/rducert.csr file.
# ./keytool -alias rducert -certreq -file /opt/CSCObac/lib/security/rducert.csr -storetype JCEKS -keystore /opt/CSCObac/lib/security/.keystore
Enter keystore password: changeit
The next step is to submit
the CSR file to your signing authority. Your signing authority or your
administrator, who is in possession of the private key for the signing
authority, generates a signed certificate based on this request. From the
administrator, you must also obtain the public certificate of the signing
authority; keytool needs it to validate the chain when the signed certificate
is later imported under the rducert alias.
Verifying the Signed Certificate
After you have received the
signed certificate, use the keytool -printcert
command to verify that the certificate is in the correct file format
and carries the expected owner and issuer fields. The command reads the
certificate from the file named by the -file (cert_file) parameter, and
prints its contents in a human-readable format. The rootCA.crt
file in this example is the certificate being checked. Note that in this
output the Owner and Issuer fields are identical, which is what a self-signed
root CA certificate looks like; the RDU's own signed certificate must instead
show the subject from the CSR as Owner and the signing authority's subject as
Issuer. The sample also shows a SHA1withRSA signature; current TLS clients
reject SHA-1 certificate signatures, so request a SHA-256 or stronger
signature from the signing authority.
# ./keytool -printcert -file rootCA.crt
Owner: CN=BAC Testing, OU=NMTG, O=Cisco Systems Inc., L=Bangalore, ST=KAR, C=IN
Issuer: CN=BAC Testing, OU=NMTG, O=Cisco Systems Inc., L=Bangalore, ST=KAR, C=IN
Serial number: 50331e4f
Valid from: Tue Aug 21 11:06:15 IST 2012 until: Mon Nov 19 11:06:15 IST 2012
Signature algorithm name: SHA1withRSA
keytool can print X.509
v1, v2, and v3 certificates, and PKCS#7-formatted certificate chains comprising
certificates of that type. The data to be printed must be provided in
binary (DER) encoding, or in printable encoding (also known as Base64
encoding, bounded by BEGIN/END CERTIFICATE lines) as defined in RFC 1421.
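The following script, added here as an example and not part of the Cisco BAC documentation or product, walks the whole procedure above (self-signed key pair, keytool -certreq, signing by the authority, keytool -printcert check, import of the CA certificate and the signed reply) against a throwaway local CA built with openssl, so it can be exercised offline. The scratch directory, keystore path, password, the demo-root-ca alias and the "Demo Root CA" and rdu.example.test subjects are invented for the example; classify_printcert applies the Owner/Issuer check to any pasted keytool -printcert output, including the sample shown above.

```shell
#!/bin/sh
# Added example (not Cisco BAC code): runs the CSR procedure end-to-end against
# a throwaway local CA. Requires keytool and openssl on PATH. All paths, the
# password, aliases and subject names below are invented for the example.

WORK=${WORK:-./csr-demo}            # scratch directory (assumption)
KEYSTORE="$WORK/rdu.keystore"       # stand-in for /opt/CSCObac/lib/security/.keystore
STOREPASS=${STOREPASS:-changeit}
ALIAS=${ALIAS:-rducert}

# Classify 'keytool -printcert' output by comparing the Owner and Issuer lines.
# Owner == Issuer means the certificate is self-signed (a root CA, or the
# keystore's original self-signed cert); anything else was signed by a CA.
classify_printcert() {
    owner=$(printf '%s\n' "$1" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$1" | sed -n 's/^Issuer: //p' | head -n 1)
    if [ -z "$owner" ] || [ -z "$issuer" ]; then
        echo "unparsable"; return 2
    fi
    if [ "$owner" = "$issuer" ]; then echo "self-signed"; else echo "ca-signed"; fi
}

# Stand-in for the signing authority: a self-signed root made with openssl.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=Demo Root CA/O=Example/C=IN" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Same starting point as the page: a JCEKS keystore holding a private key and
# a self-signed certificate under the alias.
make_selfsigned() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 90 \
        -dname "CN=rdu.example.test, OU=NMTG, O=Example, C=IN" \
        -storetype JCEKS -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# keytool -certreq: PKCS#10 request, written in Base64 (RFC 1421) encoding.
make_csr() {
    keytool -certreq -alias "$ALIAS" -file "$WORK/rdu.csr" \
        -storetype JCEKS -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# What the administrator does with the CSR: sign it with the CA key (SHA-256).
sign_csr() {
    openssl x509 -req -in "$WORK/rdu.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -sha256 -out "$WORK/rdu-signed.crt" 2>/dev/null
}

# The page's check, applied to a file: print the certificate and classify it.
check_file() {
    classify_printcert "$(keytool -printcert -file "$1")"
}

# Import order matters: the CA certificate first (as a trusted entry), then
# the signed reply under the key's own alias so keytool can match it to the
# private key and validate its chain against the trusted entry.
import_chain() {
    keytool -importcert -noprompt -alias demo-root-ca -file "$WORK/ca.crt" \
        -storetype JCEKS -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/rdu-signed.crt" \
        -storetype JCEKS -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Full run. Prints the classification of each certificate; returns non-zero if
# any step fails or the signed RDU certificate does not chain to the demo CA.
run_demo() {
    rm -rf "$WORK" && mkdir -p "$WORK" || return 1
    make_ca && make_selfsigned && make_csr && sign_csr || return 1
    echo "ca.crt:         $(check_file "$WORK/ca.crt")"          # self-signed
    echo "rdu-signed.crt: $(check_file "$WORK/rdu-signed.crt")"  # ca-signed
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/rdu-signed.crt" >/dev/null || return 1
    import_chain >/dev/null
}

# Run the live procedure only when asked, so the file can also be sourced
# just for classify_printcert (for example against a pasted -printcert dump).
if [ "${RUN_DEMO:-0}" = "1" ]; then
    run_demo
fi
```

Run it with RUN_DEMO=1 sh csr-demo.sh. The two classification lines are the point of the exercise: the CA certificate reports self-signed, exactly like the rootCA.crt sample above, while the certificate that came back for the CSR must report ca-signed with the CA's subject as Issuer; if both files report self-signed, the file you received is the authority's certificate and not your signed certificate.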