Process for Creating Self-Signed Server Certificate
Generate a New Certificate
Generate a new certificate for use with the Secure Sockets Layer protocol’s public key encryption using the command:
% <JDKInstallDir>/bin/keytool -genkeypair -alias myname -storetype PKCS12 -keystore <ServerInstallDir>/data/tls/certificate.p12 -keyalg RSA
where
-genkeypair: generates a new key pair.
-alias: the name to associate with the new key entry in the keystore.
-storetype: the format of the keystore, for example PKCS12.
-keystore: the pathname of the keystore.
-keyalg: the algorithm used to generate the key pair, for example RSA.
When you run the command, you are prompted for additional information, such as the keystore and certificate passwords. For details on these prompts, see the keytool documentation at https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html.
Generate a Certificate Signing Request
To generate a certificate signing request (CSR), and then send the request to a CA, use the command:
% <JDKInstallDir>/bin/keytool -certreq -alias myname -storetype PKCS12 -keystore <ServerInstallDir>/data/tls/certificate.p12 -file data/tls/certificate.csr
where
-certreq: generates a CSR.
-alias: the name of an existing entry in the keystore from which the CSR is created; this is the alias specified in the previous step.
-file: the path of the file to which the CSR is written.
The CSR must include the following information:
Keystore password
First and last name — This should be the fully-qualified domain name of the host machine.
Organizational unit or department name
Organization name
City or locality
State or province
Two-letter country code, for example, CA or US
Key pair password if the password is different from the keystore password
Retrieving the Signed Certificate
When you retrieve the signed certificate from the CA, ensure that it is in one of these formats: DER encoded binary X.509 (.der / .cer), Base-64 encoded X.509 (.pem / .cer), or PKCS #7 Certificate (.p7b). Ensure that every certificate in the certification path is in one of these formats. If a Verisign Custom Root CA or Custom Intermediate CA is used, do one of the following:
Import the custom Root CA or custom Intermediate CA certificates into the certificate.p12 keystore using the following command:
% <JDKInstallDir>/bin/keytool -importcert -alias <alias> -storetype PKCS12 -keystore <ServerInstallDir>/data/tls/certificate.p12 -file <custom_ca_certificate>
where
-importcert — imports the certificate.
-alias — specifies the name of the existing key entry in the keystore. This name is the name specified in the previous step.
-file — specifies the path of the custom CA certificate file to import.
Alternatively, obtain the signed server certificate from the CA as a PKCS #7 certificate (.p7b).
If a custom Root CA or custom Intermediate CA is used, import its certificates into the jssecacerts keystore of the Windchill JDK environment, for example:
% <JDKInstallDir>/bin/keytool -importcert -alias <alias> -keystore <JDKInstallDir>/lib/security/jssecacerts -file <custom_ca_certificate>
where
-importcert — imports the certificate.
-alias — specifies the name of the existing key entry in the keystore. This name is the name specified in the previous step.
-file — specifies the path of the custom CA certificate file to import.
The command prompts for a keystore password. If the jssecacerts keystore does not exist yet, the password you enter becomes its initial password.
If the Certification Authority (CA) has updated its own Root CA certificate or Intermediate CA certificates, they must be added to the jssecacerts keystore. All the relevant CA certificates must be present in the jssecacerts keystore.
Import the Certificate
To import the certificate into the keystore, use the command:
% <JDKInstallDir>/bin/keytool -importcert -alias myname -storetype PKCS12 -keystore /data/tls/certificate.p12 -file data/tls/certificate.pem
where
-importcert — specifies the process to import the certificate response.
-alias — specifies the name of the key entry in the keystore. This name is the name specified in the previous step.
-file — specifies the path from which to read the CA response.
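Before running the import commands above, a practitioner usually wants to confirm that the CA response is really in one of the three accepted encodings (DER X.509, Base-64 X.509, PKCS #7) and that the command line carries plain ASCII hyphens rather than the typographic dashes a copy from a rendered page can pick up. The following added example (not part of the product documentation) does both with the standard library only; the `myname` alias and `<ServerInstallDir>/data/tls/certificate.p12` keystore path are taken from this page, and `check_and_build` is a hypothetical helper name.

```python
"""Pre-flight for `keytool -importcert`: classify a CA response as DER X.509,
PEM X.509 or PKCS #7 and build the import argv with ASCII hyphens (added example)."""
from __future__ import annotations
import re
import shlex
import sys

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
PEM_PKCS7 = re.compile(rb"-----BEGIN PKCS7-----.*?-----END PKCS7-----", re.S)
# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.1.7.2 (pkcs7-signedData), found just after the outer SEQUENCE of a .p7b
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

def detect_format(data: bytes) -> tuple[str, int]:
    """Return (encoding label, certificate count). The count is only known for PEM
    X.509 bundles (one BEGIN/END block per certificate); other encodings report 0 or 1."""
    if PEM_PKCS7.search(data):
        return "pkcs7-pem", 0
    n = len(PEM_CERT.findall(data))
    if n:
        return "x509-pem", n
    if data[:1] == b"\x30":  # DER SEQUENCE: either a Certificate or a PKCS #7 ContentInfo
        return ("pkcs7-der", 0) if SIGNED_DATA_OID in data[:32] else ("x509-der", 1)
    return "unsupported", 0

def importcert_cmd(jdk_dir: str, alias: str, keystore: str, cert_file: str,
                   storetype: str | None = None) -> list[str]:
    """argv for `keytool -importcert`. Rejects en/em dashes, which keytool would
    treat as unknown options instead of flags."""
    argv = [f"{jdk_dir}/bin/keytool", "-importcert", "-alias", alias]
    if storetype:
        argv += ["-storetype", storetype]
    argv += ["-keystore", keystore, "-file", cert_file]
    bad = [a for a in argv if "\u2013" in a or "\u2014" in a]
    if bad:
        raise ValueError(f"non-ASCII dash in argument(s): {bad}")
    return argv

def check_and_build(path: str, jdk_dir: str, alias: str, keystore: str) -> list[str]:
    """Read the CA response from disk, refuse unsupported encodings, return the command."""
    with open(path, "rb") as fh:
        label, count = detect_format(fh.read())
    if label == "unsupported":
        raise SystemExit(f"{path}: not DER/PEM X.509 or PKCS #7; convert it before importing")
    print(f"{path}: {label}, {count} PEM certificate(s) found")
    return importcert_cmd(jdk_dir, alias, keystore, path, storetype="PKCS12")

if __name__ == "__main__":  # usage: script.py <ca_response> <JDKInstallDir> <ServerInstallDir>
    resp, jdk, srv = sys.argv[1:4]
    print(shlex.join(check_and_build(resp, jdk, "myname", f"{srv}/data/tls/certificate.p12")))
```

The script only prints the command it would run; copy it into the shell once the reported encoding and certificate count match what the CA was expected to return.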
Importing Certificates from a Custom Root Certificate Authority
If a custom Root CA or custom Intermediate CA is used, import its certificates into the jssecacerts keystore of the JDK environment of the Windchill client. Import the certificates before connecting to the Windchill server, using the command:
% <JDKInstallDir>/bin/keytool -importcert -alias <alias> -keystore <JDKInstallDir>/lib/security/jssecacerts -file <custom_ca_certificate>