Setting Up a Server Certificate
Certificates are used with the HTTPS protocol to authenticate Web clients. The HTTPS service of the J2EE server will not run unless a server certificate has been installed. Use the following procedure to set up a J2EE server certificate.
- Generate a key pair and a self-signed certificate.
keytoolutility enables you to create the certificate. The
keytoolutility that ships with the J2EE SDK has the same syntax as the one that ships with the J2SE software. However, the J2EE SDK version programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
- To generate the certificate, run the
keytoolutility as follows, substituting
>with the alias of your certificate and <
keystore-filename> with the name of your keystore file:keytool -genkey -keyalg RSA -alias <
certificate-alias> -keystore <
keytoolutility prompts you for the following information:
- Keystore password: Enter a password. (You may want to use "
changeit" to be consistent with the default password of the J2EE SDK keystore.)
- First and last name: Enter the fully qualified name of your server. This fully-qualified name includes the host name and the domain name.
- Organizational unit: Enter the appropriate value.
- Organization: Enter the appropriate value.
- City or locality: Enter the appropriate value.
- State or province: Enter the unabbreviated name.
- Two-letter country code: For the USA, the two-letter country code is US.
- Key password for alias: Do not enter a password. Press the Return key.
- Import the certificate.
- If your certificate will be signed by a CA other than Verisign, you must import the CA certificate. Otherwise, you may skip this step. (Even if your certificate will be signed by Verisign Test CA, you must import it.)
- To import the certificate, perform these tasks:
- Request the CA certificate from your CA. Store the certificate in a file.
- To install the CA certificate in the Java 2 Platform, Standard Edition, run the
keytoolutility as follows. (You must have the required permissions to modify the
$JAVA_HOME/jre/lib/security/cacertsfile.)keytool -import -trustcacerts -alias <
ca-cert-alias> -file <
- If you want to have your certificate digitally signed by a CA, do the following:
- Generate a Certificate Signing Request (CSR).keytool -certreq -sigalg MD5withRSA -alias <
cert-alias> -file <
- Send the contents of the
>for signing. If you are using Verisign CA, go to
http://digitalid.verisign.com/. Verisign will send the signed certificate via e-mail. Store this certificate in a file.
- Import the signed certificate that you received in email into the server:keytool -import -alias <
cert-alias> -file <