To configure your SSL server you create a server key ring
and certificate, export the server's signer certificate, and
transfer the server certificate to the client.
Create a server key ring and server certificate
Issue
the following command to create both the KeyStore and certificate:
keytool -genkey -alias aliasname -keysize numericvalue -dname distname
-keystore location -keypass password -storepass password
-keyalg algorithm
The options are:
- -genkey
- Generates a key pair and wraps the public key into a self-signed
certificate.
- -alias aliasname
- Defines the alias name that identifies the store containing the
self-signed certificate and private key.
- -keysize numericvalue
- Defines the size of the key.
- -dname distname
- Specifies the X.500 distinguished name to be associated with the
alias. This is used as the issuer and subject fields of the self-signed
certificate. The distinguished name consists of a number of fields
separated by commas in the following format:
Each strvalue is
a string value. The meaning of the abbreviations is as follows:
- cn = common name
- o = organization
- ou = organization unit
- l = city/locality
- s = state/province
- c = country name
An example of an X.500 distinguished name is shown here: Figure 1. An X.500 distinguished name"cn=someserver.location.ibm.com,o=IBM,ou=IBMGB,
l=Winchester,s=Hants,c=GB"
- -keystore location
- The key ring file
location. For example: ktserverss.jks
- -keypass password
- The password used to protect the private key. Set
this to the same value as the -storepass password,
to enable the CICS Transaction Gateway to
establish a connection over SSL.
- -storepass password
- The password used to protect the integrity of the key ring. Set
this to the same value as the -keypass password,
to enable the CICS Transaction Gateway to
establish a connection over SSL.
- -keyalg algorithm
- The algorithm to be used to generate the key pair.
An example
of this command is shown here:
Figure 2. Using
the keytool command
to create a key ring containing
a single self-signed certificatekeytool -genkey -alias exampleServerCert -keysize 1024
-dname "cn=vmware2.location.ibm.com,o=IBM,ou=IBMGB,l=Winchester,s=Hants,c=GB"
-keystore ktserverss.jks -keypass default -storepass default
-keyalg RSA
View the newly created certificate
Use
a command similar to the following to view all certificates in the
key ring,
including the one you just created:
keytool -list -keystore storename -storepass password -v
Where
the options are:
- -list
- List the contents of the key ring.
- -keystore storename
- The name of the key ring containing
the certificates you want to view.
- -storepass password
- The password needed to access the key ring.
- -v
- Show details of the certificates in the key ring.
An example of the
keytool command
to view certificates is shown here:
Figure 3. Using
the keytool command
to view certificateskeytool -list -keystore ktserverss.jks -storepass default -v
Export the server's signer certificatd
The
next step is to export the signer certificate and store it in a safe
place. This can then be imported into the repository of any client
that needs to connect to this SSL server.
The certificate is exported
by using the following instance of the
keytool command:
keytool -export -alias aliasname -keystore location
-storepass password -file filename -rfc
Where the options are:
- -export
- Export a certificate.
- -alias aliasname
- Name of the key (in the key ring)
to export.
- -keystore location
- The key ring location.
- -storepass password
- The password used to protect the integrity of the key ring.
- -file filename
- The name of the file to export the certificate to.
- -rfc
- Export the certificate in RFC format (Base64 encoded ASCII).
An example
of the
keytool command
to export a signer certificate is shown here:
Figure 4. Using
the keytool command
to export the signer certificatekeytool -export -alias exampleServerCert -keystore ktserverss.jks -storepass default
-file exampleServerCertKT.arm -rfc
Transfer the server certificate to the client
If
you use FTP to transfer the file, ensure that your FTP client is in ASCII mode.