Configuring Rational Change to use SSL certificates signed by a certifying authority

If SSL connections are made only with partners who already trust your identity and to whom you can hand your self-signed certificate out of band, self-signed certificates may be adequate. A certificate signed by a certifying authority (CA) that the clients already trust is accepted without that manual distribution, so it is the better choice for browsers and other clients you do not control.

Before you begin

Generate the keystore files.

Procedure

  1. Generate a Certificate Signing Request (CSR).

    Before ordering an SSL certificate, you must generate a CSR on your server. A CSR is a base64-encoded (PEM) block of text, not an encrypted one: it contains your public key and the identifying information for your company and domain name, and it is signed with the corresponding private key, which never leaves the keystore.

    Use this command to generate a CSR in PKCS#10 format. Use the same alias that you used when you generated the key pair; keytool prompts for the keystore password.

    keytool -certreq -v -keystore keystore_file -alias machinename -file certreq_file

    For example:

    keytool -certreq -v -keystore "/usr/local/rc53/rc.keystore" -alias hawk -file rc.csr

    Submit the CSR to the CA. The CA verifies the identity of the requestor out of band and returns a certificate, or a certificate chain that also contains the intermediate CA certificates. Use this certificate or certificate chain to replace the existing chain in the keystore, which at this point consists only of the self-signed certificate.

  2. Replace your self-signed certificate with the certificate or certificate chain returned by the CA.
    1. Import every certificate in the trusted CA chain (the root and any intermediates) into your keystore, giving each one a unique alias.

      keytool uses these entries to verify the CA's signature on your certificate and to build the chain when it imports the CA reply in the next step. keytool shows the fingerprint of each certificate and asks whether to trust it; compare the fingerprint with the one the CA publishes before you answer yes.

      keytool -import -v -trustcacerts -alias unique_alias -file CA_certificate_file -keystore keystore_file

      For example:

      keytool -import -v -trustcacerts -alias root1 -file root1.certificate -keystore "/usr/local/rc53/rc.keystore"

    2. Import the certificate that the CA returned, using the same alias as the key pair that the CSR was generated for (machinename in step 1). keytool then treats the file as a certificate reply and replaces the self-signed certificate in that key entry with the new chain. If you use a different alias, keytool stores the file as a separate trusted-certificate entry, the key entry keeps its self-signed certificate, and the web server continues to present the old certificate.

      keytool -import -v -alias machinename -file your_certificate_file -keystore keystore_file

      Note: This command does not contain the -trustcacerts argument. keytool verifies the reply against the CA certificates that you imported into the keystore in the previous step. If it cannot build a complete chain from your certificate to one of them, it either fails because the chain cannot be established or, for a chain reply whose top certificate is unknown, asks whether to install the reply anyway. In both cases, import the missing CA certificate first rather than forcing the install.

      For example:

      keytool -import -v -alias hawk -file rc.certificate -keystore "/usr/local/rc53/rc.keystore"

      After the import, list the entry with keytool to confirm that its certificate chain length is now greater than 1 and that the first certificate in the chain is issued by the CA.

What to do next

Modify the web server.
