Creating a New SSL Certificate Using Keytool

Following page demonstrate step-by-step instructions for creating an SSL certificate. An SSL certificate can be purchased from a certificate authority (CA). You can use any CA that supports a certificate for Java/Tomcat.

Prerequisite:

Java SDK 1.8 or above must be installed before you can generate your CSR. Once installed, you will be using the "keytool" command to create your key pair and CSR.

Steps

Very Important

We strongly recommend running the following commands in a clean folder that does not have any files. A very common problem that users run into occurs when the first command is run in folderA and third is run in folderB.

We also recommend adding keytool in your $PATH variable so you don't have to explicitly type the location where it is saved.
Generating a private/public key pair
  1. Open a console (DOS prompt) on Windows or Terminal on Linux/Unix.
  2. Enter the following command.
    keytool -keysize 2048 -genkey -alias xeams -keyalg RSA -keystore synametrics.cert
    
  3. You will be prompted for a password. You will need this password later on.
  4. Enter Distinguished Name (DN) information:
    • First and last name - This is the Common name: The common name is the fully-qualified domain name (FQDN), Host name, or URL - to which you plan to apply your certificate. Do not enter your personal name in this field.
    • Organizational unit - Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.
    • City/Locality - Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.
    • State/Province - Name of state or province where your organization is located. Please enter the full name. Do not abbreviate.
    • Country code - The two-letter International Organization for Standardization- (ISO-) format country code for the country in which your organization is legally registered.
  5. Confirm that the Distinguished Name information is correct.

This steps creates a keystore, which is a file that holds certificates.

Generating a CSR

Next step is to submit a CSR (SSL Certificate Signing Request) to a certificate authority.
  1. Enter the following command:
    keytool -certreq -keyalg RSA -alias xeams -file xeams.csr -keystore synametrics.cert
    
  2. Enter the keystore password you specified earlier.
  3. This creates a new file called xeams.csr. Open this file in any editor like Notepad.
  4. Cut/copy and paste the generated CSR into enrollment form of your certificate authority.
  5. Select Tomcat as your server software.


Submitting CSR and waiting for response

Once you submit a CSR to a certificate authority, you have to wait for their response. It could take anywhere from a few minutes to up to two days before you get a response. The response from the certificate authority typically includes an attached file containing your certificate. Some vendors also ask you to download the certificate from a secure website rather than emailing them to you.

You will probably get more than one file from the certificate authority. An SSL certificate creates a trust relationship by creating a chain of certificates. This is analogous to saying that you trust person A, but not C. However, person A trusts person B, who then trusts C. Therefore, it is okay to trust C.

Every file you get from a certificate authority must be added to the keystore you create in the first step.

Adding certificates to the keystore

You must add certificates in the order specified by the certificate authority. The following example shows how to add a root certificate, two intermediate certificates, and finally the actual certificate that is create for you.

Importing Root Certificate

keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore synametrics.cert


Now add two intermediary certificates. Replace File1 and File2 with actual values provided to you.
keytool -import -trustcacerts -alias Alias1 -file File1.crt -keystore synametrics.cert
keytool -import -trustcacerts -alias Alias2 -file File2.crt -keystore synametrics.cert
Finally, add the actual certificate that is meant for your copy of Xeams using the following command.
keytool -import -trustcacerts -alias xeams -file yourCertificate.crt -keystore synametrics.cert
Final Step

  • Connect to your Admin Console as admin
  • Click Manage SSL Certificate under Server Configuration.
  • Ensure the file name is correct
  • Enter the password you used for the keystore
  • Save and restart Xeams.