15.2. Generate encryption keys and certificate
15.2.1. Generate a self-signed certificate with keytool
15.2.1.1. Generate a key pair
The key pair will be stored in a key store named localhost.keystore. You will need to make this key store available to the EJB3 invoker on the server. The key pair in our example will be saved in the key store under the alias 'ejb-ssl'. We will need this key alias, and the key pair password you supply (if any), when configuring the EJB3 Remoting connector in Create a secure remoting connector for RMI.
Procedure 15.1. Generate a new key pair and add it to the key store "localhost.keystore" in the JBoss server conf directory.
- The following command will create a key pair for use with SSL encryption:
keytool -genkey -alias ejb-ssl -keystore localhost.keystore -storepass KEYSTORE_PASSWORD -keypass EJB-SSL_KEYPAIR_PASSWORD -dname "CN=SERVER_NAME,OU=QE,O=example.com,L=Brno,C=CZ"
Result: A key pair will be added to the key store localhost.keystore under the alias ejb-ssl. The parameters for this command are explained in keytool parameters.
keytool parameters
- alias
- An alphanumeric token that identifies the key pair within the key store. A key store can contain multiple keys, so the alias must be unique within a key store.
- keystore
- The key store that will be used to store the key pair. This can be a relative or absolute file path.
- storepass
- The password for key store. If the key store already exists, this must be the existing password for the key store. If the key store specified does not already exist, it will be created and this password will be the new password. This password is needed to access the key store to retrieve or store keys and certificates.
- keypass
- The password for the new key pair. This password must be supplied to use the key pair in the future.
- dname
- The identifying details of the certificate.
- CN
- Common Name: the name of the server. This must match the server name as returned to clients in a JNDI lookup. If a client attempts to make an SSL connection to the server using one name from JNDI, and receives a certificate with a different name, the connection will fail.
- OU
- Organizational Unit: the name of the organizational unit that is responsible for the server.
- O
- Organization: the name of the organization, sometimes expressed as a URL.
- L
- Location: the location of the server.
- C
- Country: the two-letter country code.
Note
If no -keystore option is given, keytool adds the key pair to a new key store called .keystore in the current user's home directory. This key store file is a hidden file.
15.2.1.2. Export a self-signed certificate
Export the self-signed certificate for the ejb-ssl key from the key store named localhost.keystore.
Procedure 15.2. Export a certificate
- Issue the following command:
keytool -export -alias ejb-ssl -file mycert.cer -keystore localhost.keystore
- Enter the key store password.
Result: A certificate is exported to the file mycert.cer.
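The following script is an added example, not part of the JBoss guide: it runs Procedure 15.1 and Procedure 15.2 non-interactively and then reads the exported certificate back to confirm that its CN is the server name clients will obtain from JNDI, which is the mismatch that would otherwise break the SSL connection. The server name, passwords, file names and the RUN_KEYTOOL switch are placeholders chosen here, not values from the guide.

```shell
# Added example (not from the JBoss guide). Runs Procedure 15.1 and 15.2
# non-interactively and checks the exported certificate's CN against the
# server name. Names, passwords and paths are placeholders; override them
# through the environment.
SERVER_NAME="${SERVER_NAME:-localhost}"   # must equal the host name JNDI gives clients
KEYSTORE="${KEYSTORE:-localhost.keystore}"
STOREPASS="${STOREPASS:-KEYSTORE_PASSWORD}"
KEYPASS="${KEYPASS:-EJB-SSL_KEYPAIR_PASSWORD}"
CERT_FILE="${CERT_FILE:-mycert.cer}"

# Pull the CN out of a keytool "Owner:" line (or any comma-separated dname).
cn_of() {
  printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Procedure 15.1: create the key pair under alias ejb-ssl.
generate_keypair() {
  keytool -genkey -alias ejb-ssl -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$KEYPASS" \
    -dname "CN=$SERVER_NAME,OU=QE,O=example.com,L=Brno,C=CZ"
}

# Procedure 15.2: export the self-signed certificate; the store password is
# passed on the command line instead of being typed at the prompt.
export_cert() {
  keytool -export -alias ejb-ssl -file "$CERT_FILE" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Read the exported certificate back and compare its CN with SERVER_NAME.
verify_cert() {
  owner=$(keytool -printcert -file "$CERT_FILE" | grep '^Owner:')
  cn=$(cn_of "$owner")
  if [ "$cn" != "$SERVER_NAME" ]; then
    echo "CN '$cn' does not match server name '$SERVER_NAME'" >&2
    return 1
  fi
  echo "certificate CN '$cn' matches server name '$SERVER_NAME'"
}

run_all() {
  generate_keypair && export_cert && verify_cert
}

# Only touch the key store when keytool is present and the caller opts in.
if [ "${RUN_KEYTOOL:-0}" = 1 ] && command -v keytool >/dev/null 2>&1; then
  run_all
fi
```

Run it as `RUN_KEYTOOL=1 SERVER_NAME=your.server.name sh thisscript.sh` from the JBoss server conf directory; a non-zero exit means the CN in mycert.cer does not match the name clients will use.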