Other certificates
Certificates that are needed for other functions are managed differently.
- Use the Security Proxy Wizard to manage the Security Proxy certificate.
- To generate other self-signed certificates or to import signed certificates to the Security Proxy, clients, or host systems, use the certificate features in those components.
- Use the HTTPS Certificate Utility to administer web certificates (for use with Tomcat) or to generate a Certificate Signing Request (CSR).
HTTPS Certificate Utility
This utility, which is available from the Start menu, installs or updates the certificate for the HTTP server functionality that is included with Management and Security Server. That certificate enables clients to establish secure (HTTPS) connections to the services that Management and Security Server provides.
The HTTPS Certificate Utility also provides the option to create a private key and a Certificate Signing Request (CSR).
How to Generate a Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a block of encoded text that is given to a Certificate Authority (CA) when applying for a TLS (SSL) certificate. The CSR contains identity information (the subject, including the server's domain name) and the public key of a key pair that you generate, and it is signed with the matching private key. The CA verifies that you control the domain name (and, depending on the type of certificate, the identity of the owner) and then issues a certificate carrying the CA's signature, which is what lets other computers verify the server's authenticity.
The CA uses the CSR to create your certificate; it does not need, and must never receive, your private key. Keep your private key secret.
Choose a method to generate a CSR and obtain a CA-signed certificate:
- Use the HTTPS Certificate Utility
- Use a Certificate Authority’s Instructions
- Use Commands for Keytool or Openssl Tool
Use the HTTPS Certificate Utility
To generate a CSR and a new private key:
- Open the HTTPS Certificate Utility from the Start menu. (It installs with Management and Security Server.)
- Proceed through the utility, and review your previous actions, if pertinent.
- On the Select a certificate action screen, select Generate a new key pair and Certificate Signing Request.
- Proceed through the screens to specify information for the certificate:
  - a Friendly Name
  - a Common Name
  - the certificate's organization and locality
  - the certificate's validity and key length
  - the directory that will store the private key and the CSR
  - the certificate store's File name, File type, and Password that will be used to store the private key and the CSR
- Note the Next steps, then quit the HTTPS Certificate Utility.
- Send the *.csr file from the directory you specified to the Certificate Authority (CA) of your choice. Do not send your private key.
- When the signed certificate is received from the CA (response time varies), return to the HTTPS Certificate Utility to import the certificate together with the private key that was generated in the previous steps.
- Proceed to the Select a certificate action screen, and select Import a certificate and private key.
- Enter the certificate store file name that you previously specified.
- Enter the keystore's password.
- Click Next to apply the configuration changes. Click Done to close the utility.
Use a Certificate Authority’s Instructions
To generate a CSR and obtain a CA-signed certificate, choose a CA, follow their instructions, and use the tools they provide. Examples include DigiCert, GeoTrust, and Thawte.
CAs provide detailed instructions for common tools such as keytool and openssl, and some offer their own tools for download. A CSR can also be created entirely online; for example, see SSL Tools. Whatever tool you use, the private key should be generated on the server that will use the certificate and should never leave it.
Use Commands for Keytool or Openssl Tool
If you cannot use the HTTPS Certificate Utility or follow a CA's instructions, you can run keytool manually to perform the three steps: generate a key pair, generate a CSR, and import the CA's response into the same keystore entry.
From the mss/server folder, run the following commands. The commands load the Bouncy Castle FIPS provider from the ./lib folder; if your shell does not expand the bc-fips-*.jar wildcard (for example, the Windows command prompt), replace it with the actual file name of the jar in ./lib. Use the same alias (server here) in all three steps so that the CA's response is attached to the key pair it was issued for.
- Generate a key pair (keytool prompts for the distinguished name and for the keystore and key passwords):
../jre/bin/keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.bcfks \
-storetype bcfks -providername BCFIPS -providerpath ./lib/bc-fips-*.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
- Generate a CSR (server.csr is the file to send to the CA):
../jre/bin/keytool -certreq -alias server -keyalg RSA -file server.csr -keystore keystore.bcfks \
-storetype bcfks -providername BCFIPS -providerpath ./lib/bc-fips-*.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
- Import the response from the CA (careply is the file the CA returned; -alias server makes keytool treat it as the reply for the key pair generated above rather than as a new trusted certificate):
../jre/bin/keytool -importcert -trustcacerts -alias server -file careply -keystore keystore.bcfks \
-storetype bcfks -providername BCFIPS -providerpath ./lib/bc-fips-*.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Or, you can use the openssl tool to generate the key and CSR, and later bundle the CA's response with the key, in two steps:
- Generate a key and a CSR (the -nodes option writes server.key unencrypted, so restrict the file's permissions and keep it on the server):
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
- Combine the response from the CA with the private key in a PKCS#12 keystore (careply is the file the CA returned; if the CA also supplies intermediate certificates, include them with the -certfile option so that the keystore holds the complete chain):
openssl pkcs12 -export -out keystore.p12 -in careply -inkey server.key
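The following POSIX shell functions are an added example, not part of the product documentation or of Management and Security Server. They wrap the openssl steps above and add the two checks a practitioner wants around a CSR-based request: that the CSR is well-formed and carries the public key of the private key you keep (before it is sent), and that the CA's reply was issued for that same key (before it is imported), followed by the PKCS#12 bundling step. Assumptions: openssl 1.1.1 or later is on PATH; the function names, the Example Corp subject, and the file layout (server.key, server.csr, careply and keystore.p12 in one directory) are this example's own choices. The throwaway CA in mss_fake_ca_sign exists only so the flow can run offline; in practice you send server.csr to your real CA and receive careply from it.

```shell
#!/bin/sh
# Added example (not part of the product documentation): openssl CSR workflow
# with the checks done before the CSR leaves the machine and before the CA's
# reply is trusted. Assumes openssl >= 1.1.1; names and file layout are ours.

# SHA-256 fingerprint of a PEM public key read from stdin, computed over its
# DER encoding so the same key always yields the same value.
mss_pub_fp() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Generate a 2048-bit RSA key and a CSR for host name $2 in directory $1.
# umask 077 runs in a subshell so only these files are affected (mode 0600).
mss_make_csr() {
  mkdir -p "$1"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/C=US/O=Example Corp/CN=$2" -addext "subjectAltName=DNS:$2" \
      -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null )
}

# Check a CSR before sending it: its self-signature must verify and the public
# key inside it must belong to the private key we keep.
# Prints "invalid", "match" or "mismatch".
mss_check_csr() {
  openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1 || { echo invalid; return 0; }
  kfp=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null | mss_pub_fp)
  cfp=$(openssl req -in "$1/server.csr" -noout -pubkey 2>/dev/null | mss_pub_fp)
  [ -n "$kfp" ] && [ "$kfp" = "$cfp" ] && echo match || echo mismatch
}

# Test scaffolding only: a throwaway CA signs the CSR so the rest of the flow
# runs offline. A real deployment sends server.csr to its CA instead.
mss_fake_ca_sign() {
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/O=Example Corp/CN=Example Test CA" \
      -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null )
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$1/careply" 2>/dev/null
}

# Check the CA's reply ($2) before importing it: the certificate must carry the
# public key of private key $1, otherwise it was issued for a different CSR.
mss_check_reply() {
  kfp=$(openssl pkey -in "$1" -pubout 2>/dev/null | mss_pub_fp)
  rfp=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | mss_pub_fp)
  [ -n "$kfp" ] && [ "$kfp" = "$rfp" ] && echo match || echo mismatch
}

# Bundle careply + private key + the CA chain file $3 into a password-protected
# PKCS#12 keystore, then confirm it opens with password $2. Prints "ok".
mss_bundle_p12() {
  ( umask 077
    openssl pkcs12 -export -in "$1/careply" -inkey "$1/server.key" -certfile "$3" \
      -passout "pass:$2" -out "$1/keystore.p12" 2>/dev/null ) || return 1
  openssl pkcs12 -in "$1/keystore.p12" -passin "pass:$2" -noout 2>/dev/null && echo ok
}

# Stand-alone demo: MSS_DEMO=1 sh csr_checks.sh
if [ "${MSS_DEMO:-0}" = 1 ]; then
  d=$(mktemp -d)
  mss_make_csr "$d" mss.example.com
  echo "csr:    $(mss_check_csr "$d")"
  mss_fake_ca_sign "$d"
  echo "reply:  $(mss_check_reply "$d/server.key" "$d/careply")"
  echo "bundle: $(mss_bundle_p12 "$d" changeit "$d/ca.crt")"
fi
```

The fingerprints are compared over the DER-encoded public key rather than over PEM text, so the check is unaffected by line wrapping or header differences between the files. A "mismatch" from mss_check_reply is the signal that the CA returned a certificate for a different request (for instance after the key was regenerated), which is exactly the situation in which a keytool or utility import would fail or, worse, leave a certificate that no private key can serve.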