Generating keystores and certificates for DWA
About this task
To enable DWA to use SSL or TLS, you need a keystore that contains a security certificate. You can purchase a keystore and certificate from a trusted certificate authority. Or for testing purposes, you can generate a keystore and certificate by using the Oracle Corporation Java™ keytool utility. As an alternative to that utility, you can use many resources on the Internet to create a certificate and install it on the Apache Tomcat server.
Keytool is a key and certificate management utility that is included with Java SE capability. Keys ensure data integrity and enable authentication services by using digital signatures. Certificates are digitally signed statements that indicate that the public keys and related information of an entity have a particular value. When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Key certificates can be cached for an application's communicating peers.
The -genkeypair command in the keytool utility generates a key pair. The key pair includes a public key and associated private key. The -genkeypair command wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry that is identified by an alias.
Procedure
To create a keystore and certificate, type the keytool command, as shown in this example:
keytool -genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg}
where:
- alias identifies the keystore entry for the certificate chain and the private key that are generated by this command.
- keysize specifies the size of each key that is generated. Set the keysize to at least 112 bits. If possible, set it to 2048 bits.
- keyalg specifies the algorithm that is used to generate the key pair. Set the keyalg algorithm to RSA.
- sigalg specifies the algorithm that is used to sign the self-signed certificate; this algorithm must be compatible with keyalg. Set the -sigalg argument to a valid SHA2 value. For example, if RSA is the value that is used with the -keyalg argument for the keytool command, use -sigalg SHA256withRSA. SHA384withRSA and SHA512withRSA are also valid values.
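The following script is an added example, not part of the original documentation or of the DWA product, that runs the procedure above end to end with the recommended values (RSA, 2048 bits, SHA256withRSA) and then reads the entry back with keytool -list to confirm that the keystore really contains what was asked for. The keystore file name, alias, store password, validity period and distinguished name are placeholders chosen for this example; the script skips generation when keytool is not on the PATH.

```shell
#!/bin/sh
# Added example: create a test keystore for DWA with keytool and verify its
# key size and signature algorithm. All names below are placeholders.

KEYSTORE="${KEYSTORE:-dwa-test.p12}"     # placeholder keystore file
ALIAS="${ALIAS:-dwa}"                    # placeholder alias for the entry
STOREPASS="${STOREPASS:-changeit}"       # placeholder password for testing only
DNAME="CN=dwa.example.com, OU=Test, O=Example, C=US"   # placeholder DN

# Generate a self-signed RSA key pair in a new keystore entry identified by $ALIAS.
# The options mirror the procedure: -keyalg RSA, -keysize 2048, -sigalg SHA256withRSA.
generate_keystore() {
    rm -f "$KEYSTORE"
    keytool -genkeypair \
        -alias "$ALIAS" \
        -keyalg RSA \
        -keysize 2048 \
        -sigalg SHA256withRSA \
        -validity 365 \
        -dname "$DNAME" \
        -storetype PKCS12 \
        -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" \
        -keypass "$STOREPASS"
}

# Print the verbose listing of the entry; this is what an operator would read
# to check the certificate before deploying the keystore to Tomcat.
describe_entry() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Return 0 only if the entry is a private-key entry whose public key is a
# 2048-bit RSA key and whose self-signed certificate uses SHA256withRSA.
verify_keystore() {
    out=$(describe_entry) || return 1
    echo "$out" | grep -q 'PrivateKeyEntry'     || return 1
    echo "$out" | grep -q '2048-bit RSA key'    || return 1
    echo "$out" | grep -q 'SHA256withRSA'       || return 1
    return 0
}

# Usage: sh generate-dwa-keystore.sh
if command -v keytool >/dev/null 2>&1; then
    if generate_keystore >/dev/null 2>&1 && verify_keystore; then
        echo "keystore $KEYSTORE OK: 2048-bit RSA key, SHA256withRSA"
    else
        echo "keystore $KEYSTORE does not match the recommended settings" >&2
    fi
else
    echo "keytool not found on PATH; install a Java SE JDK or JRE first" >&2
fi
```

The verification step matters because keytool silently falls back to its own defaults when an option is misspelled or omitted: an entry generated without -keysize or -sigalg may end up with a smaller key or an older signature algorithm than the procedure calls for, and the only way to know is to read the entry back, as verify_keystore does, before the keystore is handed to Tomcat.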