Creating a keystore and importing your certificate
A keystore file is a special type of file that stores information about security certificates. The following procedure outlines the process for creating a Java Key Store (JKS) with a certificate signed by a Certificate Authority. If you purchased your security certificate from a commercial CA, such as VeriSign, consult the documentation they provide for information on configuring your keystore. If your certificate is in a format that cannot be imported into a keystore (e.g. PKCS12), and you cannot convert it to the PEM format, contact ACL Support Services for assistance with configuring the certificate in Geronimo.
In order to use the keytool command without specifying the full path each time you use it, you need to add the Java bin subdirectory to your path. You can do this permanently by updating the Path environment variable to include the full path to the Java bin subdirectory, or temporarily on the command line using the following syntax:
Set PATH=<java_bin_path>;%PATH%
For example:
Set PATH=C:\Program Files\Java\jdk1.7.0_67\bin\;%PATH%
To configure a new keystore with an SSL certificate:
- Open a command prompt on the server by typing cmd in the Start menu.
- Use the following syntax to create the new keystore with a self-signed certificate:
keytool -genkey -alias <alias> -keyalg RSA -keystore <keystore_filename>
- Create a certificate signing request using the following syntax, and then send the certificate request to the Certificate Authority you are using.
keytool -certreq -alias <alias> -keyalg RSA -file <csr_output_file> -keystore <keystore_filename>
- Depending on the CA you are using, you may need to import an intermediate certificate and/or root certificate into your keystore. Use the following syntax to import one or both of these certificates:
keytool -import -alias <alias> -keystore <keystore_filename> -trustcacerts -file <certificate_filename>
If you are importing both certificates, the alias specified for each certificate must be unique, and must differ from the alias you used in step 2. You need to first import the root certificate, and then run the keytool command again to import the intermediate certificate.
- Use the following syntax to import your security certificate:
keytool -import -alias <alias> -keystore <keystore_filename> -trustcacerts -file <certificate_filename>
The alias specified must be the same value specified in step 2 when you generated the keystore; keytool then treats the file as the signed reply for that key pair. The imported certificate replaces the default self-signed certificate created in the keystore.
- Copy the keystore file to the geronimo\var\security\keystores subfolder.
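As an added example (not part of the original procedure, nor code from ACL or Geronimo), the following Python script performs steps 4 and 5 non-interactively and then confirms, by parsing the output of keytool -list -v, that the alias from step 2 now holds a CA-signed chain rather than the self-signed placeholder. It assumes keytool is on the PATH, uses the aliases root and intermediate for the CA certificates, and passes the keystore password with -storepass instead of typing it at the prompt.

```python
import subprocess


def import_signed_chain(keystore, alias, root_pem, intermediate_pem, signed_pem, storepass):
    """Steps 4 and 5 in the order above: root, then intermediate, each under its own alias,
    then the CA-signed cert under the -genkey alias so it replaces the self-signed placeholder."""
    for entry_alias, pem in (("root", root_pem), ("intermediate", intermediate_pem), (alias, signed_pem)):
        subprocess.run(["keytool", "-import", "-alias", entry_alias, "-keystore", keystore, "-trustcacerts",
                        "-file", pem, "-storepass", storepass, "-noprompt"], check=True)  # raises if rejected
    listing = subprocess.run(["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass],
                             check=True, capture_output=True, text=True).stdout
    return check_listing(listing, alias)


def parse_listing(listing):
    """Parse `keytool -list -v` output into {alias: {"type", "chain_len", "owner", "issuer"}}."""
    entries, current = {}, {}
    for line in listing.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Alias name":
            current = entries.setdefault(value, {"chain_len": 1})  # trustedCertEntry prints no chain length
        elif key == "Entry type":
            current["type"] = value
        elif key == "Certificate chain length":
            current["chain_len"] = int(value)
        elif key in ("Owner", "Issuer") and key.lower() not in current:
            current[key.lower()] = value  # first Owner/Issuer lines describe the end-entity certificate
    return entries


def check_listing(listing, alias):
    """True only if `alias` holds a private key with a CA-signed chain (self-signed: length 1, owner == issuer)."""
    entry = parse_listing(listing).get(alias)
    if entry is None or entry.get("type") != "PrivateKeyEntry":
        return False
    return entry["chain_len"] > 1 and entry.get("owner") != entry.get("issuer")


# Constructed `keytool -list -v` excerpt showing a correct result after step 5 (not real output).
SAMPLE_LISTING = """Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: geronimo
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=acl.example.com, O=Example
Issuer: CN=Example Root CA
"""
```

If check_listing returns False after the import, the signed certificate was most likely imported under a different alias than the one used in step 2 and now sits beside the self-signed key entry instead of replacing it.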