To generate a Certificate Signing Request (CSR) you will first need to create a keystore for your Oracle system. Oracle systems such as Tomcat or WebLogic use keystores for their web server certificate configuration. If you lose the keystore file or the password to access it, your SSL Certificate will no longer match its private key and you will need to replace the certificate.
Note: Keystores created in an Oracle Keytool or Tomcat type environment can be heavily customized. Below are generalized instructions. The file names and alias names used can be chosen to fit your own environment; adjust these instructions accordingly.
If you do not want to be thrown back into the stone age managing a keystore from the command line with keytool… there is a third-party graphical tool that can be used instead. Follow the SSLSupportDesk guide to keystore creation using our Portecle Guide.
To generate a keystore with Keytool for the various Oracle systems that use .jks keystores, perform the instructions listed below.
Step 1: Create a Keystore:
- Create a certificate keystore and private key by executing the following command:
Note: You will specify a Privatekey Alias. This Alias will be used for CSR creation and eventually installation of the SSL Certificate.
keytool -genkey -alias create_Privatekey_Alias -keyalg RSA -keystore path_and_create_KeystoreFilename.jks -keysize 2048
- Enter and re-enter a keystore password.
Note: You will need this password later for installation and for whatever Oracle type system you plan on installing this keystore file into. In addition, remember the Alias Name of your private key; you will need it for installation.
- Fill out the applicable information:
- First and Last Name? (this is keytool's prompt for the Common Name, CN): The Common Name is the Host + Domain Name. It looks like “www.mydomain.com” or “company.com”.
- Organizational Unit (OU): This field is optional, but it can be used to help identify certificates registered to an organization. The Organizational Unit (OU) is the name of the department or organizational unit making the request.
- Organization (O): If your company or department name contains an &, @, or any other symbol that requires the shift key, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation.
- Locality or City (L): The Locality field is the city or town name, for example: Boston
- State or Province (S): Spell out the state or province name completely; do not abbreviate it, for example: New York
- Country Name (C): Use the two-letter country code without punctuation, for example: US or CA.
- Confirm or reject the details by typing “Yes” or “No” and pressing Enter.
Step 3: Creating your CSR from your keystore:
- The CSR is then created using the following command:
keytool -certreq -keyalg RSA -alias your_privatekey_alias -file your_csr_file.csr -keystore your_keystore_filename.jks
Your CSR has been created and is ready for you to copy and paste its contents into the enrollment portal.
- Create a copy of the keystore file. Having a backup of the keystore at this point helps resolve installation issues that can occur when importing the certificate into the original keystore file.
- To copy and paste the contents of your_csr_file.csr into the enrollment form or the Reissue/Replace form, open the file in a plain text editor that does not add extra characters (Notepad or Vi are recommended).
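The Step 1 and Step 3 commands above, scripted so the prompts are answered from arguments instead of interactively, as an added example that is not from the original article or Acmetek's own tooling. It assumes a JDK keytool on PATH; the alias, DN values, file names and the KEYSTORE_PASS variable are placeholders to replace for your environment.

```shell
#!/bin/sh
# Added example: non-interactive version of the keystore + CSR steps described above.
# Assumptions: keytool is on PATH; alias, DN, file names and KEYSTORE_PASS are placeholders.

make_keystore_and_csr() {
  # $1 = directory to write into, $2 = private key alias, $3 = host name used for CN and SAN
  dir=$1; alias=$2; host=$3
  ks="$dir/keystore.jks"
  csr="$dir/$host.csr"

  # The password is read from the environment (-storepass:env) instead of being typed
  # on the command line, so it does not end up in shell history or in `ps` output.
  : "${KEYSTORE_PASS:?set KEYSTORE_PASS before running}"

  # Step 1: keystore and private key. -genkeypair is the current name of -genkey.
  # -storetype JKS is explicit because JDK 9+ otherwise writes PKCS12 even into a .jks file.
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
    -storetype JKS -keystore "$ks" \
    -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
    -dname "CN=$host, OU=IT, O=Example Corp, L=Boston, ST=Massachusetts, C=US" \
    >/dev/null 2>&1 || return 1

  # Step 3: the CSR. A SAN extension is added because browsers and public CAs
  # match the host name against SAN, not against CN alone.
  keytool -certreq -alias "$alias" -keystore "$ks" \
    -storepass:env KEYSTORE_PASS -file "$csr" \
    -ext "SAN=dns:$host" >/dev/null 2>&1 || return 1

  # Keep a pristine copy before any certificate import touches the original keystore.
  cp "$ks" "$ks.backup" || return 1
  echo "$csr"
}

# Print the subject the CA will see, so the DN can be checked before enrollment.
show_csr_subject() {
  keytool -printcertreq -file "$1" | grep -i 'subject'
}
```

Run it as `KEYSTORE_PASS=... ./script.sh` after adding a call such as `make_keystore_and_csr /etc/pki tomcat www.example.com`, then paste the printed .csr file into the enrollment form.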
Step 4: Installing your SSL Certificate.
When you get your SSL Certificate back from the CA, you will then have to install the SSL Certificate and any Intermediate CA chain files given to you into the original keystore used for CSR creation.
There are two types of installation for keystores using keytool.
- If the CA gives you an x509 version of your SSL Certificate:
Follow Tomcat x509 SSL Installation steps 1, 2, & 3
- If the CA gives you a pkcs7 version of your SSL Certificate:
Follow Tomcat pkcs7 SSL Installation steps 1, 2, & 3
If all goes well with the SSL Certificate installation after performing steps 1, 2, & 3 of the respective installation strategy, you are free to move and configure any systems where the .jks keystore is needed.
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.
For more information, please refer to Keytool Support.