Important notes before you start

The private key is generated at the same time as the CSR. If you lose the private key, or forget the password that protects it, the certificate issued to you cannot be installed; you would have to generate a new private key and CSR and request a free reissue. By far the most common problem users run into during this process concerns the private key. To avoid it, back up the keystore file that holds the private key and make a note of the private key password as soon as the CSR is generated, and do not move or rebuild the server between submitting the CSR and receiving the certificate.

The private key (keyentry) and the CSR are generated with the "keytool" utility, which ships with the Sun JDK. If you do not have a JDK installed, download one from http://java.sun.com/j2se/downloads.html; this guide was written against the release that was current at the time, 1.5.0.

Tomcat supports keystores in JKS and PKCS#12 format. JKS is Java's standard "Java KeyStore" format and is what the keytool command-line utility produces; PKCS#12 is a general format that can be produced or converted with the OpenSSL toolkit. This guide covers only the JKS format via keytool. The following sequence of commands generates a keystore and a keyentry.
1. Generate the keystore and keyentry

At the command prompt, type:

    keytool -genkey -alias [keyentry_name] -keyalg RSA -keystore [keystore_name]

Note: if you omit the -keystore parameter, the keystore is saved to your user profile directory as a file named .keystore (for example C:/Documents and Settings/your name/.keystore).

You are first prompted for a keystore password. The default password Tomcat expects is "changeit"; you may choose a password of your own, but be sure to remember it.

Next you are asked "What is your first and last name?". Do not enter a personal name: this field becomes the name the certificate is bound to, so enter the exact host and domain name you want to secure. If you need a certificate for www.mydomain.com, enter www.mydomain.com (the host www plus the domain mydomain.com), not just mydomain.com. The SSL certificate is strictly bound to the name entered here.
If you enter only mydomain.com, the certificate issued to you works without errors only on https://mydomain.com; when you or your users open https://www.mydomain.com, the browser reports a certificate name mismatch.

Next, enter your organizational unit, organization name, city or locality, state or province, and country code. The country code is the two-letter abbreviation (CN for China; other countries use their own code). The organization name must match the name on your company registration documents exactly, because WoTrust verifies the company name, not the organizational unit. The organizational unit (OU) is optional; press Enter to skip it. Apart from the country code, which must be the two-letter abbreviation, the other fields may be entered in English or Chinese.

Finally you are prompted for the keyentry password, which protects the private key. Use the same password for the keystore and the keyentry; otherwise Tomcat fails when you restart it with:

    java.security.UnrecoverableKeyException: Cannot recover key

Be sure to remember this password.

2. Generate the CSR

At the command prompt, type:

    keytool -certreq -alias [keyentry_name] -file request.csr -keystore [keystore_name]

The CSR file (request.csr) is written to the directory you ran keytool from, normally jdk/bin. You have now created a public/private key pair: the private key (keyentry) stays inside the keystore file created in step 1, and the public key is sent to WoTrust in the CSR to be signed.
The CSR is a plain-text file: a base64 block enclosed in "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----" lines. The private key remains in your keystore and is used for decryption; the public portion is sent to WoTrust in the form of a Certificate Signing Request (request.csr) and, once signed and returned as your certificate, is used by your users' browsers to set up encrypted connections to your site.

3. Back up the private key

Back up the keystore file and make a note of the private key password. A good choice is to copy the keystore to a floppy disk, CD or other removable media kept apart from the server. Anyone who holds the keystore file together with its password can impersonate your site, so restrict access to the backup as strictly as to the server itself.

4. Test the CSR and submit it to WoTrust

After the CSR is generated, test that the file is well formed with the CSR checker on the WoTrust site, then send the CSR to WoTrust to start the certificate enrollment process. Do not move or rebuild the server while you wait for the certificate to be issued.
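The four steps above, run non-interactively as one script, with the checks a practitioner wants before sending the CSR: that the keyentry is really a private key under the expected name, that the CSR is well formed (and self-consistent, when openssl is available), that the backup copy can be opened, and a demonstration of the "Cannot recover key" failure that the text warns about. This is an added example, not part of the WoTrust guide; it assumes a current JDK whose keytool supports -genkeypair, -dname and -ext (JDK 7 or later) rather than the 1.5.0 release the guide names. The host name, organisation, alias "tomcat", passwords and file locations are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the WoTrust guide): keystore + keyentry, CSR,
# backup and checks for a Tomcat JKS keystore. Assumes a JDK 7+ keytool on
# PATH; openssl is optional. Host, organisation, alias, passwords and paths
# are hypothetical placeholders.
set -eu

HOST="www.mydomain.com"             # exact host + domain to secure: this becomes the CN
DNAME="CN=$HOST, OU=IT, O=Example Ltd, L=Beijing, ST=Beijing, C=CN"   # hypothetical subject
ALIAS="tomcat"                      # keyentry name
STOREPASS="changeit"                # Tomcat default; reused as the key password on purpose
WORKDIR="${WORKDIR:-$(mktemp -d)}"  # where keystore, CSR and backup are written
KEYSTORE="$WORKDIR/tomcat.jks"
CSR="$WORKDIR/request.csr"
BACKUP="$WORKDIR/backup/tomcat.jks.$(date +%Y%m%d)"

# Step 1: keystore and keyentry. -genkeypair is the current spelling of -genkey.
# -dname answers the "first and last name" and organisation prompts in one go;
# -keypass is deliberately identical to -storepass so Tomcat can recover the key.
generate_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "$DNAME" -validity 365 \
    -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: CSR. -certreq has to unlock the private key, so its success also
# proves that the key password really equals the store password. The SAN
# extension repeats the host name; the CA may override it from the order.
generate_csr() {
  keytool -certreq -alias "$ALIAS" -file "$CSR" -sigalg SHA256withRSA \
    -ext "SAN=dns:$HOST" \
    -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Keystore check: the alias must be a PrivateKeyEntry whose subject is the host.
check_keystore() {
  listing=$(keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" \
              -storetype JKS -storepass "$STOREPASS") || return 1
  printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry' || return 1
  printf '%s\n' "$listing" | grep -q "Owner: CN=$HOST," || return 1
}

# Step 4 (test the CSR before sending it): keytool writes PEM with
# "NEW CERTIFICATE REQUEST" armour. With openssl present, also verify the
# CSR's own signature and that the subject CN is the host we meant to secure.
check_csr() {
  grep -q '^-----BEGIN NEW CERTIFICATE REQUEST-----' "$CSR" || return 1
  grep -q '^-----END NEW CERTIFICATE REQUEST-----' "$CSR" || return 1
  if command -v openssl >/dev/null 2>&1; then
    openssl req -noout -verify -in "$CSR" >/dev/null 2>&1 || return 1
    openssl req -noout -subject -in "$CSR" | grep -q "CN *= *$HOST" || return 1
  fi
}

# Step 3: back up the keystore, record a checksum, and prove the copy is
# usable by listing the keyentry from it. Move the copy to removable media
# kept away from the server and restrict who can read it (chmod 600 here).
backup_keystore() {
  mkdir -p "$(dirname "$BACKUP")"
  cp "$KEYSTORE" "$BACKUP" || return 1
  chmod 600 "$BACKUP"
  cksum "$BACKUP" > "$BACKUP.cksum"
  keytool -list -alias "$ALIAS" -keystore "$BACKUP" -storetype JKS \
    -storepass "$STOREPASS" >/dev/null 2>&1
}

# Failure mode from the text: a throwaway keystore whose keyentry password
# differs from the store password. Unlocking it with the store password fails
# with "keytool error: java.security.UnrecoverableKeyException: Cannot recover
# key", the same exception Tomcat reports at startup. Returns 0 when the
# mismatch is detected as expected.
demo_password_mismatch() {
  ks="$WORKDIR/mismatch.jks"
  rm -f "$ks" "$WORKDIR/mismatch.csr"
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -dname "$DNAME" \
    -keystore "$ks" -storetype JKS -storepass "$STOREPASS" \
    -keypass "not-$STOREPASS" >/dev/null 2>&1 || return 1
  if keytool -certreq -alias "$ALIAS" -file "$WORKDIR/mismatch.csr" \
       -keystore "$ks" -storetype JKS -storepass "$STOREPASS" \
       -keypass "$STOREPASS" >/dev/null 2>&1; then
    return 1   # key unlocked with the wrong password: must not happen
  fi
  return 0
}

main() {
  generate_keystore
  generate_csr
  check_keystore         || { echo "keystore check failed" >&2; return 1; }
  check_csr              || { echo "CSR check failed" >&2; return 1; }
  backup_keystore        || { echo "backup failed" >&2; return 1; }
  demo_password_mismatch || { echo "mismatch demo did not fail as expected" >&2; return 1; }
  echo "keystore: $KEYSTORE"
  echo "CSR to submit to the CA: $CSR"
  echo "backup: $BACKUP"
}

if command -v keytool >/dev/null 2>&1; then
  main
else
  echo "keytool not found in PATH; install a JDK and re-run" >&2
fi
```

Running the script prints the paths of the keystore, the CSR to submit and the backup copy; the keystore lives in a fresh temporary directory unless WORKDIR is set. Passing -storetype JKS explicitly matters on JDK 9 and later, where keytool otherwise defaults to PKCS#12 and silently forces the key password to equal the store password, which would hide the mismatch the last function demonstrates.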