
Keystore and Certificate Generation

This topic describes two ways to produce the signing keystore and certificate used for SSO:

  • Generate Self-Signed Certificate
  • Generate CA Signed Certificate

Use whichever fits your deployment. Both end with the same two artifacts: a keystore.jks for the AE UI and a certificate file for the IDP.

Generate Self-Signed Certificate

Generate a self-signed certificate whose public key the IDP uses to verify the XML signatures on SSO messages.

A Java KeyStore is a password-protected file that holds private keys together with their certificates and, optionally, trusted CA certificates. The SSO signing key lives in such a keystore; only its certificate, which carries the public key, is ever shared with the IDP. The same keystore format is used for Tomcat's TLS key. Use a key-generation tool to create the keypair.

keytool, shipped with every JDK, generates a new public/private keypair directly into a keystore file. Oracle has a good reference at: https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/

Complete the following steps to generate and upload the Keystore file:

  • Run keytool -genkeypair to generate a new keypair in the keystore file with -keyalg RSA -keysize 2048, -sigalg SHA256withRSA and -storetype PKCS12. (keytool has no storetype named "PKCS"; PKCS12 is the portable standard format and the Java default since JDK 9.)

  • The generated keystore holds both the private key and its certificate. The IDP needs only the certificate (the public half), so extract it with keytool -exportcert.

    Run the export against the keystore (keystore.jks) to write the certificate to a file (.crt), passing the same alias and store password used when the keypair was generated. Do not upload the keystore itself to the IDP; it contains the private key.

  • Upload the generated keystore.jks to the AE UI SSO configuration settings, and the certificate file (for example client.crt) to the IDP configuration settings.

Generate CA Signed Certificate

Configure Tomcat for TLS (HTTPS) with a certificate issued by a Certificate Authority. For details, see:

  • Apache Tomcat documentation, https://tomcat.apache.org/tomcat-9.0-doc/index.html
  • Apache Tomcat SSL/TLS Configuration, https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
Tip

During TLS configuration, generate the keypair in the keystore file with keysize 2048, signature algorithm SHA256withRSA and storetype PKCS12. The certificate signing request (CSR) you send to the CA is produced from that same keypair, and the issued certificate is imported back under the same alias.

Upload the generated keystore.jks to the AE UI SSO configuration settings, and the CA-issued certificate file (.crt, or any format the IDP supports) to the IDP configuration settings.
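The keytool commands behind both procedures on this page (self-signed export for the IDP, and CSR plus CA-chain import for the CA-signed variant), as an added example rather than commands taken from the product documentation. The alias sso-signing, the password changeit, the subject DN, the 730-day validity and the CSR/CA file names are assumed placeholders; keystore.jks and client.crt are the names the page uses. The check_cert function is the pre-upload check a practitioner would want: the exported file must be a PEM certificate, carry no private key, and actually use SHA256withRSA over a 2048-bit RSA key.

```shell
#!/usr/bin/env sh
# Added example, not the product's own scripts. Assumed values are marked below.
set -eu

KEYSTORE=${KEYSTORE:-keystore.jks}   # name used by the docs; the store format is PKCS12 regardless of extension
ALIAS=${ALIAS:-sso-signing}          # assumed alias; the same alias is used for every later command
STOREPASS=${STOREPASS:-changeit}     # assumed; for PKCS12 the key password equals the store password
CERT_OUT=${CERT_OUT:-client.crt}     # certificate file handed to the IDP
DNAME=${DNAME:-"CN=ae-ui.example.com, O=Example Org, C=US"}  # assumed subject

# Common keystore arguments for every keytool call.
kt() { keytool "$@" -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS"; }

# Step 1 (both procedures): 2048-bit RSA keypair with a SHA256withRSA self-signed certificate.
# Idempotent: does nothing if the alias already exists in the store.
gen_keypair() {
  if kt -list -alias "$ALIAS" >/dev/null 2>&1; then return 0; fi
  kt -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
     -sigalg SHA256withRSA -validity 730 -dname "$DNAME"   # 730 days is an assumed validity
}

# Step 2 (self-signed): export only the certificate, PEM-encoded, for the IDP.
export_cert() { kt -exportcert -rfc -alias "$ALIAS" -file "$CERT_OUT"; }

# Pre-upload check: PEM certificate, no private key material, SHA256withRSA over 2048-bit RSA.
check_cert() {
  f=$1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  ! grep -q 'PRIVATE KEY' "$f" || return 1
  info=$(keytool -printcert -file "$f")
  printf '%s\n' "$info" | grep -q 'SHA256withRSA' || return 1
  printf '%s\n' "$info" | grep -q '2048-bit RSA' || return 1
}

# CA-signed alternative: CSR from the same keypair, then import the CA chain and the
# issued certificate under the same alias, which replaces the self-signed certificate.
make_csr()           { kt -certreq -alias "$ALIAS" -sigalg SHA256withRSA -file "${1:-request.csr}"; }
import_ca_chain()    { kt -importcert -trustcacerts -noprompt -alias "${2:-issuing-ca}" -file "$1"; }
import_issued_cert() { kt -importcert -trustcacerts -noprompt -alias "$ALIAS" -file "$1"; }

# Self-signed flow when run as a script (skipped if no JDK is on the PATH).
if command -v keytool >/dev/null 2>&1; then
  gen_keypair
  export_cert
  if check_cert "$CERT_OUT"; then
    echo "$CERT_OUT is ready to upload to the IDP; keep $KEYSTORE for the AE UI only"
    keytool -printcert -file "$CERT_OUT"
  else
    echo "$CERT_OUT failed the pre-upload check" >&2
    exit 1
  fi
else
  echo "keytool not found; install a JDK and re-run" >&2
fi
```

For the CA-signed path, call make_csr, send the request to your CA, then import_ca_chain for each certificate in the issuer chain (root first) followed by import_issued_cert for the certificate the CA returns; the resulting keystore.jks serves both Tomcat TLS and the AE UI SSO setting, while the CA-issued .crt goes to the IDP.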