5.5.6.1.5: Example: generating and using test certificates

The following sequence of commands illustrates how to create a test CA, use the test CA to generate test certificates for a server, and put the necessary information into a keyring class. This example uses the default password ("WebAS") for the vault and the keyring class, and writes to the default keyring class (com.ibm.websphere.DummyKeyring).

Setting the classpath

To use the certificate-management tools, you must put the files cfwk.zip and cfwk-tools.zip at the front of your classpath. These files are located in the AppServer/lib directory of the WebSphere installation. For example, on Windows NT, set the CLASSPATH variable as shown:

set classpath=<WS-install>\AppServer\lib\cfwk.zip;<WS-install>\AppServer\lib\cfwk-tools.zip;%CLASSPATH%

Creating the keys, certificates, and files

Create a pair of keys for the test CA, called "TestCA."

% java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4"
D:\projects\websphere\keyrings\WebAS.TestCA.key

Create a pair of keys for the test server, called "TestServer."

% java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4"
D:\projects\websphere\keyrings\WebAS.TestServer.key

Create a self-signed certificate for the test CA and place it in the file called WebAS.TestCA.cert. This uses the CA's keys from the WebAS.TestCA.key file created above.

% java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y
--issuer "cn=WebAS Test CA, OU=SWG, O=IBM, c=US"
--sign-alg "MD5 with RSA"
--sign-key d:\projects\websphere\keyrings\WebAS.TestCA.key
--cert-file d:\projects\websphere\keyrings\WebAS.TestCA.cert

Create a certificate for the TestServer using the server's key (in the file WebAS.TestServer.key), signed by the CA's key (in the file WebAS.TestCA.key). Put the new certificate in a file called WebAS.TestServer.cert.

% java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y
--issuer "cn=WebAS Test CA, OU=SWG, O=IBM, c=US"
--subject "cn=WebAS Test Server, OU=SWG, O=IBM, c=US"
--sign-alg "MD5 with RSA"
--sign-key d:\projects\websphere\keyrings\WebAS.TestCA.key
--subject-key d:\projects\websphere\keyrings\WebAS.TestServer.key
--cert-file d:\projects\websphere\keyrings\WebAS.TestServer.cert

Add the private key of the server to the vault. The vault is stored in the file WebAS.Test.Vault.vlt.

% java com.ibm.cfwk.tools.VaultTool --password "WebAS"
d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt
add private key
WebAStestServer 00-hex d:\projects\websphere\keyrings\WebAS.TestServer.key

Add the certificate chain for the server to the vault. This chain includes the certificates for the server and for the CA that signed the server's certificate (from the files WebAS.TestServer.cert and WebAS.TestCA.cert, respectively).

% java com.ibm.cfwk.tools.VaultTool --password "WebAS"
d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt
add public chain
WebAStestServer 00-hex d:\projects\websphere\keyrings\WebAS.TestServer.cert
d:\projects\websphere\keyrings\WebAS.TestCA.cert

Add the CA's self-signed certificate (WebAS.TestCA.cert) to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "WebAS"
d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt
add public cert
WebAStestCA 00-hex d:\projects\websphere\keyrings\WebAS.TestCA.cert

Export the information about the TestCA and the TestServer from the vault to a keyring class (the default DummyKeyring).

% java com.ibm.cfwk.tools.VaultTool --password "WebAS"
d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt
container -p "WebAS"
com.ibm.websphere.DummyKeyring WebAStestServer WebAStestCA

Note: The keyring class is written to the current directory, regardless of the specified Java package name. You must copy it to a location corresponding to the Java package. For example, if the keyring class name is com.ibm.websphere.DummyKeyring, the file must be moved to the com/ibm/websphere directory, and that directory must be on the CLASSPATH variable.
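The sequence above (CA key pair, server key pair, self-signed CA certificate, CA-signed server certificate, password-protected private key plus certificate chain) is the general pattern for any test PKI, not only the CFWK tools. The following added example, which is not part of this page or of the CFWK tools, walks through the same steps with the PyCA `cryptography` package (an assumed dependency), reusing the page's distinguished names and the default "WebAS" password, and then checks the resulting chain the way a consumer of the keyring would. It uses 2048-bit RSA, SHA-256 and random serial numbers where the page uses RSA/512, "MD5 with RSA" and serial 0 for both certificates; the page's parameters are adequate only for throwaway test material, and a chain whose CA and server certificate share one serial under the same issuer would be rejected by strict validators.

```python
"""Test CA + CA-signed server certificate, built and checked end to end.

Added example; not code from the page or from the CFWK tools.
Assumes the PyCA `cryptography` package is installed.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

VAULT_PASSWORD = b"WebAS"  # same default password the page uses for the vault


def make_name(cn):
    # Mirrors the page's DNs: cn=<cn>, OU=SWG, O=IBM, c=US
    return x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "SWG"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "IBM"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    ])


def generate_key(bits=2048):
    # Equivalent of KeyGenTool --forge "RSA/<bits>/F4": F4 is the exponent 65537.
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def make_cert(subject, issuer, subject_key, sign_key, days, is_ca):
    """Equivalent of MakeCertTool: subject_key goes into the cert, sign_key signs it.
    For the self-signed CA both keys are the CA key and subject == issuer."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())  # unique per cert, unlike --serial 0
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(sign_key, hashes.SHA256())


def build_test_chain(ca_cn="WebAS Test CA", server_cn="WebAS Test Server", days=730):
    """Steps 1-4 of the page: two key pairs, CA cert, server cert signed by the CA."""
    ca_key = generate_key()
    server_key = generate_key()
    ca_cert = make_cert(make_name(ca_cn), make_name(ca_cn), ca_key, ca_key, days, True)
    server_cert = make_cert(make_name(server_cn), make_name(ca_cn), server_key, ca_key, days, False)
    return {"ca_key": ca_key, "ca_cert": ca_cert,
            "server_key": server_key, "server_cert": server_cert}


def verify_chain(server_cert, ca_cert):
    """True only if ca_cert directly issued server_cert: issuer name matches the
    CA subject, the CA is flagged as a CA, serials differ, and the signature verifies."""
    if server_cert.issuer != ca_cert.subject:
        return False
    basic = ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    if not basic.ca:
        return False
    if server_cert.serial_number == ca_cert.serial_number:
        return False  # serial reuse under one issuer, as in the page's --serial 0 example
    try:
        ca_cert.public_key().verify(
            server_cert.signature,
            server_cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            server_cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True


def export_vault_material(chain, password=VAULT_PASSWORD):
    """Equivalent of the VaultTool steps: the server private key, encrypted under the
    vault password, and the public chain ordered server certificate then CA certificate."""
    key_pem = chain["server_key"].private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(password),
    )
    chain_pem = (chain["server_cert"].public_bytes(serialization.Encoding.PEM)
                 + chain["ca_cert"].public_bytes(serialization.Encoding.PEM))
    return key_pem, chain_pem


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


if __name__ == "__main__":
    chain = build_test_chain()
    print("chain valid:", verify_chain(chain["server_cert"], chain["ca_cert"]))
    key_pem, chain_pem = export_vault_material(chain)
    print(key_pem.decode().splitlines()[0], chain_pem.count(b"BEGIN CERTIFICATE"), "certs")
```

`verify_chain` performs only the direct-issuer check that corresponds to the two-certificate chain the page builds; a production validator would additionally check validity dates, key usage, revocation and the host name against the server certificate.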
