5.5.6.1.5: Example: generating and using test certificates

The following sequence of commands illustrates how to create a test CA, use the test CA to generate test certificates for a server, and put the necessary information into a keyring class. This example uses the default password ("WebAS") for the vault and the keyring class, and writes to the default keyring class (com.ibm.websphere.DummyKeyring).

Setting the classpath

To use the certificate-management tools, you must put the files cfwk.zip and cfwk-tools.zip at the front of your classpath. These files are located in the AppServer/lib directory of the WebSphere installation. For example, on Windows NT, set the CLASSPATH variable as shown:

    set classpath=<WS-install>\AppServer\lib\cfwk.zip;<WS-install>\AppServer\lib\cfwk-tools.zip;%CLASSPATH%

Creating the keys, certificates, and files

Create a pair of keys for the test CA, called "TestCA."

    % java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4" D:\projects\websphere\keyrings\WebAS.TestCA.key

Create a pair of keys for the test server, called "TestServer."

    % java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4" D:\projects\websphere\keyrings\WebAS.TestServer.key

Create a self-signed certificate for the test CA and place it in the file called WebAS.TestCA.cert. This uses the CA's keys from the WebAS.TestCA.key file created above.

    % java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y --issuer "cn=WebAS Test CA, OU=SWG, O=IBM, c=US" --sign-alg "MD5 with RSA" --sign-key d:\projects\websphere\keyrings\WebAS.TestCA.key --cert-file d:\projects\websphere\keyrings\WebAS.TestCA.cert

Create a certificate for the TestServer using the server's key (in the file WebAS.TestServer.key), signed by the CA's key (in the file WebAS.TestCA.key). Put the new certificate in a file called WebAS.TestServer.cert.

    % java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y --issuer "cn=WebAS Test CA, OU=SWG, O=IBM, c=US" --subject "cn=WebAS Test Server, OU=SWG, O=IBM, c=US" --sign-alg "MD5 with RSA" --sign-key d:\projects\websphere\keyrings\WebAS.TestCA.key --subject-key d:\projects\websphere\keyrings\WebAS.TestServer.key --cert-file d:\projects\websphere\keyrings\WebAS.TestServer.cert

Add the private key of the server to the vault. The vault is stored in the file WebAS.Test.Vault.vlt.

    % java com.ibm.cfwk.tools.VaultTool --password "WebAS" d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt add private key WebAStestServer 00-hex d:\projects\websphere\keyrings\WebAS.TestServer.key

Add the certificate chain for the server to the vault. This chain includes the certificates for the server and for the CA that signed the server's certificate (from the files WebAS.TestServer.cert and WebAS.TestCA.cert, respectively).

    % java com.ibm.cfwk.tools.VaultTool --password "WebAS" d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt add public chain WebAStestServer 00-hex d:\projects\websphere\keyrings\WebAS.TestServer.cert d:\projects\websphere\keyrings\WebAS.TestCA.cert

Add the CA's self-signed certificate (WebAS.TestCA.cert) to the vault.

    % java com.ibm.cfwk.tools.VaultTool --password "WebAS" d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt add public cert WebAStestCA 00-hex d:\projects\websphere\keyrings\WebAS.TestCA.cert

Export the information about the TestCA and the TestServer from the vault to a keyring class (the default DummyKeyring).

    % java com.ibm.cfwk.tools.VaultTool --password "WebAS" d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt container -p "WebAS" com.ibm.websphere.DummyKeyring WebAStestServer WebAStestCA
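The commands above use test-grade settings (512-bit RSA keys, MD5 signatures, the default "WebAS" password, and serial 0 for both certificates from the same issuer), so a build or deployment script derived from them is worth checking before it is reused outside a test setup. The following Python check is an added example, not part of the original page or of the IBM tools; it assumes the --forge value is laid out as algorithm/bits/exponent, and the 2048-bit minimum and the finding names are choices made for this example.

```python
import shlex

# Constructed input: four of the commands from the procedure above, copied verbatim.
COMMANDS = [
    r'java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4" D:\projects\websphere\keyrings\WebAS.TestCA.key',
    r'java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y --issuer "cn=WebAS Test CA, OU=SWG, O=IBM, c=US" --sign-alg "MD5 with RSA" --sign-key d:\projects\websphere\keyrings\WebAS.TestCA.key --cert-file d:\projects\websphere\keyrings\WebAS.TestCA.cert',
    r'java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y --issuer "cn=WebAS Test CA, OU=SWG, O=IBM, c=US" --subject "cn=WebAS Test Server, OU=SWG, O=IBM, c=US" --sign-alg "MD5 with RSA" --sign-key d:\projects\websphere\keyrings\WebAS.TestCA.key --subject-key d:\projects\websphere\keyrings\WebAS.TestServer.key --cert-file d:\projects\websphere\keyrings\WebAS.TestServer.cert',
    r'java com.ibm.cfwk.tools.VaultTool --password "WebAS" d:\projects\websphere\keyrings\WebAS.Test.Vault.vlt container -p "WebAS" com.ibm.websphere.DummyKeyring WebAStestServer WebAStestCA',
]

MIN_RSA_BITS = 2048                      # policy threshold assumed by this example
WEAK_DIGESTS = ("MD5", "SHA1", "SHA-1")  # digests no longer suitable for signing
DEFAULT_PASSWORDS = {"WebAS"}            # the default password named on the page


def options(command):
    """Map each option to the token after it; posix=False keeps Windows backslashes."""
    tokens = [t.strip('"') for t in shlex.split(command, posix=False)]
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}


def audit(commands):
    """Return (command number, finding, detail) tuples for test-grade settings."""
    findings, seen_serials = [], set()
    for n, cmd in enumerate(commands, 1):
        opts = options(cmd)
        if "--forge" in opts:
            alg, bits = opts["--forge"].split("/")[:2]  # assumed: algorithm/bits/exponent
            if alg == "RSA" and int(bits) < MIN_RSA_BITS:
                findings.append((n, "weak-key", bits))
        sign_alg = opts.get("--sign-alg", "")
        if sign_alg.upper().startswith(WEAK_DIGESTS):
            findings.append((n, "weak-digest", sign_alg))
        for flag in ("--password", "-p"):
            if opts.get(flag) in DEFAULT_PASSWORDS:
                findings.append((n, "default-password", flag))
        if "--serial" in opts:
            # Serial numbers must be unique per issuer (RFC 5280, section 4.1.2.2).
            key = (opts.get("--issuer"), opts["--serial"])
            if key in seen_serials:
                findings.append((n, "duplicate-serial", opts["--serial"]))
            seen_serials.add(key)
    return findings


if __name__ == "__main__":
    for finding in audit(COMMANDS):
        print(finding)
```

Passwords given as command-line arguments, as in the VaultTool calls, can also end up in shell history and process listings, which is a further reason to keep these commands confined to test systems.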