
Re: Certificates

by Velpi

> Am I right?
> 1.) I must first create a CA via openssl.
> 2.) Then I must create a csr via keytool
> 3.) Then I must sign the csr via openssl
> 4.) Import the certificate in the cacerts file
>
> Thanks, Luk,

If in '4' you mean the CA's certificate then yes.

more detailed (not tested, but should work):

1) create CA key+cert (preferably a lot more than 365 days, certainly
more than the validity of the certificate you'll sign with the CA):
$ openssl req -new -x509 -out MYCA.crt -keyout MYCA.key -days 1095 \
    -config openssl.cnf

2) create CSR:
$ openssl req -nodes -new -out MYLOCAL.csr -keyout MYLOCAL.key \
    -config openssl.cnf

3) sign CSR with my own shiny CA
$ openssl x509 -req -in MYLOCAL.csr -CA MYCA.crt -CAkey MYCA.key \
    -CAcreateserial -out MYLOCAL.crt -days 365

4) import certificate in cacerts:
$ keytool -import -trustcacerts -alias "MyShinyCA" -file MYCA.crt \
    -keystore $JAVA_HOME/lib/security/cacerts
("changeit")

Then install all certificates and restart the services that use them. It
should be nearly copy/paste now ;).

Good luck!

--
/---------------------------------------------
| Jan "Velpi" Van der Velpen
| Velpi@... || +32 (0) 498 61 24 89
\---------------------------------------------
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas
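
Added example (not part of Velpi's message and not code from the CAS project): steps 1 to 3 run non-interactively in a scratch directory and are then checked with openssl itself, including that the CA outlives the certificate it signed. The subjects, the passphrase, the minimal openssl.cnf and the function names make_pki and check_pki are constructed for illustration; the keytool import of step 4 is left out.

```shell
#!/bin/sh
# Added example: subjects, passphrase and config below are constructed.
make_pki() (                      # $1 = empty directory for the files
    cd "$1" || exit 1
    cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    CA_PASS='constructed-demo-passphrase'; export CA_PASS
    # 1) CA key (passphrase-protected) + self-signed CA certificate, 1095 days
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 1095 \
        -subj "/CN=My Shiny CA" -passout env:CA_PASS \
        -keyout MYCA.key -out MYCA.crt -config openssl.cnf 2>/dev/null || exit 1
    # 2) server key + CSR (no -x509, so the output is a request, not a cert)
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=cas.example.test" \
        -keyout MYLOCAL.key -out MYLOCAL.csr -config openssl.cnf 2>/dev/null || exit 1
    # 3) sign the CSR with the CA, 365 days
    openssl x509 -req -sha256 -days 365 -in MYLOCAL.csr \
        -CA MYCA.crt -CAkey MYCA.key -passin env:CA_PASS \
        -CAcreateserial -out MYLOCAL.crt 2>/dev/null || exit 1
    chmod 600 MYCA.key MYLOCAL.key
)

check_pki() (                     # $1 = directory filled by make_pki
    cd "$1" || exit 1
    # the file from step 2 parses as a CSR and its self-signature is valid
    openssl req -in MYLOCAL.csr -noout -verify -config openssl.cnf >/dev/null 2>&1 || exit 1
    # the server certificate chains to the CA certificate
    openssl verify -CAfile MYCA.crt MYLOCAL.crt >/dev/null 2>&1 || exit 1
    # in 366 days the CA must still be valid and the server cert expired
    t=$((366 * 86400))
    openssl x509 -in MYCA.crt -noout -checkend "$t" >/dev/null || exit 1
    ! openssl x509 -in MYLOCAL.crt -noout -checkend "$t" >/dev/null
)

dir=$(mktemp -d) && make_pki "$dir" && check_pki "$dir" && echo "checks passed in $dir"
```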
