Signing a certificate

If you created your certificate authority with CDC Replication commands, you can also sign certificates with CDC Replication commands.

This procedure uses keytool, which is located under installation_directory/jre64/jre/bin.

The certificate authority signs a certificate when it receives a certificate signing request (CSR) from a CDC Replication system. The request is usually a file named after the hostname of the CDC Replication system, with a .csr extension. Use the keytool -gencert command to sign it. For example:

keytool -gencert -noprompt -infile hostname.csr -outfile hostname.crt -alias self -sigalg SHA256withECDSA -validity 365 -keystore privatekey.p12 -storepass password -storetype PKCS12 -rfc -ext KeyUsage:critical=digitalSignature -ext ExtendedKeyUsage:critical=serverAuth,clientAuth

In this command, -alias names the keystore entry that holds the certificate authority's private key and self-signed certificate (self in this example). The -sigalg value must match the type of that key: SHA256withECDSA for an EC key; for an RSA key, use SHA256withRSA instead. The -validity value is in days. The two -ext options add a critical Key Usage extension (digitalSignature) and a critical Extended Key Usage extension (serverAuth and clientAuth) to the signed certificate. If you omit -storepass, keytool prompts for the keystore password instead of taking it from the command line, where it can be read from the shell history and the process list.

The CDC Replication system needs the entire certificate chain, which includes the signed certificate and the certificate authority's certificate. You can use the keytool -exportcert command to export the certificate authority's certificate. For example:

keytool -exportcert -noprompt -rfc -alias self -file ca.crt -keystore privatekey.p12 -storepass password -storetype PKCS12

Send the signed certificate (for example, hostname.crt) and the self-signed certificate authority certificate (for example, ca.crt) back to the CDC Replication system.

You can also use third-party tools such as openssl to sign a certificate.
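The same three steps (sign the request, export the certificate authority's certificate, hand both back) carried out with openssl, as an added example that is not part of the product documentation. It is a POSIX shell script. The throwaway CA key, the CSR and the file names (ca.key, ca-self.crt, hostname.csr, hostname.crt, ca.crt) are constructed for the demonstration and stand in for the CA keystore privatekey.p12 and the CSR received from the CDC Replication system. The lines in EXT_CONF are the openssl spelling of the two keytool -ext options shown above; verify_chain is the check the receiving side can run before installing the files.

```shell
#!/bin/sh
# Added example (not from the CDC Replication documentation): sign a CSR
# with openssl, export the CA certificate, and verify the resulting chain.
set -e

# openssl equivalent of the keytool options
#   -ext KeyUsage:critical=digitalSignature
#   -ext ExtendedKeyUsage:critical=serverAuth,clientAuth
# basicConstraints is added so the leaf can never be used as a CA.
EXT_CONF='keyUsage = critical, digitalSignature
extendedKeyUsage = critical, serverAuth, clientAuth
basicConstraints = critical, CA:FALSE'

# sign_csr CA_KEY CA_CERT CSR OUT_CERT
#   Equivalent of keytool -gencert: issue a 365-day end-entity certificate
#   from the CSR, signed with SHA-256 by the CA key (ECDSA for an EC key).
sign_csr() {
  ca_key=$1; ca_cert=$2; csr=$3; out=$4
  printf '%s\n' "$EXT_CONF" > "$out.ext"
  openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" \
    -CAcreateserial -days 365 -sha256 -extfile "$out.ext" -out "$out" 2>/dev/null
  rm -f "$out.ext"
}

# export_ca CA_CERT OUT
#   Equivalent of keytool -exportcert -rfc: a PEM copy of the CA certificate.
export_ca() {
  openssl x509 -in "$1" -out "$2"
}

# verify_chain CA_CERT CERT
#   Check the receiving side should run before installing the files: the
#   signed certificate must chain to the CA and carry the expected usages.
verify_chain() {
  ca=$1; cert=$2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$cert" -noout -text)
  printf '%s' "$txt" | grep -q 'Digital Signature' || return 1
  printf '%s' "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s' "$txt" | grep -q 'TLS Web Client Authentication' || return 1
  return 0
}

# demo WORKDIR
#   Constructed end-to-end run: a throwaway EC CA and a throwaway CSR stand in
#   for the real privatekey.p12 and the CSR sent by the CDC Replication system.
demo() {
  d=$1
  mkdir -p "$d"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$d/ca.key" -sha256 -days 3650 \
    -subj "/CN=CDC test CA" -out "$d/ca-self.crt" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/hostname.key" 2>/dev/null
  openssl req -new -key "$d/hostname.key" -subj "/CN=hostname.example" \
    -out "$d/hostname.csr" 2>/dev/null
  sign_csr "$d/ca.key" "$d/ca-self.crt" "$d/hostname.csr" "$d/hostname.crt"
  export_ca "$d/ca-self.crt" "$d/ca.crt"
  verify_chain "$d/ca.crt" "$d/hostname.crt"
}

# Usage: . ./sign-cdc-csr.sh && demo ./out
# Afterwards ./out/hostname.crt and ./out/ca.crt are the two files to send
# back to the CDC Replication system.
```

To run the real flow against the keystore created with the CDC Replication commands, first take the CA key and certificate out of the PKCS12 file (openssl pkcs12 -in privatekey.p12 -nocerts -nodes -out ca.key and openssl pkcs12 -in privatekey.p12 -nokeys -out ca-self.crt), then call sign_csr and export_ca on the CSR received from the CDC Replication system instead of the constructed one in demo.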