Signing a certificate
If you created your certificate authority with CDC Replication commands, you can also sign certificates with CDC Replication commands.
This procedure uses keytool, which is located under installation_directory/jre64/jre/bin.
The certificate authority signs a certificate when it receives a certificate signing request from a CDC Replication system. The request is typically a file named after the hostname of the CDC Replication system, with a .csr extension. You can use the keytool -gencert command to sign a certificate. For example:
keytool -gencert -noprompt -infile hostname.csr -outfile hostname.crt -alias self -sigalg SHA256withRSA -validity 365 -keypass password -keystore privatekey.jks -storepass password -storetype JKS -rfc -ext KeyUsage:critical=digitalSignature,keyAgreement,keyEncipherment,nonRepudiation -ext ExtendedKeyUsage:critical=serverAuth,clientAuth
The CDC Replication system needs the entire certificate chain, which includes the signed certificate and the certificate authority's certificate. You can use the keytool -exportcert command to export the certificate authority's certificate. For example:
keytool -exportcert -noprompt -rfc -alias self -file ca.crt -keystore privatekey.jks -storepass password -storetype JKS
Send the signed certificate (for example, hostname.crt) and the self-signed certificate authority certificate (for example, ca.crt) back to the CDC Replication system.
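The round trip above as an added example (not code from the CDC Replication documentation): a shell script that creates a throwaway CA keystore and a CSR, signs the request with the -gencert options shown above, exports the CA certificate, and then checks the result the way the receiving CDC Replication system will, by importing ca.crt and hostname.crt into the requesting keystore. It assumes keytool is on PATH; the alias cdc, the hostname cdc-host.example.test, the CA name Demo CA and the password changeit are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the CDC Replication documentation): sign a CSR with
# the page's keytool -gencert options and verify the chain before sending it.
# Assumes keytool is on PATH. The CA name, hostname, alias "cdc" and the
# password "changeit" are constructed for this example.
set -eu

sign_and_verify() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
    work=$(mktemp -d)
    pw=changeit

    # 1. Throwaway CA keystore standing in for privatekey.jks: a CA-capable key pair.
    keytool -genkeypair -noprompt -alias self -keyalg RSA -keysize 2048 \
        -dname "CN=Demo CA" -validity 365 \
        -ext BasicConstraints:critical=ca:true -ext KeyUsage:critical=keyCertSign,cRLSign \
        -keystore "$work/privatekey.jks" -storetype JKS -storepass "$pw" -keypass "$pw" >/dev/null 2>&1
    # 2. The requesting system's key pair and its CSR (hostname.csr on the page).
    keytool -genkeypair -noprompt -alias cdc -keyalg RSA -keysize 2048 \
        -dname "CN=cdc-host.example.test" -validity 365 \
        -keystore "$work/cdc.jks" -storetype JKS -storepass "$pw" -keypass "$pw" >/dev/null 2>&1
    keytool -certreq -alias cdc -file "$work/hostname.csr" \
        -keystore "$work/cdc.jks" -storetype JKS -storepass "$pw" >/dev/null 2>&1
    # 3. Sign the request and export the CA certificate with the page's options
    #    (keytool's JKS-format warnings are silenced; failures surface in step 4).
    keytool -gencert -noprompt -infile "$work/hostname.csr" -outfile "$work/hostname.crt" \
        -alias self -sigalg SHA256withRSA -validity 365 -keypass "$pw" \
        -keystore "$work/privatekey.jks" -storepass "$pw" -storetype JKS -rfc \
        -ext KeyUsage:critical=digitalSignature,keyAgreement,keyEncipherment,nonRepudiation \
        -ext ExtendedKeyUsage:critical=serverAuth,clientAuth >/dev/null 2>&1
    keytool -exportcert -noprompt -rfc -alias self -file "$work/ca.crt" \
        -keystore "$work/privatekey.jks" -storepass "$pw" -storetype JKS >/dev/null 2>&1
    # 4. Checks: the issuer is the CA, the requested EKU is present, and the
    #    reply installs into the requesting keystore once ca.crt is trusted
    #    (keytool rejects a reply it cannot chain to a trusted certificate).
    keytool -printcert -file "$work/hostname.crt" | grep -q '^Issuer: CN=Demo CA' || return 1
    keytool -printcert -file "$work/hostname.crt" | grep -q 'serverAuth' || return 1
    keytool -importcert -noprompt -alias self -file "$work/ca.crt" \
        -keystore "$work/cdc.jks" -storetype JKS -storepass "$pw" >/dev/null 2>&1 || return 1
    keytool -importcert -noprompt -alias cdc -file "$work/hostname.crt" \
        -keystore "$work/cdc.jks" -storetype JKS -storepass "$pw" -keypass "$pw" >/dev/null 2>&1 || return 1
    rm -rf "$work"
}

sign_and_verify && echo "hostname.crt chains to ca.crt; send both to the CDC Replication system"
```

If the final import fails, the signed certificate does not chain to the exported CA certificate and the pair should not be sent on.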
You can also use third-party tools such as openssl to sign a certificate.