Generating Certificates

To obtain a real SSL certificate, you must first generate a CSR (Certificate Signing Request). A CSR is a body of text that contains information specific to your company and domain name, together with the public key for your server.

The Java keytool utility creates and manages keys and certificates, storing all of them in a keystore. For a detailed description of keytool, see its documentation.

Step 1: Create a keystore

Use the keytool to create a keystore with a private/public keypair.

keytool -genkey -keyalg "RSA" -keystore keystore -storepass password -validity 360

You will be prompted for information about your organization. Note that when it asks for "User first and last name", specify the hostname that Universal Messaging will be running on (e.g. www.yoursite.com), since this value becomes the certificate's Common Name (CN).

Step 2: Create a certificate request

Use the keytool to create a certificate request.

keytool -certreq -keyalg "RSA" -file your.host.com.csr -keystore keystore

This generates a file containing a certificate request in text format. The request itself will look something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END NEW CERTIFICATE REQUEST-----

Step 3: Submit your certificate request to a certificate supplier

Certificate vendors will typically ask you to paste the certificate request into a web order form. The vendor uses the public key in the request to issue your certificate. Include the BEGIN and END tags when you paste the certificate request.

Note that a certificate in PKCS #7 format is required so that it can be imported back into keytool (step 4).

The certificate vendor will then provide you with a certificate. Paste it into a file called your.host.com.cer, including the BEGIN and END tags. It will look something like this:

-----BEGIN PKCS #7 SIGNED DATA-----
(base64-encoded PKCS #7 body omitted)
-----END PKCS #7 SIGNED DATA-----

Step 4: Store the certificate in your keystore

Use the keytool to store the generated certificate. Because none of the commands specify -alias, keytool uses its default alias (mykey) throughout, so this import installs the certificate as the reply for the key pair created in step 1 rather than as a separate trusted certificate:

keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file your.host.com.cer

After step 4 is completed, you have a Universal Messaging server keystore and can add an SSL interface as described in Creating an SSL-Enabled Interface.

Note that if you completed steps 1 to 4 with test certificates, you will also need to create a separate store for the CA root certificate, because Universal Messaging cannot start the interface until it validates where the certificate came from. Certificate vendors typically provide test root certificates that are not recognized by browsers and other clients. In this case, add that root certificate to another store and use it as your cacert; for a Universal Messaging SSL interface, this store is specified as the Trust Store Path on the certificates tab.
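Steps 1 to 4 and the trust-store note above, as an added example that is not part of the Universal Messaging documentation: each step as a non-interactive keytool call, plus the checks a practitioner runs around them (tag check on the vendor's reply, entry and chain check after the import). It assumes a JDK keytool on the PATH; the host name, DN fields and password are placeholders.

```shell
# Added example, not from the Universal Messaging documentation: steps 1-4 as
# non-interactive keytool calls plus the checks worth running around them.
# Assumes a JDK keytool on PATH; host, DN fields and password are placeholders.
set -eu
KS=keystore            # keystore file name used in the steps above
STOREPASS=password     # placeholder, as in step 1; use a real secret
HOST=www.yoursite.com  # placeholder; becomes the CN, as step 1 requires

# Prints the PEM block type (e.g. "PKCS #7 SIGNED DATA") and returns 0 when the
# file holds one block with matching BEGIN/END tags; returns 1 otherwise. Run it
# on the vendor's reply before step 4, which needs both tags present.
pem_type() {
    begin=$(grep -c '^[[:space:]]*-----BEGIN ' "$1" || true)
    end=$(grep -c '^[[:space:]]*-----END ' "$1" || true)
    [ "$begin" -eq 1 ] && [ "$end" -eq 1 ] || return 1
    btype=$(sed -n 's/^[[:space:]]*-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1")
    etype=$(sed -n 's/^[[:space:]]*-----END \(.*\)-----[[:space:]]*$/\1/p' "$1")
    [ "$btype" = "$etype" ] || return 1
    printf '%s\n' "$btype"
}

# Step 1: key pair in a new keystore; -dname replaces the interactive questions.
create_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias mykey -keystore "$KS" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -validity 360 \
        -dname "CN=$HOST, OU=IT, O=Example Corp, L=London, ST=London, C=GB"
}
# Step 2: certificate request for that key pair.
create_csr() {
    keytool -certreq -alias mykey -file "$HOST.csr" -keystore "$KS" -storepass "$STOREPASS"
}
# Step 4: import the reply into the SAME alias as the key pair, so keytool installs
# it as that key's certificate chain, not as a separate trusted certificate.
import_reply() {
    keytool -importcert -alias mykey -trustcacerts -file "$HOST.cer" \
        -keystore "$KS" -storepass "$STOREPASS"
}
# After step 4 the entry must be a PrivateKeyEntry whose chain is longer than the
# single self-signed certificate it started with.
verify_keystore() {
    out=$(keytool -list -v -alias mykey -keystore "$KS" -storepass "$STOREPASS")
    printf '%s\n' "$out" | grep -q 'Entry type: PrivateKeyEntry' || return 1
    printf '%s\n' "$out" | grep -q 'Certificate chain length: [2-9]'
}
# Separate store for a test CA root (note after step 4): its path is the Trust Store Path.
create_truststore() {
    keytool -importcert -noprompt -alias testca -file "$1" -keystore truststore -storepass "$STOREPASS"
}
```

Run `create_keystore && create_csr`, submit the CSR, then `pem_type www.yoursite.com.cer && import_reply && verify_keystore`; for a test CA, run `create_truststore <root-cert-file>` as well.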

If you are using anonymous SSL, you will also have to provide this cacert to clients, as they will not be able to validate the Universal Messaging certificate without it. See the Security section of our Concepts guide for more information on configuring Universal Messaging clients to use certificates.