Create a new keystore, generate a CSR request, and obtain a signed certificate from a CA
- If necessary, verify that the PATH system variable includes the path to theJavabin directory.
- In a command prompt, typeset | findstr "Path".
- PressEnter.
For instructions to set the Path system variable, see "Set an environment variable for the Java location" in the installation content. - On the computer that hostsBEMS, create a temporary folder (for example,C:\bemscert).
- Create a newJavakeystore and key pair.
- Open a command prompt.
- Navigate to the folder that you created in step 1.
- Typekeytool -genkeypair -alias serverkey -keyalg RSA -keystore bemsnew.pfx -storetype PKCS12 -keysize 2048 -dname "CN=<.FQDN of BEMS host>, OU=<BEMS name>, O=<domain>, L=<location>, S=<state or province>, C=<country>" -validity <number of days before the certificate expires> -storepass <mystorepassword>For example,keytool -genkeypair -alias serverkey -keyalg RSA -keystore bemsnew.pfx -storetype PKCS12 -keysize 2048 -dname "CN=BEMShost.example.net, OU=BEMShost, O=example, L=Waterloo, S=Ontario, C=CA" -validity 730 -storepass mystorepassswordFor more information about keystore commands, see Keystore commands.
- PressEnter.
- Type a password for the serverkey certificate's private key. To set the serverkey password to be the same as the keystore password, pressEnter.
- Optionally, to view the contents of the certificate before you submit it to a CA, typekeytool -list -v -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword>
- Generate a CSR for theBEMSJavakeystore. In the command prompt, typekeytool -certreq -alias serverkey -file bemsnewcert.csr -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -keypass <mykeypassword>If the serverkey password and the keystore password are the same, typekeytool -certreq -alias serverkey -file bemsnewcert.csr -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -keypass <mystorepassword>
- Submit the CSR to a CA.
- Receive the CA-signed certificate from the CA and save it to the folder that you created in step 1.
- Import the CA-signed certificate to the request. In the command prompt, typekeytool -importcert -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -file <"certificate filename received in step 5"> -alias serverkeyFor example,keytool -importcert -keystore bemsnew.pfx -storetype PKCS12 -storepass mystorepassword -file "bemsnew certnew.cer" -alias serverkey
- View the new contents of the keystore, typekeytool -list -v -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword>