Create a new keystore, generate a CSR request, and obtain a signed certificate from a CA

  1. If necessary, verify that the PATH system variable includes the path to the Java bin directory.
    1. In a command prompt, type
      set | findstr "Path"
    2. Press Enter.
    For instructions to set the Path system variable, see "Set an environment variable for the Java location" in the installation content.
  2. On the computer that hosts BEMS, create a temporary folder (for example, C:\bemscert).
  3. Create a new Java keystore and key pair.
    1. Open a command prompt.
    2. Navigate to the folder that you created in step 1.
    3. Type
      keytool -genkeypair -alias serverkey -keyalg RSA -keystore bemsnew.pfx -storetype PKCS12 -keysize 2048 -dname "CN=<FQDN of BEMS host>, OU=<BEMS name>, O=<domain>, L=<location>, S=<state or province>, C=<country>" -validity <number of days before the certificate expires> -storepass <mystorepassword>
      For example,
      keytool -genkeypair -alias serverkey -keyalg RSA -keystore bemsnew.pfx -storetype PKCS12 -keysize 2048 -dname "CN=BEMShost.example.net, OU=BEMShost, O=example, L=Waterloo, S=Ontario, C=CA" -validity 730 -storepass mystorepassword
      For more information about keystore commands, see Keystore commands.
    4. Press Enter.
    5. Type a password for the serverkey certificate's private key. To set the serverkey password to be the same as the keystore password, press Enter.
    6. Optionally, to view the contents of the certificate before you submit it to a CA, type
      keytool -list -v -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword>
  4. Generate a CSR for the BEMS Java keystore. In the command prompt, type
    keytool -certreq -alias serverkey -file bemsnewcert.csr -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -keypass <mykeypassword>
    If the serverkey password and the keystore password are the same, type
    keytool -certreq -alias serverkey -file bemsnewcert.csr -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -keypass <mystorepassword>
  5. Submit the CSR to a CA.
  6. Receive the CA-signed certificate from the CA and save it to the folder that you created in step 1.
  7. Import the CA-signed certificate to the request. In the command prompt, type
    keytool -importcert -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -file <"certificate filename received in step 5"> -alias serverkey
    For example,
    keytool -importcert -keystore bemsnew.pfx -storetype PKCS12 -storepass mystorepassword -file "bemsnew certnew.cer" -alias serverkey
  8. To view the new contents of the keystore, type
    keytool -list -v -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword>
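
The check below is an added example, not part of the original procedure or the vendor's tooling. It parses the output of the keytool -list -v command from step 8 and reports whether the serverkey entry is still a private-key entry, is no longer self-signed, and has at least a 2048-bit key. The sample listings are constructed, and the field labels assume the English-locale output of a recent JDK.

```python
import re

# Constructed sample of `keytool -list -v` output after step 7 (not real data).
# Field labels assume the English-locale layout of a recent JDK.
SAMPLE_SIGNED = """\
Alias name: serverkey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=BEMShost.example.net, OU=BEMShost, O=example, L=Waterloo, ST=Ontario, C=CA
Issuer: CN=Example Issuing CA, O=example, C=CA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Issuing CA, O=example, C=CA
Issuer: CN=Example Issuing CA, O=example, C=CA
"""

# Constructed sample of the same keystore before the CA reply is imported.
SAMPLE_SELF_SIGNED = """\
Alias name: serverkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=BEMShost.example.net, OU=BEMShost, O=example, L=Waterloo, ST=Ontario, C=CA
Issuer: CN=BEMShost.example.net, OU=BEMShost, O=example, L=Waterloo, ST=Ontario, C=CA
Subject Public Key Algorithm: 2048-bit RSA key
"""

def check_entry(listing, alias="serverkey", min_bits=2048):
    """Return a list of problems found for `alias`; an empty list means it passed."""
    # Split the listing into per-alias blocks and pick the one we care about.
    blocks = re.split(r"(?m)^Alias name: ", listing)[1:]
    block = next((b for b in blocks if b.split("\n", 1)[0].strip() == alias), None)
    if block is None:
        return [f"alias {alias!r} not found"]
    def field(label):
        # First match in the block, so Owner/Issuer come from Certificate[1] (the leaf).
        m = re.search(rf"(?m)^{re.escape(label)}: *(.+)$", block)
        return m.group(1).strip() if m else ""
    problems = []
    if field("Entry type") != "PrivateKeyEntry":
        problems.append("entry is not a PrivateKeyEntry (certificate imported without the key)")
    if field("Owner") == field("Issuer"):
        problems.append("leaf certificate is still self-signed (CA reply not installed)")
    bits = re.match(r"(\d+)-bit", field("Subject Public Key Algorithm"))
    if not bits or int(bits.group(1)) < min_bits:
        problems.append(f"public key is smaller than {min_bits} bits or not reported")
    return problems
```

To run it against a real keystore, pass the text captured from the step 8 command to check_entry instead of the constructed samples.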