48.5 Creating a Keystore and Certificate Signing Request

A keystore is a Java file that contains encryption keys and, optionally, security certificates. To create a keystore, you need the Java Keytool utility included in the JRE. You create the .jks file, generate a certificate, then import the certificate into the keystore. Each certificate is associated with a unique alias. You place the keystore in the conf directory for your application server that supports the identity applications and Identity Reporting.

  1. In a command prompt, navigate to the conf directory for your application server installation where you have deployed the identity applications. For example, /opt/netiq/idm/apps/tomcat/conf.

    The tomcat/conf path is the default for the identity applications installed on Tomcat. The path can vary, depending on how you installed the application and Tomcat.

  2. To change to the conf directory and add the Java Keytool utility to your path, enter the following commands:

    cd /opt/netiq/idm/apps/tomcat/conf
    export PATH=/opt/netiq/idm/jre/bin:$PATH

  3. To create the keystore, enter the following command:

    keytool -genkey -alias keystore_name -keyalg RSA -keystore keystore_name.keystore -validity 3650

    For example:

    keytool -genkey -alias IDMkey -keyalg RSA -keystore IDMkey.keystore -validity 3650

  4. When prompted, specify the parameter values according to the following considerations:

    • When asked for your first and last name, specify the fully qualified name of the server. For example:

      MyTomcatServer.NetIQ.com

    • Use correct spelling. If you spell any words incorrectly, you will see errors when you generate your signed certificate from the signing authority.

  5. (Optional) Create a simple text file to save a copy of the information that you provide for the parameter values.

    Saving this information helps ensure that you supply the same information when you apply to the signing authority and when you import your certificate.

  6. To generate the certificate request, complete the following steps:

    1. In the conf directory, create a simple text file named your_request.csr. For example, IDMcertrequest.csr.

    2. At a command prompt, enter the following command:

      keytool -certreq -v -alias alias_name -file your_request.csr -keypass keystore_password -keystore your.keystore -storepass your_password

      For example:

      keytool -certreq -v -alias IDMkey -file IDMcertrequest.csr -keypass IDMkeypass -keystore IDMkey.keystore -storepass IDMpass

      When you run the command, the Keytool utility populates the .csr file with the appropriate data for requesting a certificate.

  7. (Conditional) To create a signed certificate, submit the .csr file to a valid Certificate Authority.

  8. Copy the keystore file to the tomcat/conf directory for each application server instance where you have deployed Identity Reporting and SSPR.
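The following shell script is an added example, not part of the NetIQ documentation, that runs steps 2 through 6 above non-interactively. Instead of answering the keytool prompts by hand (where a misspelled field only surfaces later as a rejected request at the signing authority), the distinguished name is built once in a variable and passed with -dname, and the resulting .csr is checked with keytool -printcertreq before it is submitted. The paths, alias, passwords and organization values are assumptions chosen to match the examples on this page; the JRE path defaults to /opt/netiq/idm/jre/bin as in step 2.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): keystore and CSR creation
# with the distinguished name supplied up front instead of at the prompts.
# All path, alias, password and organization values are assumptions.
set -eu

JRE_BIN="${JRE_BIN:-/opt/netiq/idm/jre/bin}"               # JRE shipped with Identity Manager
CONF_DIR="${CONF_DIR:-/opt/netiq/idm/apps/tomcat/conf}"    # Tomcat conf directory

# Build the X.500 distinguished name keytool would otherwise prompt for.
# The CN must be the fully qualified host name of the application server.
keystore_dname() {
  # $1 = FQDN, $2 = org unit, $3 = org, $4 = city, $5 = state, $6 = country
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Create the keystore with an RSA key pair valid for 3650 days: the same
# options as the documented command, plus -dname so no prompts appear.
create_keystore() {
  # $1 = alias, $2 = keystore file, $3 = keystore password, $4 = key password, $5 = dname
  keytool -genkeypair -alias "$1" -keyalg RSA -validity 3650 \
    -keystore "$2" -storepass "$3" -keypass "$4" -dname "$5"
}

# Write the certificate signing request for the alias to the given .csr file.
create_csr() {
  # $1 = alias, $2 = csr file, $3 = keystore file, $4 = keystore password, $5 = key password
  keytool -certreq -v -alias "$1" -file "$2" -keystore "$3" -storepass "$4" -keypass "$5"
}

# Check before submitting to the CA: does the request carry the CN we intended?
# Prints the Subject line of the request; returns non-zero on a mismatch.
csr_subject_matches() {
  # $1 = csr file, $2 = expected FQDN
  subject=$(keytool -printcertreq -file "$1" | grep -i '^Subject:' | head -n 1)
  echo "$subject"
  case "$subject" in
    *"CN=$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Full flow in the given directory (steps 2 to 6 of the procedure). Returns 0 on success.
run_keystore_flow() {
  # $1 = conf directory, $2 = FQDN, $3 = alias, $4 = keystore password, $5 = key password
  (
    PATH="$JRE_BIN:$PATH"; export PATH
    cd "$1"
    # Organization values below are constructed sample data.
    dn=$(keystore_dname "$2" "Identity" "Example Corp" "Provo" "Utah" "US")
    create_keystore "$3" "$3.keystore" "$4" "$5" "$dn"
    create_csr "$3" "$3.csr" "$3.keystore" "$4" "$5"
    csr_subject_matches "$3.csr" "$2"
  )
}

# Usage with the page's example values:
# run_keystore_flow "$CONF_DIR" MyTomcatServer.NetIQ.com IDMkey IDMpass IDMkeypass
```

The keystore and key passwords are passed on the command line here only to mirror the documented command; on a shared host, prefer keytool's prompts or its `:env` and `:file` password sources so the values do not land in the shell history.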