![]() So, how does all this play into accomplishing your goal of renewing your certificate? Your certificate gets validated by your private key, which only you have, and by the CA's public key, which only works if it matches up with the private key that signed the certificate. ![]() The CA generated your certificate using your public key and their private key, which is how some random web browser can use this to know that they are on your web site and that it's safe to send data. It all got encoded into a well-known format and sent off to the CA. You created a file that contained your web site's information (foo.com), along with a bunch of other stuff - including your public key. Keytool -certreq -alias myalias -keystore keystore -file myrequest.csr When you generated your certificate request, This is important because the key pair is how you will demonstrate to the Certificate Authority (CA) that your next request is a renewal, is really from you, and is for the same certificate. In this case, the new keystore contained a key pair using the RSA algorithm and with 2048 bits of entropy (a fancy way of saying how strong the key is, or how long it might take to break relative to other keys). You described this as "creating your keystore," which is accurate, but it did something much more important also: it generated your private / public key pair. Keytool -keystore keystore -alias myalias -genkey -keyalg RSA -keysize 2048 When you began the process of obtaining your certificate, you first issued the command, While there are lots of details that we could examine, all we really need here is a high-level overview, but each piece is important to understand what you should do and why. Here's Jetty's doc for this which I used during the original keystore creation:ĭigital certificates as used for SSL/TLS have multiple components. ![]() So if I have to use it for a renewal, not sure if I got myself into trouble here. I didn't keep a copy of the original keystore file, I modified it via the steps listed above. But do I start completely from scratch? Or was I supposed to keep around the original keystore file in step one, and proceed from there? With the renewal, I know I have to send GoDaddy another CSR. Now I give the keystore file to my Jetty instance and all works fine. I then ran this step, which seems to be importing a portion of the GoDaddy cert into my keystore file, but not exactly sure how that works: keytool -import -trustcacerts -alias myalias -keystore keystore -file gd_bundle.crtįinal step, similar to the above, pulling part of the domain cert into the keystore file: keytool -keystore keystore -import -alias myalias -file -trustcacerts I sent the myrequest.csr file to GoDaddy. Then I generated the certificate signing request (CSR): keytool -certreq -alias myalias -keystore keystore -file myrequest.csr This is the process I went through to generate the original keystore file, which gets to my final point of confusion:įirst I generated my keystore file: keytool -keystore keystore -alias myalias -genkey -keyalg RSA -keysize 2048 I ended up with a single "keystore" file, which I give to my webserver (Jetty). I've got an SSL certificate from GoDaddy, and it's time to renew.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |