How do I generate keystores and certificates for command central

The keytool command that comes with Java 7 can be used to create a complete PKI setup. Note that it is best practice not to use the -storepass or -keypass command-line switches; if you do use them, make sure to protect any scripts that contain them, especially those that involve the cceroot key. This setup generates 2048 bit RSA keys with a 20 year CA expiration and a 2 year server cert expiration. These can be changed by modifying the command-line parameters to keytool.

Create root signing CA

  • Generate a root CA key.  This certificate will be used to sign all other certificates.  Only do this step once.

keytool -genkeypair -keystore cceroot.jks -alias cceroot -dname "cn=cceroot,o=sag" -keyalg RSA -keysize 2048 -ext bc:c -storepass manage -keypass manage -validity 7300

  • Export the CA certificate to a file for client/browser usage. For Java clients, import this file into cacerts or a local truststore. For browsers, import it as a CA cert and trust it for server SSL.

keytool -exportcert -keystore cceroot.jks -storepass manage -alias cceroot -file cceroot.cer
 

Create certificates for HTTPS

Repeat this step for each server that needs to support connections via HTTPS.

  • Generate a keypair for the server.  This cert will initially be self-signed.

keytool -genkeypair -keystore spmnode.jks -alias spmnode -dname "cn=spmnode,o=sag" -keyalg RSA -keysize 2048 -storepass manage -keypass manage -validity 720

Alternate method using wildcards: 

keytool -genkeypair -keystore spmnode.jks -alias spmnode -dname "cn=*.acme.com,o=sag" -keyalg RSA -keysize 2048 -storepass manage -keypass manage -validity 720

  • Create a certificate signing request (CSR). This file will be the input to the CA signing process.

keytool -certreq -keystore spmnode.jks -alias spmnode -dname "cn=spmnode,o=sag" -storepass manage -keypass manage -file spmnode.p10

  • Now sign the CSR. Change the DNS name to the actual fully qualified host name. You may also want to set a longer validity period (720 = 2 years).

keytool -gencert -alias cceroot -ext san=dns:spmnode.acme.com -keystore cceroot.jks -storepass manage -keypass manage -infile spmnode.p10 -outfile spmnode.cer -validity 720

  • If using wildcards, don't specify a SAN extension:

keytool -gencert -alias cceroot -keystore cceroot.jks -storepass manage -keypass manage -infile spmnode.p10 -outfile spmnode.cer -validity 720

The next two steps update the server keystore with the CA-signed response. A better method is given further below, but it requires extra steps.

  • Import the root CA into the SPM server keystore.

keytool -importcert -keystore spmnode.jks -alias cceroot -storepass manage -keypass manage -file cceroot.cer -noprompt

  • Import the signed cert into the SPM server keystore.

keytool -importcert -keystore spmnode.jks -alias spmnode -storepass manage -keypass manage -file spmnode.cer -noprompt

Alternately, you can combine the server certificate and the CA certificate into a single file and import that. This is a better approach, but not quite as straightforward.

  • Export the server cert and the CA cert in text (PEM) format using -rfc:

keytool -exportcert -keystore spmnode.jks -alias spmnode -rfc -storepass manage

-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIEbTszNjANBgkqhkiG9w0BAQsFADAgMQwwCgYDVQQKEwNzYWcxEDAOBgNVBAMTB2
-----END CERTIFICATE-----

keytool -exportcert -keystore cceroot.jks -alias cceroot -rfc -storepass manage

-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIE...
-----END CERTIFICATE-----

Copy these two outputs, in order and including the -----BEGIN/-----END lines, into a new file called certandroot.p7c. The server cert must come first in this file, followed by the root cert.

  • Import the certificate into the server keystore:

keytool -importcert -keystore spmnode.jks -alias spmnode -storepass manage -keypass manage -file certandroot.p7c
After these steps you should have the following files:

File         Purpose
cceroot.jks  CA root key
spmnode.jks  Server key for SPM HTTPS node
cceroot.cer  CA certificate suitable for import into a truststore or browser CA list
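The whole procedure above, scripted end to end with a post-build check, as an added example that is not part of the original page: it runs the non-wildcard path (CSR signed with a SAN) in a scratch directory, then confirms with keytool -list -v that the server entry holds a two-certificate chain issued by cceroot with the expected DNS SAN. It assumes keytool is on PATH, uses the page's sample password "manage", and treats spmnode.acme.com as a placeholder host name.

```shell
#!/bin/sh
# Added example: runs the page's keytool workflow end to end in a scratch
# directory, then verifies the result before it is deployed.
# Assumes keytool is on PATH; "manage" is the page's sample password and
# spmnode.acme.com is a placeholder host name.
set -e
PASS="${CCE_PASS:-manage}"

# Build the CA (once) and a CA-signed server keystore in $1 for host $2.
build_cce_pki() (
  dir="$1"; host="$2"
  mkdir -p "$dir" && cd "$dir"
  if [ ! -f cceroot.jks ]; then
    keytool -genkeypair -keystore cceroot.jks -alias cceroot -dname "cn=cceroot,o=sag" \
      -keyalg RSA -keysize 2048 -ext bc:c -storepass "$PASS" -keypass "$PASS" -validity 7300
    keytool -exportcert -keystore cceroot.jks -storepass "$PASS" -alias cceroot -file cceroot.cer
  fi
  keytool -genkeypair -keystore spmnode.jks -alias spmnode -dname "cn=$host,o=sag" \
    -keyalg RSA -keysize 2048 -storepass "$PASS" -keypass "$PASS" -validity 720
  keytool -certreq -keystore spmnode.jks -alias spmnode \
    -storepass "$PASS" -keypass "$PASS" -file spmnode.p10
  keytool -gencert -alias cceroot -ext "san=dns:$host" -keystore cceroot.jks \
    -storepass "$PASS" -keypass "$PASS" -infile spmnode.p10 -outfile spmnode.cer -validity 720
  # The CA must be trusted in the server keystore before the signed reply can be chained.
  keytool -importcert -keystore spmnode.jks -alias cceroot -storepass "$PASS" \
    -file cceroot.cer -noprompt
  keytool -importcert -keystore spmnode.jks -alias spmnode -storepass "$PASS" \
    -keypass "$PASS" -file spmnode.cer -noprompt
)

# Verify the server entry in $1/spmnode.jks: 2-cert chain, issued by cceroot,
# SAN equal to $2. Returns 0 when all three hold, 1 (with a reason) otherwise.
verify_server_keystore() {
  out=$(keytool -list -v -keystore "$1/spmnode.jks" -storepass "$PASS" -alias spmnode)
  printf '%s\n' "$out" | grep -qF 'Certificate chain length: 2' || { echo "chain incomplete"; return 1; }
  printf '%s\n' "$out" | grep -qF 'Issuer: CN=cceroot, O=sag' || { echo "not signed by cceroot"; return 1; }
  printf '%s\n' "$out" | grep -qF "DNSName: $2" || { echo "SAN $2 missing"; return 1; }
  echo "ok: $1/spmnode.jks holds a cceroot-signed chain with SAN $2"
}

# Usage: sh this_script.sh <dir> <fqdn>
if [ "$#" -ge 2 ]; then
  build_cce_pki "$1" "$2"
  verify_server_keystore "$1" "$2"
fi
```

Running the check against a host name other than the one signed into the SAN reports "SAN ... missing", which is the mismatch a browser would later reject.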