Creating new keystores
The following topics provide information and instructions for creating new keystores:
To create a new keystore
- From the command prompt, change your working directory to
- Create a new keystore by using a new password to secure the certificate:
For Microsoft Windows:
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore %CATALINA_HOME%\conf\keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE
For UNIX:
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore $CATALINA_HOME/conf/keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE
Based on your requirements, you can use a keysize value of either 1024 or 2048.
- After the keystore has been created, you must provide six parameters that form a distinguished name for a certificate associated with the key.
- CN—Common Name of the certificate owner (usually the name of the host)
- OU—Organizational Unit of the certificate owner
- O—Organization to which the certificate owner belongs
- L—Locality name of the certificate owner
- ST—State or province of the certificate owner
- C—Country of the certificate owner
- Update the server.xml file with the new password for the keystore.
For details, see the Apache Tomcat documentation at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#SSL.
Locations of keystore and truststores
With the BMC Atrium Single Sign-On default installation, the keystore and truststores are in the following locations:
- Tomcat truststore:
- Java virtual machine (JVM) truststore:
Example of creating a new keystore
C:\apache-tomcat-6.0.20>keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password
Enter keystore password:
What is your first and last name?
  [Unknown]:  sample.bmc.com
What is the name of your organizational unit?
  [Unknown]:  BMC Atrium SSO
What is the name of your organization?
  [Unknown]:  BMC Software, Inc.
What is the name of your City or Locality?
  [Unknown]:  Austin
What is the name of your State or Province?
  [Unknown]:  TX
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US correct?
  [no]:  yes
If you are adding the fully qualified domain name (FQDN) URL for a load balancer or reverse proxy in the server certificate, BMC recommends that you add the name of the cluster nodes in the certificate. You can include these names in the certificate by using the following
SAN parameter in the
In this example, the following definitions apply:
- <node> — FQDN for a node
- [,DNS:<node>] — Indicates whether additional nodes exist in the cluster
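The keystore creation procedure above and the SAN definitions for cluster nodes, as an added example that is not part of the original page or of BMC's tooling: it assembles the six distinguished-name fields into a -dname value (quoting the organization value because it contains a comma, exactly as keytool prints it in the example session), builds the SAN extension from a load balancer FQDN plus each node, and produces the keytool command line. The load balancer and node names are constructed placeholders; the key size and signature algorithm default to 2048-bit RSA and SHA256withRSA instead of the 1024-bit/SHA1withRSA values shown above, because current JDKs flag those as a security risk.

```python
"""Build a keytool command for a Tomcat PKCS12 keystore whose certificate
covers a load balancer FQDN and every cluster node through a SAN extension."""
import shutil
import subprocess


def dn_value(value: str) -> str:
    """Quote an RDN value that contains a comma, e.g. O="BMC Software, Inc."."""
    return f'"{value}"' if "," in value else value


def build_dname(cn: str, ou: str, o: str, l: str, st: str, c: str) -> str:
    """Assemble the six fields keytool prompts for into one -dname string."""
    parts = [("CN", cn), ("OU", ou), ("O", o), ("L", l), ("ST", st), ("C", c)]
    return ", ".join(f"{key}={dn_value(val)}" for key, val in parts)


def build_san(lb_fqdn: str, nodes: list[str]) -> str:
    """SAN extension value: the load balancer FQDN first, then each node."""
    return "SAN=" + ",".join(f"DNS:{name}" for name in [lb_fqdn, *nodes])


def build_keytool_args(keystore: str, password: str, dname: str, san: str,
                       keysize: int = 2048, sigalg: str = "SHA256withRSA") -> list[str]:
    """argv for keytool; -genkeypair is the current name of the -genkey command."""
    return ["keytool", "-genkeypair", "-alias", "tomcat", "-keyalg", "RSA",
            "-keysize", str(keysize), "-sigalg", sigalg, "-validity", "999",
            "-storetype", "pkcs12", "-keystore", keystore,
            "-storepass", password, "-keypass", password,
            "-dname", dname, "-ext", san]


def main() -> None:
    # DN values come from the example session above; host names are constructed.
    dname = build_dname("sample.bmc.com", "BMC Atrium SSO", "BMC Software, Inc.",
                        "Austin", "TX", "US")
    san = build_san("sso.example.com", ["node1.example.com", "node2.example.com"])
    args = build_keytool_args("keystore.p12", "keystore_password", dname, san)
    if shutil.which("keytool"):
        subprocess.run(args, check=True)  # creates keystore.p12 in the working directory
    else:
        print(" ".join(args))  # no JDK on PATH: show the command instead


if __name__ == "__main__":
    main()
```

Run it from the Tomcat conf directory so keystore.p12 lands where server.xml expects it; the password is still passed on the command line as in the page's own commands, so prefer an interactive prompt on shared hosts.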