Generating CSRs
To obtain a signed certificate from the Certificate Authority (CA) for BMC Atrium Single Sign-On, you must generate a certificate signing request (CSR).
To generate a CSR in Microsoft Windows
- On the command line, change your working directory to <installationDirectory>\BMC Software\AtriumSSO\tomcat\conf.
- Modify the environment to use the Java Development Kit (JDK) that is installed with BMC Atrium Single Sign-On:
  set PATH=<installationDirectory>\jdk\bin;%PATH%
- Run the following keytool command:
  keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE
To generate a CSR in UNIX
- On the command line, change your working directory to <installationDirectory>/BMC Software/AtriumSSO/tomcat/conf.
- Modify the environment to use the JDK installed with BMC Atrium Single Sign-On:
  PATH=<installationDirectory>/jdk/bin:$PATH; export PATH
- Run the following keytool command:
  keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE
Note
For both Windows and UNIX, the supplied default password for the BMC Atrium Single Sign-On Tomcat server is internal4bmc. You will need to provide another password if the keystore is replaced with a locally generated file.
Example of a CSR
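The keytool command generates the CSR and saves it in the certreq.csr file. The certreq.csr file is an example file; its content is Base64-encoded text enclosed between -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.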
You must send the keytool command output to a CA for a digital signature.
Note
The Common Name (CN) of the certificate cannot be modified, because the CN must match the host name of the server. If the names do not match, the browser issues a warning that the server is trying to impersonate another site.
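A pre-submission check for the CN requirement in the note above, as an added example that is not part of the original page or of BMC's tooling: it parses the PEM text of certreq.csr with the Python standard library and reports a Common Name that differs from the server host name, or an RSA key below a minimum size. The function names and the 2048-bit minimum are assumptions of this example, and the request's signature is not verified.

```python
import base64, re

CN_OID = bytes.fromhex("550403")  # DER content bytes of OID 2.5.4.3 (commonName)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split a constructed element's value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_csr(pem_text):
    """Return (common_name, rsa_modulus_bits) from a PEM PKCS#10 request."""
    m = re.search(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate request found")
    der = base64.b64decode("".join(m.group(2).split()))
    _, request, _ = _tlv(der, 0)                      # CertificationRequest
    info = _children(_children(request)[0][1])        # version, subject, SPKI, attributes
    subject, spki = info[1][1], info[2][1]
    cn = None
    for _, rdn in _children(subject):                 # each RDN is a SET of SEQUENCEs
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            if oid == CN_OID:
                cn = val.decode("utf-8", "replace")   # assumes an ASCII/UTF-8 string type
    bitstring = _children(spki)[1][1]                 # BIT STRING; first byte = unused bits
    _, rsa_key, _ = _tlv(bitstring, 1)                # RSAPublicKey SEQUENCE (RSA assumed)
    return cn, int.from_bytes(_children(rsa_key)[0][1], "big").bit_length()

def check_csr(pem_text, expected_host, min_bits=2048):  # min_bits is this example's assumption
    """List problems to fix before the request is sent to the CA."""
    cn, bits = inspect_csr(pem_text)
    problems = []
    if cn is None or cn.lower() != expected_host.lower():
        problems.append(f"CN {cn!r} does not match host name {expected_host!r}")
    if bits < min_bits:
        problems.append(f"RSA modulus is {bits} bits, below {min_bits}")
    return problems
```

Call `check_csr(open("certreq.csr").read(), "<server host name>")`; an empty list means both checks passed.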
Importing the signed certificate
After a CSR is signed by a CA, follow the instructions for Importing a certificate into cacerts.p12. Before you import the signed certificate, import the signing root CA and any intermediate signing certificates into the truststore. For information about importing intermediate certificates, see Getting intermediate CA certificates.
Comments
If you use the -file option, you can output to a file rather than copy-pasting from a command prompt screen.
Has anyone had any success with using the command?
Hi Anil,
I have verified the command and it had to be modified to add the -storepass parameter for Windows. Now it works well.
Also, this command saves the CSR to a file and does not display it on the screen.
Thanks!
- Abhay