DevTest Solutions - 10.3

Use Your Own Self-Signed Certificate

Last update September 26, 2016

This example uses the keytool utility, which is in the Java Runtime Environment (JRE).

To create your own self-signed certificate:

  1. Work with your security administrator to create a self-signed certificate.

  2. Copy the certificate file to LISA_HOME and update local.properties:

    lisa.net.keyStore={{LISA_HOME}}keystore.ks
    lisa.net.keyStore.password=MyNewSecretPassword

  3. The first time DevTest reads the plain text password, it converts the password to an encrypted property:

    lisa.net.keyStore.password_enc=33aa310aa4e18c114dacf86a33cee898

    The server side of the connection configuration is complete.

  4. Configure the client.
    Because this certificate is self-signed, you must explicitly tell the clients to trust it. Typically, when you connect to an SSL service (for example, using a browser to https://www.MyBank.com), a trusted Certification Authority has certified the server certificate. Because no trusted third party certifies a self-signed certificate, you must add the certificate itself to a trust store:

    lisa.net.trustStore={{LISA_HOME}}trustStore.ts
    lisa.net.trustStore.password=MyNewSecretPassword

    The same keytool utility manipulates trust stores. In general, a keystore holds the server's private key together with its one certificate, and a trust store holds one or more certificates and no private keys.

  5. Export the certificate from the server keystore:

    keytool -exportcert -rfc -alias serverA -keystore keystore.ks -file serverA.cer

    The -rfc option exports the certificate in the printable PEM (Base64) encoding instead of binary DER, which makes it easier to copy and paste. In our example, the resulting serverA.cer file looks like the following example:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

  6. Add this certificate to the client trust store.
    Because you are creating a new trust store file, you enter the password twice. If you later add further certificates to this client trust store, you enter the password once. Before you answer yes at the "Trust this certificate?" prompt, compare the fingerprints that keytool displays with those of the certificate in the server keystore (keytool -list -v -keystore keystore.ks); a mismatch means the file you are importing is not the certificate you exported.

    prompt> keytool -importcert -file serverA.cer -keystore trustStore.ts
    Enter keystore password:
    Re-enter new password:
    Owner: CN=serverA, OU=dev, O=itko, L=Dallas, ST=Texas, C=US
    Issuer: CN=serverA, OU=dev, O=itko, L=Dallas, ST=Texas, C=US
    Serial number: 4e155338
    Valid from: Thu Jul 07 16:33:28 EST 2011 until: Wed Oct 05 17:33:28 EST 2011
    Certificate fingerprints:
         MD5:  5B:10:F6:C8:02:3E:36:F5:AA:6D:FC:10:EF:F5:7F:54
         SHA1: 09:DA:8E:71:7C:D5:BB:44:89:14:13:07:F4:A1:C7:06:35:CD:BE:B1
         Signature algorithm name: SHA1withRSA
         Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

    Now you have a cryptographically strong way of talking to your DevTest servers in the public cloud. You must have the certificate on both sides for two DevTest components to talk to each other.

  7. If your client talks to more than one remote SSL server, run the same keytool command for each server certificate to import it into the trust store. Give each import a distinct -alias; without one, keytool stores every certificate under the default alias mykey and refuses the second import because that alias already exists.

    Note: In addition to the transport-level security (the SSL), you can still enable fine-grained Access Control Lists (ACL). Access Control Lists let you require users to authenticate by user name and password. This type of security is similar to a banking website that uses HTTPS but still requires you to identify yourself.
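As an added example (not from the DevTest documentation), the following POSIX shell script runs steps 1, 5 and 6 with keytool in a scratch directory and refuses the import unless the exported file's fingerprint matches the certificate in the server keystore. The alias, DN and file names follow the page's output; the passwords and the WORK directory are placeholders, and the fingerprint_of helper is an assumption for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the DevTest documentation. Automates steps 1, 5 and 6
# and checks that the client trust store ends up holding exactly the certificate
# the server keystore signs with. Passwords and paths are demo placeholders.
set -eu

WORK=${WORK:-$(mktemp -d)}
KS="$WORK/keystore.ks"      # server side: private key + self-signed certificate
TS="$WORK/trustStore.ts"    # client side: trusted certificates only
PASS=${KEYSTORE_PASS:-MyNewSecretPassword}   # placeholder, as on the page

# Step 1: create the self-signed key pair (the page delegates this to the security admin).
make_server_keystore() {
  keytool -genkeypair -alias serverA -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=serverA, OU=dev, O=itko, L=Dallas, ST=Texas, C=US" \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Step 5: export the certificate as PEM text (-rfc), exactly as on the page.
export_server_cert() {
  keytool -exportcert -rfc -alias serverA -keystore "$KS" -storepass "$PASS" \
    -file "$WORK/serverA.cer" >/dev/null 2>&1
}

# SHA-256 fingerprint of one alias, taken from "keytool -list -v" output.
fingerprint_of() {   # $1 = keystore file, $2 = alias
  keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Step 6: import only after verifying the file carries the expected fingerprint,
# the manual check a person does at the "Trust this certificate?" prompt.
import_into_truststore() {
  expected=$(fingerprint_of "$KS" serverA)
  actual=$(keytool -printcert -file "$WORK/serverA.cer" \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1)
  [ -n "$expected" ] && [ "$expected" = "$actual" ] \
    || { echo "fingerprint mismatch, refusing to trust serverA.cer" >&2; return 1; }
  keytool -importcert -noprompt -alias serverA -file "$WORK/serverA.cer" \
    -keystore "$TS" -storepass "$PASS" >/dev/null 2>&1
}
```

Run the three functions in order; afterwards `fingerprint_of "$TS" serverA` prints the same value as `fingerprint_of "$KS" serverA`, which is the property the client relies on.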