How to install a StartCom certificate using Java keytool in Windows
This will step through the process of installing a certificate from StartCom in a Windows OS using the Java keytool. The keytool steps are the same for any CA that issues from a CSR; note that StartCom itself has since been distrusted by the major browser vendors, so a StartCom certificate will no longer be accepted by current browsers.

NOTE: Obviously you will be replacing all instances of 'yourdomain' in my examples with the domain you wish to certify, as well as all instances of '.com' with your domain's TLD (if it differs).

The default password for the keystore is: changeit

Keytool asks for a password for the keystore and then again for the private key. Tomcat assumes the key password is the same as the keystore password (its keyPass attribute defaults to keystorePass), so use one password for both. The steps below stick with "changeit" to avoid confusion, but a keystore that holds a real server key should get a non-default password, and the file should be readable only by the account the web server runs as.

I will assume you have created a directory called 'ssl' on your C drive: "C:\ssl\"
1) We need to fetch and install the two StartCom CA certificates: the root CA and the Class 1 server intermediate. Navigate to the following two StartCom pages and, when prompted, save the certificates in your C:\ssl\ directory as ca.crt and sub.class1.server.ca.crt (the file names used in step 4).

2) Open up a command window: Start -> Run, type "cmd" and click OK.

3) When the command window appears, type "keytool" and press Enter. If you see a list of the commands keytool offers then you may continue to the next step. If you receive a "'keytool' is not recognized as an internal or external command" message then navigate to your Java bin directory in the command window, e.g. type "cd C:\Program Files\Java\jre1.6.0_07\bin" (this may be different on your setup).

4) We will now install the StartCom certificates you downloaded by typing:

keytool -import -trustcacerts -alias startcom.ca -file c:/ssl/ca.crt
keytool -import -trustcacerts -alias startcom.ca.sub -file c:/ssl/sub.class1.server.ca.crt

(remember the password is: changeit). Because no -keystore is given, keytool creates the keystore at its default location, the ".keystore" file in your user profile; see the note at the end of this post. Both CA certificates must be in the keystore before step 13, otherwise keytool cannot chain the issued certificate to them.

5) We will now generate a key pair using the StartCom requirements (RSA, 2048 bits). Type in the following:

keytool -genkey -alias www.yourdomain.com -keyalg RSA -keysize 2048 -dname "cn=www.yourdomain.com, o=yourdomain"

The alias is only a label for the entry in the keystore; it must not contain "http://", and you must use exactly the same alias in steps 6 and 13. (Newer keytool versions call this command -genkeypair; -genkey still works.)

6) Now generate a Certificate Signing Request (CSR):

keytool -certreq -alias www.yourdomain.com -file c:/ssl/yourdomain.csr

7) Go to the file C:\ssl\yourdomain.csr, open it with Notepad and copy the contents to your clipboard.

8) Go to the StartCom Certificates Wizard tab and select your Certificate Target from the dropdown box; select "Web Server SSL" if that is what you are intending to certify. Note: if you don't see the option you want then you may not yet have validated your domain. If so, click on the Validation Wizard and complete that first.

9) SKIP the next screen that prompts you to generate a private key, since we have already made our own one. (Never let a CA generate your private key; the key should exist only on your server.)

10) PASTE the text we copied from step 7 into the textbox on the "Submit Certificate Request (CSR)" page, then click the "Continue" button and wait patiently.

11) You should now have a page with your new certificate; copy the text that is presented to you in the text box on the page.

12) Create a new text file in your C:\ssl\ directory (e.g. "New Text Document.txt"), paste the certificate from step 11 into that file and save it. Rename that text file to "ssl.crt".

13) Open your command window and type the following:

keytool -import -trustcacerts -alias www.yourdomain.com -file c:/ssl/ssl.crt

Because the alias matches the key pair from step 5, keytool treats the file as a certificate reply and attaches it to your private key, chaining it through the CA certificates imported in step 4. If you get "Failed to establish chain from reply", the CA certificates are missing from this keystore; repeat step 4 and try again. You can confirm the result with "keytool -list -v -alias www.yourdomain.com", which should show a PrivateKeyEntry with a certificate chain length of 3.
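The whole procedure as one PowerShell script, added here as an example; it is not part of the original post. It differs from the interactive commands above in that it passes -keystore and -storepass explicitly, so the keystore ends up at a known path (assumed C:\ssl\yourdomain.jks) rather than in whichever user profile keytool happens to run under, and it checks the certificate chain at the end. The alias, paths, file names and password handling are assumptions; keytool must be on PATH and the CA certificates must already be saved in C:\ssl.

```powershell
# Added example (not from the original post): the keytool procedure as a
# repeatable script with the keystore path and password made explicit, so the
# keystore keytool writes is the one Tomcat reads. Paths, alias and domain are
# assumptions; replace them with your own.
$SslDir   = 'C:\ssl'
$Keystore = Join-Path $SslDir 'yourdomain.jks'   # assumed; keytool's default is %USERPROFILE%\.keystore
$Alias    = 'www.yourdomain.com'                 # no "http://" in the alias
$DName    = 'cn=www.yourdomain.com, o=yourdomain'

# Do not leave the default "changeit" on a keystore that holds a server key.
$StorePass = Read-Host -AsSecureString 'Keystore password (not "changeit")'
$Plain = (New-Object System.Net.NetworkCredential('', $StorePass)).Password

function Invoke-Keytool {
    # Runs keytool with the given argument list and fails the script on a non-zero exit code.
    param([string[]]$KeytoolArgs)
    & keytool @KeytoolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed (exit code $LASTEXITCODE)" }
}

# 1) Trust the CA's root and intermediate (downloaded beforehand to $SslDir).
Invoke-Keytool @('-importcert', '-trustcacerts', '-noprompt',
    '-alias', 'startcom.ca', '-file', "$SslDir\ca.crt",
    '-keystore', $Keystore, '-storepass', $Plain)
Invoke-Keytool @('-importcert', '-trustcacerts', '-noprompt',
    '-alias', 'startcom.ca.sub', '-file', "$SslDir\sub.class1.server.ca.crt",
    '-keystore', $Keystore, '-storepass', $Plain)

# 2) Generate the server key pair. Key password = store password, which is what
#    Tomcat assumes unless keyPass is configured separately.
Invoke-Keytool @('-genkeypair', '-alias', $Alias, '-keyalg', 'RSA', '-keysize', '2048',
    '-dname', $DName, '-keystore', $Keystore, '-storepass', $Plain, '-keypass', $Plain)

# 3) Write the CSR to submit to the CA, then wait for the issued certificate.
Invoke-Keytool @('-certreq', '-alias', $Alias, '-file', "$SslDir\yourdomain.csr",
    '-keystore', $Keystore, '-storepass', $Plain)
Write-Host "Submit $SslDir\yourdomain.csr to the CA, save the reply as $SslDir\ssl.crt, then press Enter."
Read-Host | Out-Null

# 4) Import the CA reply under the SAME alias as the key pair, so keytool treats
#    it as a certificate reply and chains it to the CA certificates imported above.
Invoke-Keytool @('-importcert', '-trustcacerts', '-alias', $Alias, '-file', "$SslDir\ssl.crt",
    '-keystore', $Keystore, '-storepass', $Plain)

# 5) Check: the entry must be a PrivateKeyEntry whose chain reaches the root
#    (server cert + intermediate + root = 3). A length of 1 means the chain
#    was not established and the server would serve a bare leaf certificate.
$listing = & keytool -list -v -alias $Alias -keystore $Keystore -storepass $Plain
$match = $listing | Select-String 'Certificate chain length: (\d+)' | Select-Object -First 1
$chainLength = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { 0 }
if ($chainLength -lt 2) { throw "Chain not established (length $chainLength); import the CA certificates and retry" }
Write-Host "OK: $Alias has a chain of $chainLength certificates in $Keystore"
```

Passing -storepass on the command line means the password is visible in a process listing while keytool runs; for a one-off setup on an administrator's own machine that is usually acceptable, but you can drop -storepass and -keypass and let keytool prompt instead. Whichever way you run it, restrict the permissions on the keystore file to the account Tomcat runs as, and point Tomcat's keystoreFile at that path.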
Congrats, you have now installed the certificate and are ready to rock.

Note: because none of the commands above named a keystore, keytool put all these certificates (and your private key) in its default keystore, a file named ".keystore" in the home directory of the Windows user running keytool, and that file may not be the one your web server / container reads. Tomcat's default keystoreFile is likewise ".keystore" in the home directory of the account Tomcat runs as, which is often a different account (for example a service account) from the one you ran keytool under.

On my machine the keystore file (named ".keystore") ended up in the directory "C:\Documents and Settings\Administrator\"
..and my Tomcat was looking for the file in "C:\Documents and Settings\Default User\"
so to point to the correct file I added the attribute:

keystoreFile="C:/Documents and Settings/Administrator/.keystore"

in my Tomcat's server.xml file, in the <Connector> tag that handles my SSL connections. If you changed the keystore password from "changeit", also set keystorePass on the same tag. The cleaner fix is to pass -keystore with a path under C:\ssl to every keytool command so the file lives in a known location, with file permissions restricted to the Tomcat account, and to point keystoreFile there.
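An HTTPS Connector with the keystore location, password and key alias all made explicit, as an added example rather than the original post's configuration. It uses the Tomcat 6/7-era attribute names the post refers to; the keystore path, password and alias are assumptions, so replace them with your own.

```xml
<!-- Added example, not from the original post: an HTTPS Connector for a
     Tomcat 6/7-era server.xml that names the keystore explicitly instead of
     relying on ${user.home}/.keystore. Path, password and alias are assumptions. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/ssl/yourdomain.jks"
           keystorePass="your-keystore-password"
           keyAlias="www.yourdomain.com" />
```

keyAlias selects the entry to serve when the keystore holds more than one key pair; it must match the alias used with keytool. On Tomcat 8.5 and later the same settings move to a nested <SSLHostConfig><Certificate .../></SSLHostConfig> element as certificateKeystoreFile, certificateKeystorePassword and certificateKeyAlias. The password sits in clear text in server.xml, so restrict that file's permissions to the Tomcat service account as well.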
Stop and start your web server and you should now have a trusted SSL certificate.
Hope this helps.
And a big thanks to StartCom for my free certificate.