Filter
Top Products
13-8
Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring SSL Service
The keytool -certreq command parameter generates a certificate-signing request (CSR). This command
generates the CRS in the industry standard PKCS#10 format.
Example 13-3 Keytool -certreq
The following example uses a keystore with a preexisting self-signed certificate under alias train-1 to
generate a certificate-signing request and output the request into the
train-1.csr file.
dpe# ./keytool -keystore train-1.keystore -alias train-1 -certreq -file train-1.csr
Enter keystore password: changeme
The next step is to submit the CSR file to your signing authority. Your signing authority or your
administrator, who is in possession of the private key for the signing authority, will generate a signed
certificate based on this request. From the administrator, you must also obtain the public certificate of
the signing authority.
Verifying the Signed Certificate
After you have received the signed certificate, use the keytool -printcert command to verify if the
self-signed certificate is in the correct file format and uses the correct owner and issuer fields. The
command reads the certificate from the -file cert_file parameter, and prints its contents in a
human-readable format.
Example 13-4 Keytool -printcert
The train-1.crt file in this example identifies the signed certificate that the administrator provides.
dpe# ./keytool -printcert -file train-1.crt
Owner: CN=train-1.bac.test, OU=BAC Training, O="Acme Device, Inc.", ST=MA, C=US
Issuer: EMAILADDRESS=linksys-certadmin@cisco.com, CN=Acme Device Provisioning Root
Authority 1, OU=Acme Device Certificate Authority, O="Acme Device, Inc.", L=Irvine,
ST=California, C=US
Serial number: 1
Valid from: Tue Nov 08 12:40:28 EST 2005 until: Thu Nov 08 12:40:28 EST 2007
Certificate fingerprints:
MD5: 25:8E:98:C5:5C:23:5C:A0:4D:51:CF:2A:AA:2A:FC:42
SHA1: 05:C1:2D:C6:94:78:D1:40:88:6A:55:67:43:27:68:D3:AC:43:C6:A5
Note The keytool can print X.509 v1, v2, and v3 certificates, and PKCS#7-formatted certificate chains
comprising certificates of that type. The data to be printed must be provided in binary-encoding format,
or in printable-encoding format (also known as Base64 encoding) as defined by the RFC 1421.
Importing Signing Authority Certificate into Cacerts Keystore
Before importing the certificate into the server certificate keystore, you must import the public certificate
of the signing authority into the cacerts keystore; because when a certificate is being imported into the
keystore, the keytool checks if a chain of trust can be established between the certificate and its signing
authority. If a chain of trust cannot be established, an error message appears.