Creating a self signed certificate

Read this page to learn the procedure to renew or generate self-signed certificates.

About this task

To generate the certificate for a broker you can use the Java keytool command. This tool is provided with the Remote Control application.
Note: These instructions are valid for Remote Control Server version 10.1 FP5 and above.
From the [server_installation]/jre/bin folder, launch the following command where CERTPASS is the password of the certificate. Replace the placeholder values in the dns: and ip: fields within the -ext option to match your network environment.
  • keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:company.local,dns:company.domain.com,ip:192.168.1.50" -keystore /path/to/keystore/key.p12 -storetype PKCS12 -storepass "CERTPASS" -validity 365
Note: The following instructions only apply to Remote Control Server version 10.1.0.0442 and lower.

Procedure

  1. Open a command prompt window.
  2. Go to the Remote Control Server installation directory.
  3. Change to the [installdir]\java\jre\bin subdirectory on a Windows™ system or the [installdir]/java/jre/bin subdirectory on a Linux™ system.
  4. Run ikeyman.sh on a Linux™ system or ikeyman.exe on a Windows™ system.
  5. Select Key Database File > New.
  6. Select the database type. (Use PKCS12 for Broker Certificate. Use PKCS12 or JKS for the Server certificate)
  7. Click Browse, navigate to the location you want to store the keystore, type a file name for your file and click Save.
  8. Click OK.
  9. Enter and confirm a password to protect the keystore and click OK.
  10. Select Create > New Self-Signed Certificate.
  11. Enter a name for the Key Label.
    For example, the hostname of the broker.
    This is the name that will be displayed in the Personal Certificates list in the key management tool GUI.
  12. Select X509 V3 for the Version.
  13. Select a Key Size value.
    Recommended value is 2048.
  14. Select a Signature Algorithm
    This is a cryptographic algorithm for digital signatures and should be left as the default value SHA256WithRSA.
  15. Type a Common Name.
    Set to the DNS host name and domain of your broker.
    For example, trcbroker.example.com.
  16. Type the Subject Alternate Name.
    Most recent browsers use the Subject Alternate Name to validate the certificate in place of (or in addition to) the Common Name. Make sure you provide a matching subject alternate name. For example, server.example.com.
    Note: Java based certificate tools (like ikeyman) do not support Subject Alternate Names with domain names that start with a number. For example, server.8xxx.com. In this case you need to use OpenSSL or another external tool to create the certificate.
  17. Enter any additional optional information as required.
  18. Enter a Validity Period.
    This is the number of days that the certificate will be valid for. Default is 365 days.
  19. Click OK.
    1. Click Extract Certificate.
    2. Use the default Data type Base64-encoded ASCII data.
    3. Enter a file name and location for saving the certificate file to.
    4. Click OK.

Results

The .p12 file is created with the name and selected location chosen.
Note: The key store contains the private key for the certificate and this must be kept secure at all times. It is recommended that the original copy of the keystore is stored in a secure disk, for example an encrypted USB storage device or similar. Keeping a secure backup of the original keystore is also recommended.

For more information on CA signing process, see Creating Certificate Authority signed certificates.