Universal Messaging 10.11 | Administration Guide

How to Generate Certificates for Use
Generating Demo / Development Certificates
To generate a demo SSL certificate, you can use the Java keytool utility or the Universal Messaging Certificate Generator utility.
Note:
The Certificate Generator utility is deprecated in Universal Messaging v10.2 and will be removed in a future version of the product.
The third-party Java keytool utility can be used to create and handle certificates. Keytool stores all keys and certificates in a keystore.
The Universal Messaging Certificate Generator utility can be used to generate a self-signed server certificate, a self-signed client certificate, and a trust store that holds the public halves of both.
You can run the Certificate Generator from the Start Menu on Windows by selecting the server/<realm name>/Create Demo SSL Certificates.
Alternatively, you can open a server command prompt and run the utility as required for your platform:
*Windows systems:
CertificateGenerator.exe
*UNIX-based systems:
./CertificateGenerator
*OS X:
./CertificateGenerator.command
This will generate three files:
*client.jks : Self-signed client certificate and key, for use when client certificate authentication is enabled on the interface.
*server.jks : Self-signed server certificate with CN=localhost. Please note: because clients check the host in the RNAME against the certificate's CN (the same hostname check HTTPS performs), you can only connect to an interface using this store by specifying a localhost RNAME.
*nirvanacacerts.jks: Keystore that contains the public certificate part of the two key pairs above. Use it as the trust store on both servers and clients.
It is also possible to customize some elements of these certificate stores, such as the password, the host bound to the server's CN attribute and the key size. This can be done by passing the following optional command line arguments to the Certificate Generator:
*Windows systems:
CertificateGenerator.exe <password> <host> <key size>
*UNIX-based systems:
./CertificateGenerator <password> <host> <key size>
*OS X:
./CertificateGenerator.command <password> <host> <key size>
Generating Production Certificates
To obtain a real SSL certificate, you must first generate a CSR (Certificate Signing Request). A CSR is a block of text that contains information specific to your company and domain name together with your server's public key, signed with the corresponding private key. The private key itself stays in your keystore and is never sent to the certificate supplier.
The Java keytool utility can be used to create and handle certificates. Keytool stores all keys and certificates in a keystore. For a detailed description of keytool please see its documentation.
Step 1: Create a keystore
Use keytool to create a keystore containing a private/public key pair. The example below uses a keystore file called keystore and the store password password; replace the password with one of your own. The pair is stored under keytool's default alias, mykey, unless you pass -alias; if you set an alias, use the same one in steps 2 and 4. Older JDKs default to 1024-bit RSA keys, so the key size is given explicitly:
keytool -genkey -keyalg "RSA" -keysize 2048 -keystore keystore -storepass password -validity 360
You will be prompted for information about your organization. When keytool asks "What is your first and last name?", it is asking for the certificate's CN: specify the hostname that Universal Messaging will be running on and that clients will use in the RNAME (e.g. www.yoursite.com). Current TLS clients validate the Subject Alternative Name extension rather than the CN, so it is advisable to also pass -ext SAN=dns:www.yoursite.com to this command and again to the -certreq command in step 2, so that the name is carried in the request.
Step 2: Create a certificate request
Use keytool to create a certificate request for the key pair from step 1 (same keystore, and the same alias if you set one):
keytool -certreq -keyalg "RSA" -file your.host.com.csr -keystore keystore
This writes the certificate request to your.host.com.csr in text (PEM) format. The request itself will look something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtTCCAR4CAQAwdTELMAkGA1UEBhMCVVMxDzANBgNVBAgTBmxvbmRvbjEPMA0GA1UEBxMGbG9u
ZG9uMRQwEgYDVQQKEwtteS1jaGFubmVsczEMMAoGA1UECxMDYml6MSAwHgYDVQQDExdub2RlMjQ5
Lm15LWNoYW5uZWxzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAycg0MJ7PXkQM9sLj
1vWa8+7Ce0FDU4tpcMXlL647dwok3uUGXuaz72DmFtb8OjxrMBDK9fXG9hqfDvxWGyU0DEgbn+Bg
O3XqmUbyI6eMzGdf0vTyBFSeQIU9Ahq1T7C6zlryJ9n6XZTW79E5UcbSGjoNApBOgVOCPKBs7/CR
hZECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAB7TkFzQr+KvsZCV/pP5IT0c9tM58vMXkds2J7TY
Op3AueMVixRo14ruLq1obbTudhc385pPgHLzO7QHEKI9gJnM5pR9yLL72zpVKPQ9XOImShvO05Tw
0os69BjZeW8LTV60v4w3md47IeGE9typGGxBWscVbXzB4sgVlv0JtE7b
-----END NEW CERTIFICATE REQUEST-----
Step 3: Submit your certificate request to a certificate supplier
Certificate vendors will typically ask you to paste the certificate request into a web order form. Please include the BEGIN and END lines when you paste it. The vendor uses the public key and names in the request to issue your certificate; the private key is never sent to, or generated by, the vendor, and stays in the keystore you created in step 1.
Please note that the reply should be requested in PKCS #7 format so that it can be imported back into the keystore with keytool (step 4). keytool also accepts a single X.509 certificate, but a PKCS #7 reply additionally carries the intermediate and root certificates that keytool uses to build the certificate chain.
The certificate vendor will then provide you with a certificate that will look something like this.
Please paste this certificate into a file called your.host.com.cer, including the BEGIN and END lines:

-----BEGIN PKCS #7 SIGNED DATA-----
MIIFpAYJKoZIhvcNAQcCoIIFlTCCBZECAQExADALBgkqhkiG9w0BBwGgggV5MIIC
2DCCAkGgAwIBAgICErYwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAlpBMSIw
IAYDVQQIExlGT1IgVEVTVElORyBQVVJQT1NFUyBPTkxZMR0wGwYDVQQKExRUaGF3
dGUgQ2VydGlmaWNhdGlvbjEXMBUGA1UECxMOVEVTVCBURVNUIFRFU1QxHDAaBgNV
BAMTE1RoYXd0ZSBUZXN0IENBIFJvb3QwHhcNMDQwOTA2MTYwOTIwWhcNMDQwOTI3
MTYwOTIwWjB1MQswCQYDVQQGEwJVUzEPMA0GA1UECBMGbG9uZG9uMQ8wDQYDVQQH
EwZsb25kb24xFDASBgNVBAoTC215LWNoYW5uZWxzMQwwCgYDVQQLEwNiaXoxIDAe
BgNVBAMTF25vZGUyNDkubXktY2hhbm5lbHMuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDJyDQwns9eRAz2wuPW9Zrz7sJ7QUNTi2lwxeUvrjt3CiTe5QZe
5rPvYOYW1vw6PGswEMr19cb2Gp8O/FYbJTQMSBuf4GA7deqZRvIjp4zMZ1/S9PIE
VJ5AhT0CGrVPsLrOWvIn2fpdlNbv0TlRxtIaOg0CkE6BU4I8oGzv8JGFkQIDAQAB
o2QwYjAMBgNVHRMBAf8EAjAAMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly93d3cu
dGhhd3RlLmNvbS90ZXN0Y2VydC5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMA0GCSqGSIb3DQEBBAUAA4GBAHGPR6jxU/h1U4yZGt1BQoydQSaWW48e
r7slod/2ff66LwC4d/fymiOTZpWvbiYFH1ZG98XjAvoF/V9iNpF5ALfIkeyJjNj4
ZryYjxGnbBa77GFiS4wvUk1sngnoKpaxkQh24t3QwQJ8BRHWnwR3JraNMwDWHM1H
GaUbDBI7WyWqMIICmTCCAgKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhzELMAkG
A1UEBhMCWkExIjAgBgNVBAgTGUZPUiBURVNUSU5HIFBVUlBPU0VTIE9OTFkxHTAb
BgNVBAoTFFRoYXd0ZSBDZXJ0aWZpY2F0aW9uMRcwFQYDVQQLEw5URVNUIFRFU1Qg
VEVTVDEcMBoGA1UEAxMTVGhhd3RlIFRlc3QgQ0EgUm9vdDAeFw05NjA4MDEwMDAw
MDBaFw0yMDEyMzEyMTU5NTlaMIGHMQswCQYDVQQGEwJaQTEiMCAGA1UECBMZRk9S
IFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMUVGhhd3RlIENlcnRpZmlj
YXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRwwGgYDVQQDExNUaGF3dGUg
VGVzdCBDQSBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1fZBvjrOs
fwzoZvrSlEH81TFhoRPebBZhLZDDE19mYuJ+ougb86EXieZ487dSxXKruBFJPSYt
tHoCin5qkc5kBSz+/tZ4knXyRFBO3CmONEKCPfdu9D06y4yXmjHApfgGJfpA/kS+
QbbiilNz7q2HLArK3umk74zHKqUyThnkjwIDAQABoxMwETAPBgNVHRMBAf8EBTAD
AQH/MA0GCSqGSIb3DQEBBAUAA4GBAIKM4+wZA/TvLItldL/hGf7exH8/ywvMupg+
yAVM4h8uf+d8phgBi7coVx71/lCBOlFmx66NyKlZK5mObgvd2dlnsAP+nnStyhVH
FIpKy3nsDO4JqrIgEhCsdpikSpbtdo18jUubV6z1kQ71CrRQtbi/WtdqxQEEtgZC
JO2lPoIWMQA=
-----END PKCS #7 SIGNED DATA-----
Step 4: Store the certificate in your keystore
Use keytool to import the vendor's certificate into the same keystore and alias that hold the key pair from step 1 (the default alias mykey if you did not set one). Because that alias already contains a private key, keytool treats the file as a certificate reply for that key rather than as a separate trusted certificate:
keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file your.host.com.cer
The -trustcacerts option lets keytool complete the chain using the root certificates in the JDK's cacerts file. If the issuing CA is found neither there nor in your keystore (as is the case for a vendor's test CA), the import fails with "Failed to establish chain from reply"; in that case import the CA's root certificate into the keystore as a trusted entry first, then repeat the import of the reply.
Once step 4 is completed, you have a Universal Messaging server keystore and can add an SSL interface (see Creating an SSL-Enabled Interface).
Note that if you completed steps 1 to 4 with a test certificate, you also need a store for the CA root certificate, because Universal Messaging will not start the interface until it can validate the issuer of the server certificate. Certificate vendors typically issue test certificates from test root CAs that are not recognized by browsers or by the JDK's cacerts, so add that root certificate to a separate keystore and use it as your trust store. When specifying certificates for a Universal Messaging SSL interface, this store is entered as the Trust Store Path on the Certificates tab.
If you are using anonymous SSL (clients do not present a certificate), you must also provide this trust store to clients, as they cannot validate the Universal Messaging server certificate without the root. Please see the Security section of the Concepts guide for more information on configuring Universal Messaging clients to use certificates.
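Before importing a vendor's reply (step 4) and deciding which root to place in the trust store, it is worth checking independently of keytool that the CA really certified your key and that the reply's chain ends in a self-signed root. The following Python script is an added example, not code from this guide or from Universal Messaging. It embeds the CSR and the PKCS #7 reply shown above as constructed input (the CSR's base64 as repaired), walks their DER with a minimal hand-written parser, confirms that the end-entity certificate carries the same SubjectPublicKeyInfo as the CSR, and follows issuer-to-subject links up to the root whose certificate you would import as a trusted entry. The function and helper names (parse_csr, parse_pkcs7_certs, verify_reply and so on) are this script's own.

```python
import base64

# Constructed input: the keytool CSR from this page (base64 repaired) and the test CA's PKCS #7 reply.
CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtTCCAR4CAQAwdTELMAkGA1UEBhMCVVMxDzANBgNVBAgTBmxvbmRvbjEPMA0GA1UEBxMGbG9u
ZG9uMRQwEgYDVQQKEwtteS1jaGFubmVsczEMMAoGA1UECxMDYml6MSAwHgYDVQQDExdub2RlMjQ5
Lm15LWNoYW5uZWxzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAycg0MJ7PXkQM9sLj
1vWa8+7Ce0FDU4tpcMXlL647dwok3uUGXuaz72DmFtb8OjxrMBDK9fXG9hqfDvxWGyU0DEgbn+Bg
O3XqmUbyI6eMzGdf0vTyBFSeQIU9Ahq1T7C6zlryJ9n6XZTW79E5UcbSGjoNApBOgVOCPKBs7/CR
hZECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAB7TkFzQr+KvsZCV/pP5IT0c9tM58vMXkds2J7TY
Op3AueMVixRo14ruLq1obbTudhc385pPgHLzO7QHEKI9gJnM5pR9yLL72zpVKPQ9XOImShvO05Tw
0os69BjZeW8LTV60v4w3md47IeGE9typGGxBWscVbXzB4sgVlv0JtE7b
-----END NEW CERTIFICATE REQUEST-----"""

REPLY_PEM = """-----BEGIN PKCS #7 SIGNED DATA-----
MIIFpAYJKoZIhvcNAQcCoIIFlTCCBZECAQExADALBgkqhkiG9w0BBwGgggV5MIIC
2DCCAkGgAwIBAgICErYwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAlpBMSIw
IAYDVQQIExlGT1IgVEVTVElORyBQVVJQT1NFUyBPTkxZMR0wGwYDVQQKExRUaGF3
dGUgQ2VydGlmaWNhdGlvbjEXMBUGA1UECxMOVEVTVCBURVNUIFRFU1QxHDAaBgNV
BAMTE1RoYXd0ZSBUZXN0IENBIFJvb3QwHhcNMDQwOTA2MTYwOTIwWhcNMDQwOTI3
MTYwOTIwWjB1MQswCQYDVQQGEwJVUzEPMA0GA1UECBMGbG9uZG9uMQ8wDQYDVQQH
EwZsb25kb24xFDASBgNVBAoTC215LWNoYW5uZWxzMQwwCgYDVQQLEwNiaXoxIDAe
BgNVBAMTF25vZGUyNDkubXktY2hhbm5lbHMuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDJyDQwns9eRAz2wuPW9Zrz7sJ7QUNTi2lwxeUvrjt3CiTe5QZe
5rPvYOYW1vw6PGswEMr19cb2Gp8O/FYbJTQMSBuf4GA7deqZRvIjp4zMZ1/S9PIE
VJ5AhT0CGrVPsLrOWvIn2fpdlNbv0TlRxtIaOg0CkE6BU4I8oGzv8JGFkQIDAQAB
o2QwYjAMBgNVHRMBAf8EAjAAMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly93d3cu
dGhhd3RlLmNvbS90ZXN0Y2VydC5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMA0GCSqGSIb3DQEBBAUAA4GBAHGPR6jxU/h1U4yZGt1BQoydQSaWW48e
r7slod/2ff66LwC4d/fymiOTZpWvbiYFH1ZG98XjAvoF/V9iNpF5ALfIkeyJjNj4
ZryYjxGnbBa77GFiS4wvUk1sngnoKpaxkQh24t3QwQJ8BRHWnwR3JraNMwDWHM1H
GaUbDBI7WyWqMIICmTCCAgKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhzELMAkG
A1UEBhMCWkExIjAgBgNVBAgTGUZPUiBURVNUSU5HIFBVUlBPU0VTIE9OTFkxHTAb
BgNVBAoTFFRoYXd0ZSBDZXJ0aWZpY2F0aW9uMRcwFQYDVQQLEw5URVNUIFRFU1Qg
VEVTVDEcMBoGA1UEAxMTVGhhd3RlIFRlc3QgQ0EgUm9vdDAeFw05NjA4MDEwMDAw
MDBaFw0yMDEyMzEyMTU5NTlaMIGHMQswCQYDVQQGEwJaQTEiMCAGA1UECBMZRk9S
IFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMUVGhhd3RlIENlcnRpZmlj
YXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRwwGgYDVQQDExNUaGF3dGUg
VGVzdCBDQSBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1fZBvjrOs
fwzoZvrSlEH81TFhoRPebBZhLZDDE19mYuJ+ougb86EXieZ487dSxXKruBFJPSYt
tHoCin5qkc5kBSz+/tZ4knXyRFBO3CmONEKCPfdu9D06y4yXmjHApfgGJfpA/kS+
QbbiilNz7q2HLArK3umk74zHKqUyThnkjwIDAQABoxMwETAPBgNVHRMBAf8EBTAD
AQH/MA0GCSqGSIb3DQEBBAUAA4GBAIKM4+wZA/TvLItldL/hGf7exH8/ywvMupg+
yAVM4h8uf+d8phgBi7coVx71/lCBOlFmx66NyKlZK5mObgvd2dlnsAP+nnStyhVH
FIpKy3nsDO4JqrIgEhCsdpikSpbtdo18jUubV6z1kQ71CrRQtbi/WtdqxQEEtgZC
JO2lPoIWMQA=
-----END PKCS #7 SIGNED DATA-----"""

def pem_to_der(pem):  # drop the -----BEGIN/END----- armour and base64-decode the body
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))

def tlvs(buf, start, end):  # yield (tag, tlv_start, val_start, val_end) for each DER element in buf[start:end]
    pos = start
    while pos < end:
        tag, length, val = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: the low 7 bits say how many length octets follow
            n = length & 0x7F
            length, val = int.from_bytes(buf[val:val + n], "big"), val + n
        yield tag, pos, val, val + length
        pos = val + length

def children(buf, tlv):  # the elements nested inside a constructed element
    return list(tlvs(buf, tlv[2], tlv[3]))

def raw(buf, tlv):  # the whole element, tag and length octets included
    return bytes(buf[tlv[1]:tlv[3]])

def common_name(buf, name):  # CN of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }
    for rdn in children(buf, name):
        for oid, value in (children(buf, atv) for atv in children(buf, rdn)):
            if buf[oid[2]:oid[3]] == b"\x55\x04\x03":  # id-at-commonName
                return buf[value[2]:value[3]].decode()
    return None

def parse_csr(der):  # PKCS#10 CertificationRequestInfo { version, subject, subjectPKInfo, attributes }
    _version, subject, spki, _attrs = children(der, children(der, next(tlvs(der, 0, len(der))))[0])
    return {"cn": common_name(der, subject), "spki": raw(der, spki)}

def parse_cert(der, cert):  # X.509 TBSCertificate { [0] version, serial, sigAlg, issuer, validity, subject, spki, ... }
    fields = children(der, children(der, cert)[0])
    if fields[0][0] == 0xA0:  # the EXPLICIT [0] version is optional
        fields = fields[1:]
    _serial, _alg, issuer, _validity, subject, spki = fields[:6]
    return {"cn": common_name(der, subject), "subject": raw(der, subject), "issuer": raw(der, issuer), "spki": raw(der, spki)}

def parse_pkcs7_certs(der):  # ContentInfo { signedData OID, [0] SignedData { version, digestAlgs, content, [0] certs, ... } }
    _oid, explicit = children(der, next(tlvs(der, 0, len(der))))
    certs = next(f for f in children(der, children(der, explicit)[0]) if f[0] == 0xA0)
    return [parse_cert(der, c) for c in children(der, certs)]

def verify_reply(csr_pem, reply_pem):
    csr, certs = parse_csr(pem_to_der(csr_pem)), parse_pkcs7_certs(pem_to_der(reply_pem))
    by_subject = {c["subject"]: c for c in certs}
    leaf = next((c for c in certs if c["spki"] == csr["spki"]), None)  # the certificate issued for *our* key
    chain, cur = [], leaf
    while cur is not None and cur not in chain:  # follow issuer -> subject links up to a self-signed root
        chain.append(cur)
        cur = None if cur["issuer"] == cur["subject"] else by_subject.get(cur["issuer"])
    return {"csr_cn": csr["cn"], "key_matches_csr": leaf is not None,
            "chain_cns": [c["cn"] for c in chain],  # leaf first, root last
            "chain_complete": bool(chain) and chain[-1]["issuer"] == chain[-1]["subject"]}
```

Calling verify_reply(CSR_PEM, REPLY_PEM) reports whether a certificate in the reply was issued for the CSR's key, lists the chain it was able to follow (here the server certificate and then the Thawte test root), and whether that chain ends in a self-signed root. A reply whose key does not match the CSR, or whose chain stops short of a root, should not be imported; a chain that ends in a test root that is not in the JDK's cacerts is exactly the case in which that root must be imported as a trusted entry and placed in the trust store used for the interface.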