and the algorithm must be consistent with the key being verified. The default algorithm will be based on the type of key held by the alias. −file outputFile Store the CSR in the given file. The format of the CSR is defined in PKCS10. The default is to write the CSR to System.out . Heres how to generate the CSR: piccolo keytool −certreq −alias sdo −file sdoCSR.cer Enter keystore password: Enter key password for sdo: If you used the same password for the keystore and the key itself, you are only prompted once for the password. Once you have the CSR in a file, you must send it to the CA of your choice. Different CAs have different procedures for doing this, but all of them will send you back a certificate they have signed that verifies the public key you have sent to them. For simple testing, the quickest way to proceed is to register for a personal certificate at http:www.thawte.com. Once youve received email from Thawte and continued with the registration process, you will arrive at https:www.thawte.comcgipersonalcertenroll.exe; make sure to follow the section entitled Developers of New Security Applications ONLY. Dont be dissuaded by the statements that you should only follow that link if you know what youre doing; thats the section on their web site that allows you to paste in a CSR. However, if you do this you must generate the initial keypair with a special value in the CN field; Thawte will tell you what that value is when you follow the links to request the certificate. No matter which CA you use, youll eventually be sent back the certificate, which will be in RFC 1421 format.

10.2.4 Importing a Certificate

When the response from the CA comes, we must save it to a file from which we can import it. In order to import the certificate, we must already have the root certificate in our list of trusted certificate authorities, or we must be prepared to accept the root certificate that keytool presents to us. To import the certificate, use this command: −import Import a certificate into the database. This command either creates a new certificate entry or imports a certificate for an existing key entry. This command supports the following global options: −alias alias −keypass keypass −keystore keystore −storepass storepass −storetype storetype −v It also supports these options: −file inputFile The file containing the certificate that is being imported. The certificate must be in RFC 1421 format. The default is to read the data from System.in . The certificate file sent by a CA will contain a certificate chain. The first certificate in the chain will be for the alias itself and will be issued by the certificate authority; the next certificate in the chain will be for the certificate authority and will be self−signed a root certificate or issued by another certificate authority, and so on until a self−signed certificate is present. While the encoding of the chain is defined by RFC 1421, the format of the chain itself is often referred to as a Netscape certificate chain or a PKCS 7 certificate chain. Keytool can read either format; if your CA gives you a choice of formats, pick either one. −noprompt Do not prompt the user about whether or not the certificate should be accepted. When this option is present, the certificate is always installed. Otherwise, if the root certificate in the chain is not from a trusted certificate authority, the user will be prompted whether or not to install the certificate chain. When you import a certificate from an unrecognized CA, the information contained in that certificate is printed out; this information includes the fingerprint of the certificate and the distinguished names of the issuer and the principal. Well−known certificate authorities will publish their fingerprints on the Web, in trade papers, and elsewhere. It is very important for you to verify the displayed fingerprint with the published fingerprint in order to verify that the certificate does indeed belong to the principal named in the certificate. −trustcacerts Use the cacerts file to obtain trusted certificates from certificate authorities that have signed the certificate that is being imported. Without this option, no CAs are considered trusted, and the user will always be asked whether or not to accept the certificate unless, of course, the noprompt option is in effect. If we saved the response from the CA in the file sdo.cer, heres how wed import it into our keystore: piccolo keytool −import −file sdo.cer −alias sdo −trustcacerts Enter keystore password: Certificate reply was installed in keystore Assuming that the certificate is valid, this imports the new certificate into the keystore. The certificate is invalid if the public key for sdo does not match the previously defined public key in the database or if the certificate signature is invalid which would be the case if data in the certificate had been modified in transit. As a result of this command, the state of the sdo entry has significantly changed: When we created the key entry, the sdo entry had a single certificate; that certificate was issued by sdo . • After the import command, the sdo entry has two or more certificates in its certificate chain: the first certificate is issued by the certificate authority and has a principal of sdo ; the last certificate is the CAs self−signed certificate. There may be intermediate certificates in this chain. •

10.2.5 Creating a Certificate Entry

Certificate entries in a keystore are always created by importing an existing certificate. The certificate may be the root certificate of a known CA or the internal CA for your enterprise, or it may be a certificate that