Certificates Quick Guide: Part 1 - Creating a new DLP Tomcat Certificate

Article ID: 435419


Products

Data Loss Prevention, Data Loss Prevention API Detection, Data Loss Prevention API Detection for Developer Apps Virtual Appliance, Data Loss Prevention Cloud Detection Service, Data Loss Prevention Cloud Detection Service for API Detection, Data Loss Prevention Cloud Detection Service for Endpoint, Data Loss Prevention Cloud Detection Service for ICAP, Data Loss Prevention Cloud Detection Service for REST, Data Loss Prevention Cloud Package, Data Loss Prevention Cloud Prevent for Microsoft Office 365, Data Loss Prevention Cloud Service for Discovery/Connector, Data Loss Prevention Cloud Service for Email, Data Loss Prevention Cloud Storage, Data Loss Prevention Core API Detection, Data Loss Prevention Core Package, Data Loss Prevention Data Access Governance, Data Loss Prevention Discover Suite, Data Loss Prevention Endpoint Discover, Data Loss Prevention Endpoint Prevent, Data Loss Prevention Enforce, Data Loss Prevention Enterprise Suite, Data Loss Prevention for Mobile, Data Loss Prevention Form Recognition, Data Loss Prevention Network Discover, Data Loss Prevention Network Monitor, Data Loss Prevention Network Monitor and Prevent for Email, Data Loss Prevention Network Monitor and Prevent for Email and Web, Data Loss Prevention Network Monitor and Prevent for Web, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Network Prevent for Email Virtual Appliance, Data Loss Prevention Network Prevent for Web Virtual Appliance, Data Loss Prevention Network Protect, Data Loss Prevention Oracle Standard Edition 2, Data Loss Prevention Plus Suite, Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

The admin wants to create a new Tomcat certificate for the DLP Enforce UI keystore.

Environment

DLP 16.1

DLP 25.1

Windows Servers

Resolution

Creating Certificates

- Create a new folder on your desktop; in this guide it is labelled “Certificates”.

- Place Certificates.bat into this folder; this is the directory we will work in from the command line.

- From this directory, right-click the file and select “Open”.

- If you have not set the JAVA_HOME environment variable, you will be prompted to enter your JAVA_HOME directory.

- Next you will be prompted for the "Target Keystore". It is recommended that you simply press Enter to use the default value, which looks for a ".keystore" file in the same directory you are running Certificates.bat from (if it does not exist, it is created when the certificate is generated). This is our "working" keystore: all work should be done in this keystore, and once it has been prepared you can simply swap it in for the production keystore without ever directly modifying the production keystore.

- At the top of the menu you will see the values being used for your "JAVA_HOME" directory and for your "Target Keystore"; confirm this information is correct.

- The "Target Keystore" should show a path to the .keystore file in the same location you are running the script from. Note that although this is the target keystore, it does not actually exist yet.

- The next step is to enter #4 to "Generate a new Certificate".

- This will walk you through each step of creating the certificate. Each entry has a default value; simply press Enter to use the default value shown. In most cases the default values are appropriate.

- Next you will be prompted for your DNAME information. Please note that the syntax must match the example provided.

**CN= should be the FQDN of the server; you can find this by running the following in a command prompt as a logged-in domain user:

echo %COMPUTERNAME%.%USERDNSDOMAIN%

- If you need assistance, contact your Administrator.

**Note: after each entry there is a comma followed by a space; if you forget the spaces it will not work correctly.
**Note: CN is the only required field; the other fields can be added or removed as required.

     CN (Common Name): This should be the FQDN of the server
     OU (Organizational Unit): Can be anything
     O (Organization): Can be anything
     L (Location): This should be the City
     ST (State): This should be the State
     C (Country): This should be the Country

- Next you will be prompted for your SAN information.

**Note: after each entry there is a comma, but this time without a space. Again, this must be formatted correctly or it will fail.
**Note: Your server MUST be listed here in order to be shown as trusted; if the server name used in the URL does not appear in the SAN information, the certificate will not be trusted.

     SAN= is used only once, at the start of the string.
     DNS: represents a server name or FQDN. Every name by which you may access the URL must be represented in the SAN or it will NOT be trusted.
     IP: is used only if you access the server by IP address.

EXAMPLE: SAN=DNS:Enforce,DNS:Enforce.DLPDI,DNS:Enforce.DLPDI.TEST,IP:192.168.2.100

If you did not include “DNS:Enforce”, accessing the server as “Enforce” would not be trusted.

- Finally you will be prompted to enter the keystore password.

**Please note that this can be changed at any time if required. The default is "protect".

Once you press Enter, you will be prompted for the “separate” password for the certificate; with DLP it must be the SAME as the keystore password.

At this point your "Self-Signed" certificate has been created, and the warning shown above can be ignored.

Manual Command: "<full path to keytool.exe>" -genkey -alias <cert alias> -keyalg <key algorithm> -keysize <key size> -validity <cert duration> -sigalg <signature algorithm> -dname "<full dname string>" -ext "<full SAN extensions>" -keystore <full path to keystore> -storepass <keystore pass>

- To create a CSR, simply return to the menu and enter #5 to "Generate a CSR".

**Note: the script saves your certificate data while the session is open, so you will not need to re-enter any of the information you already provided.

**If you need to change it, use option 98, “Clear Global Variables”, on the Main Menu.

**Note: at the bottom of the output, the script shows the full filename and path of the CSR it created.

Manual Command: "<full path to keytool.exe>" -certreq -alias <cert alias> -keyalg <key algorithm> -keysize <key size> -validity <cert duration> -sigalg <signature algorithm> -dname "<full dname string>" -ext "<full SAN extensions>" -file <CSR output file> -keystore <full path to keystore> -storepass <keystore pass>
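A pre-flight check for the DNAME and SAN strings entered at the prompts above, which then fills in the two manual keytool commands; this is an added example, not part of the article or of Certificates.bat. The alias "tomcat", the keytool path, the CSR filename and the OU/O/L/ST/C values are assumptions; the CN and SAN follow the article's example.

```python
import ipaddress
import re

# Constructed sample values; the alias "tomcat" used below is an assumption.
SAMPLE_DNAME = "CN=Enforce.DLPDI.TEST, OU=DLP, O=Example Corp, L=Mountain View, ST=California, C=US"
SAMPLE_SAN = "SAN=DNS:Enforce,DNS:Enforce.DLPDI,DNS:Enforce.DLPDI.TEST,IP:192.168.2.100"

def check_dname(dname):
    """Problems with a -dname string: KEY=value entries separated by a comma
    followed by a space, and CN (the server FQDN) is the only required field."""
    problems = []
    if re.search(r",(?! )", dname):
        problems.append("DNAME entries must be separated by ', ' (comma then space)")
    parts = [p.strip() for p in dname.split(",")]
    if any("=" not in p for p in parts):
        problems.append("every DNAME entry must be KEY=value")
    if "CN" not in [p.split("=", 1)[0] for p in parts]:
        problems.append("CN= is required")
    return problems

def check_san(san):
    """Problems with a -ext SAN string: starts with 'SAN=', then DNS:name or
    IP:address entries separated by a comma with no space."""
    if not san.startswith("SAN="):
        return ["SAN string must start with 'SAN='"]
    return [f"bad SAN entry {e!r}: DNS:name or IP:address, no spaces"
            for e in san[4:].split(",")
            if not re.fullmatch(r"DNS:[A-Za-z0-9.-]+|IP:[0-9A-Fa-f.:]+", e)]

def san_covers(san, host):
    """True when the host part of the URL you browse to (name or IP) is in the
    SAN; a browser will not trust the certificate for a name that is missing."""
    entries = san[4:].split(",") if san.startswith("SAN=") else []
    names = {e[4:].lower() for e in entries if e.startswith("DNS:")}
    ips = {e[3:] for e in entries if e.startswith("IP:")}
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:
        return host.lower() in names

def keytool_commands(keytool, dname, san, keystore=".keystore", storepass="protect",
                     alias="tomcat", csr_file="tomcat.csr"):
    """The article's two manual commands filled in. -keypass is set equal to
    -storepass because DLP requires matching passwords; -file is where the CSR goes."""
    common = (f'-alias {alias} -sigalg SHA256withRSA -dname "{dname}" -ext "{san}" '
              f'-keystore "{keystore}" -storepass {storepass}')
    genkey = f'"{keytool}" -genkey -keyalg RSA -keysize 2048 -validity 730 -keypass {storepass} {common}'
    certreq = f'"{keytool}" -certreq -file "{csr_file}" {common}'
    return genkey, certreq
```

Run check_dname, check_san and san_covers (with every hostname and IP users will type into the browser) before generating the keystore; a SAN that fails san_covers is the usual reason a freshly imported certificate still shows as untrusted.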

- You can now send this CSR to your CA; they will sign it and send back a certificate for you to import.

Continue to "Certificates Quick Guide: Part 2 - Importing a new DLP Tomcat Certificate"


Additional Information

Return to the Certificates Quick Start Guide