Generate a key pair and a self-signed SSL certificate using Java's command-line tool keytool

• Open the command line console and navigate to the directory where keytool.exe is located; for a standard installation it is
• C:\EASA\EASAx.x\jre\bin
• Type the following command
• keytool -genkey -keyalg RSA -alias tomcat -keystore easastore.jks -storepass 123123 -validity 360 -keysize 2048

Blue text indicates values that may be customized

• -keyalg is the encryption algorithm to be used, choose from
• (RSA, DSA, EC, DES, DESede)
• -alias is the name of the self-signed certificate
• -keystore is the name of the keystore file which will be created with the self-signed certificate
• (.jks extension required)
• -storepass is the password for the keystore file (and by default for the certificate)
• -validity is the number of days before the certificate will expire
• -keysize is the key size in bits, depending on the type of encryption that is used
• (2048 for RSA, 1024 for DSA, 256 for EC, 56 for DES and 168 for DESede)

Fill in the prompts for your organization information. When it asks for your first and last name, enter the domain name of the server; in our case we will use the name of the machine where EASA Server is installed.

Now we export the newly created certificate from easastore.jks so that we can import it into the cacerts file later.

To export the certificate run

keytool -export -alias tomcat -file tomcat.crt -keystore easastore.jks

tomcat is the alias we set before in the previous command
tomcat.crt is the name of the certificate file. It can be .cer or .crt
easastore.jks is the keystore we created before in the previous command

It will ask for the password and will export the certificate to a file.

• Copy the file
• <EASAROOT>\jre\lib\security\cacerts
• to the same location as the keystore and the certificate, in this case
• C:\EASA\EASAx.x\jre\bin

Run the following command to import the certificate into the Tomcat keystore file (cacerts):

keytool -import -trustcacerts -alias tomcat -file tomcat.crt -keystore cacerts

tomcat is the alias we set before in the previous command
tomcat.crt is the name of the certificate file. It can be .cer or .crt
cacerts is the EASA tomcat keystore

It will ask for the cacerts keystore password; the default is changeit
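
To confirm the import before moving on, the following PowerShell script (an added example, not part of the original EASA instructions) exports the tomcat entry back out of cacerts, compares it with tomcat.crt, and checks the subject, expiry and key size. It assumes it is run from the directory used above, that the bundled JRE is Java 7 or later (for -storepass:env), and that the certificate name was set to the machine name; the variable name CACERTS_PASS is arbitrary.

```powershell
# Added example: check the result of the keytool steps above.
# Assumptions: run from the directory holding keytool.exe, tomcat.crt and the
# copied cacerts; the bundled JRE is Java 7+ (needed for -storepass:env).
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

function Get-Sha256($Cert) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

# Read the cacerts password without echo and keep it off the command line.
$secure = Read-Host -Prompt 'cacerts password' -AsSecureString
$env:CACERTS_PASS = (New-Object System.Net.NetworkCredential('', $secure)).Password
$tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
try {
    # Export what is actually stored under alias "tomcat" in cacerts.
    & .\keytool.exe -exportcert -alias tomcat -keystore cacerts `
        '-storepass:env' CACERTS_PASS -file $tmp | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'keytool could not export alias tomcat from cacerts' }
    $trusted  = New-Object $X509 -ArgumentList $tmp
    $exported = New-Object $X509 -ArgumentList (Resolve-Path .\tomcat.crt).Path
}
finally {
    Remove-Item Env:\CACERTS_PASS -ErrorAction SilentlyContinue
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

# KeySize is read through the RSA key object; the page's command uses RSA.
$checks = [ordered]@{
    'cacerts entry matches tomcat.crt' = (Get-Sha256 $exported) -eq (Get-Sha256 $trusted)
    'self-signed (subject = issuer)'   = $exported.Subject -eq $exported.Issuer
    'CN is this machine name'          = $exported.GetNameInfo('SimpleName', $false) -eq $env:COMPUTERNAME
    'not expired'                      = $exported.NotAfter -gt (Get-Date)
    'RSA key is at least 2048 bits'    = $exported.PublicKey.Key.KeySize -ge 2048
}
foreach ($name in $checks.Keys) {
    '{0,-34} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'FAIL' })
}
"SHA-256: $(Get-Sha256 $exported)"
"Expires: $($exported.NotAfter.ToString('u'))"
```

A FAIL on the first line means the alias in cacerts holds a different certificate from the one exported from easastore.jks, so clients trusting cacerts will not trust the server key.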

Once we have easastore.jks with our key pair and cacerts contains our self-signed certificate, skip to Enable TLS using a Certificate Authority and Keystore Explorer