Generating a Self-Signed SSL Certificate
The following procedure creates a self-signed SSL certificate (with its private key) and the keystore in which to store them. If a Certificate Authority is involved in your deployment, consult it for any specific instructions.
To create a self-signed SSL certificate and store it in a keystore, do the following:
1. From a command line, enter the following command:

   keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias myKey -keypass password -keystore myKeystore.jks -storepass password -validity 3600 -keysize 2048 -ext san=ip:ipAddress,dns:domainName...

   (-genkey is the older spelling of -genkeypair and is still accepted; -validity is given in days, so 3600 is almost ten years.) Provide the following details to create the keystore that will store the certificate:
   • myKey—An alias for the private key you are creating.
   • myKeystore—A file name for the keystore you are creating.
   • password—A password used for both the private key and the keystore. Enter the same value for both -keypass and -storepass (a PKCS12 keystore, the default type in Java 9 and later, requires them to match). Note that a password typed on the command line is recorded in shell history and visible to other users in the process list; keytool also accepts -storepass:env and -keypass:env followed by the name of an environment variable that holds the password.
   • ip:ipAddress,dns:domainName...—One or more values for the san (subject alternative name) extension, each naming an IP address or a domain name (hostname) that the certificate secures. Modern clients match the server identity against the SAN rather than the common name, so list every identifier by which clients will reach the server, separating the values with commas. (For example, enter both the IP address and the domain name of the instance hosting a Scan Server so that the instance can be reached by whichever identifier a client uses.) Enter each IP address as ip:ipAddress and each domain name as dns:domainName. The following is a sample san parameter:

     -ext san=ip:93.184.222.33,dns:localhost
2. When prompted with “What is your first and last name?”, enter the fully qualified hostname of the server, such as myserver.mycompany.com. This value becomes the certificate's common name (CN); it does not replace the SAN entries, which are what clients check against the hostname they connected to.
3. Copy the keystore to the fnciInstallPath/tomcat directory. (The keystore is referenced from the server.xml file, as described in Enabling an HTTPS Connection.)
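As an added example, not part of the original page or of the product's own documentation, the following POSIX shell script carries the three steps above through non-interactively and then checks the result: it builds the san= value from a list of identifiers, creates the keystore while reading the password from an environment variable instead of the command line, and dumps the certificate with keytool -list -v to confirm that every identifier appears in the SAN. The function names, the keystore name demoKeystore.jks, the password changeit and the sample hostname and IP address are assumptions; -dname "CN=..." is the non-interactive equivalent of answering the "first and last name" prompt in step 2.

```shell
#!/bin/sh
# Added example (not from the original page): create a self-signed certificate
# in a keystore with keytool and verify that its SAN covers every identifier
# clients will use to reach the server.
set -eu

# Build the value for keytool's -ext san=... option from a list of host
# identifiers. An argument made only of digits and dots is treated as an IPv4
# address (ip:...); anything else is a DNS name (dns:...).
build_san() {
    san=""
    for id in "$@"; do
        case "$id" in
            *[!0-9.]*) entry="dns:$id" ;;
            *)         entry="ip:$id" ;;
        esac
        san="${san:+$san,}$entry"
    done
    printf 'san=%s\n' "$san"
}

# Create the keystore. The password comes from the exported KEYSTORE_PASS
# variable via -storepass:env / -keypass:env, so it never appears in shell
# history or the process list. -dname supplies the CN (the server FQDN) that
# step 2 of the procedure otherwise asks for interactively.
# Usage: gen_keystore <keystore> <alias> <fqdn> <identifier>...
gen_keystore() {
    ks=$1; ks_alias=$2; fqdn=$3; shift 3
    keytool -genkeypair \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -alias "$ks_alias" -dname "CN=$fqdn" \
        -keystore "$ks" -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
        -validity 3600 \
        -ext "$(build_san "$@")"
}

# Dump the certificate and check that each expected identifier is present in
# its SubjectAlternativeName. Clients match the SAN, not the CN, so a missing
# hostname here means a failed handshake later.
# Usage: verify_san <keystore> <alias> <identifier>...
verify_san() {
    ks=$1; ks_alias=$2; shift 2
    dump=$(keytool -list -v -keystore "$ks" -storepass:env KEYSTORE_PASS -alias "$ks_alias")
    for id in "$@"; do
        case "$id" in
            *[!0-9.]*) pattern="DNSName: $id" ;;
            *)         pattern="IPAddress: $id" ;;
        esac
        printf '%s\n' "$dump" | grep -qF "$pattern" || {
            echo "missing SAN entry for $id" >&2
            return 1
        }
    done
    echo "SAN covers: $*"
}

# Demonstration, skipped when no JDK is installed. The hostname, IP address
# and password are constructed sample values, not real deployment data.
if command -v keytool >/dev/null 2>&1; then
    KEYSTORE_PASS=changeit; export KEYSTORE_PASS
    rm -f demoKeystore.jks
    gen_keystore demoKeystore.jks myKey myserver.mycompany.com \
        myserver.mycompany.com 93.184.222.33 localhost
    verify_san demoKeystore.jks myKey myserver.mycompany.com 93.184.222.33 localhost
fi
```

After the script has run, the resulting keystore is the file you copy into fnciInstallPath/tomcat in step 3; the verify_san check is worth repeating whenever the server gains a new hostname or address, since a certificate whose SAN does not list the name a client connects to is rejected regardless of what its CN says.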