Using the CS 5430 Certificate Authority

0. Create a key pair:

   $ keytool -v -genkeypair -alias <alias> -keystore <keystore> -keyalg RSA -keysize 2048 -validity 90 -sigalg SHA256withRSA

   You might wish to change some of the options passed to keytool as appropriate for your system.

1. Generate a Certificate Signing Request (CSR):

   $ keytool -certreq -alias <alias> -keystore <keystore> -file <alias>.csr

   where <alias> is the name you gave your key when you created it in the keystore named <keystore>. <alias>.csr is the file in which the CSR will be created.

2. Email the CSR to Steven Frink.

3. Later (this is a manual process), you will receive a reply with an attachment named <alias>.crt. This is your certificate: your public key signed by the CS 5430 CA's private key. Delete everything above -----BEGIN CERTIFICATE----- in that file; Java's keytool won't be able to parse the file otherwise.

4. Download 5430ca.crt from the course website:

   http://www.cs.cornell.edu/courses/CS5430/2015sp/5430ca.crt

   This is the public key of the CS 5430 CA. The fingerprint of that key is:

   MD5:  6C:05:37:E8:85:0A:BF:E7:BE:BE:5D:59:15:3E:DB:5B
   SHA1: 9F:63:DA:7F:9C:F5:B7:71:B5:99:84:EE:C9:5C:89:2C:84:8F:CB:8E

5. Three pieces need to be combined to form a certificate chain: the CA public key, the certificate the CA issued on your public key, and your private key. Your private key is already in your keystore, but the other two pieces of the chain must be installed, too:

   5A. Install the CA public key in your keystore:

       $ keytool -import -trustcacerts -alias root -file 5430ca.crt -keystore <keystore>

   5B. Install the CA's certificate on your key into your keystore:

       $ keytool -import -alias <alias> -file <alias>.crt -keystore <keystore>

6. Create a truststore that contains only the CA's public key:

   $ keytool -import -trustcacerts -alias root -file 5430ca.crt -keystore 5430ts.jks

7. On the server side of your software, use <keystore> as the keystore, where <keystore> is the name you chose in step 1 above. On the client side of your software, use 5430ts.jks as the truststore.
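Steps 3 and 4 each involve a check on a file before keytool touches it: trimming the e-mail reply down to the PEM block, and confirming that the downloaded 5430ca.crt really has the published fingerprints before it is imported as a trust anchor. The following script is an added example, not part of the course material; it recomputes the fingerprints the way keytool -printcert does (a digest over the DER bytes of the certificate) and uses a constructed, non-certificate PEM body as sample input.

```python
"""Clean up a PEM certificate received by e-mail (step 3) and verify a downloaded
CA certificate against published fingerprints (step 4). Added example, not part
of the course material; keytool computes the same digests over the DER bytes."""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Fingerprints of 5430ca.crt as published in the instructions above.
CA_FINGERPRINTS = {
    "sha1": "9F:63:DA:7F:9C:F5:B7:71:B5:99:84:EE:C9:5C:89:2C:84:8F:CB:8E",
    "md5": "6C:05:37:E8:85:0A:BF:E7:BE:BE:5D:59:15:3E:DB:5B",
}

def strip_to_certificate(text: str) -> str:
    """Drop everything above BEGIN (mail headers, greeting) and after END,
    leaving only the PEM block that keytool can parse."""
    start, end = text.find(BEGIN), text.find(END)
    if start < 0 or end < start:
        raise ValueError("no PEM certificate block found")
    return text[start:end + len(END)] + "\n"

def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body between the markers into DER bytes."""
    body = pem.split(BEGIN, 1)[1].split(END, 1)[0]
    return base64.b64decode(re.sub(r"\s+", "", body))

def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of the DER encoding in keytool's colon-separated upper-case form."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_published(der: bytes, published: dict) -> bool:
    """True only if every published fingerprint matches the file's digest."""
    return all(fingerprint(der, alg) == fp for alg, fp in published.items())

def check_ca_file(path: str) -> bool:
    """Verify a downloaded 5430ca.crt before importing it (steps 5A and 6)."""
    with open(path, encoding="ascii") as f:
        der = pem_to_der(strip_to_certificate(f.read()))
    return matches_published(der, CA_FINGERPRINTS)

# Constructed stand-in for the e-mail reply; the body is NOT a real certificate.
FAKE_DER = b"constructed-not-a-real-certificate"
SAMPLE_REPLY = ("From: CS 5430 CA\nSubject: your certificate\n\nAttached:\n"
                + BEGIN + "\n" + base64.b64encode(FAKE_DER).decode() + "\n" + END + "\n")

if __name__ == "__main__":
    print(strip_to_certificate(SAMPLE_REPLY), end="")
    print("matches published CA fingerprints:", matches_published(FAKE_DER, CA_FINGERPRINTS))
```

Run check_ca_file("5430ca.crt") on the real download; a False result means the file is not the CA certificate the course published and must not be imported.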