Tips & Tricks for Setting up SSL

Document ID : KB000027103
Last Modified Date : 28/08/2018


Private Key:
The Private Key is a file created from the host address, company name, and location. This is paired with a Public Key.

Certificate Request File:
The CSR File is generated from a Private Key. It is an encoded text file based on the same information used to create the Private Key: host address, company name, location. This file is sent to a Certificate Authority to generate a CA-signed Public Key.

Public Key:
The Public Key is paired with a Private Key. The Private Key in an SSL setup is stored on the server, and the Public Key is sent to the client. The Public Key is also known as the certificate.

Keystore File:
Java uses another container file called the Keystore File. This can be named anything and located anywhere. In CA PPM System Administration (CSA) you enter this file location under the Security tab of Server Properties. It is protected by a password, which you also enter in CSA. The most important point here is that the keystore contains your private key. You cannot extract your private key from this file. You can only create a private key by placing it in a keystore file. A keystore file can contain multiple private/public key pairs. They are differentiated by an alias. If you do not specify an alias, the default alias 'mykey' is used. We have not tried using a keystore with multiple key pairs with Orion.

Keytool Command:
This is the cryptic JDK command line that you use to do everything mentioned above.




  1. Use keytool -genkey to create a new private key based on the hostname etc. You pass in a name for the keystore file; if the keystore file does not already exist, keytool creates a new one. The private key and a dummy public key go in that keystore. Always specify the keystore.
  2. Use keytool -certreq to create a CSR file based on the private key in the keystore file. This CSR is sent to the CA. When using keytool, always specify the keystore.
  3. When you get a CER file back from the CA, use keytool -import to replace the dummy public key (certificate) with the signed public key (certificate). The private key does not change.

So now you have a keystore file with your private key paired with the signed certificate from the CA. You need to point CA PPM System Administration (CSA) to this keystore and specify the keystore password you used. That is all.
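
The three steps above as a scripted walk-through (an added example, not part of the original article). The hostname, distinguished names, file names and password are constructed, and a throwaway local CA driven by keytool -gencert stands in for the real Certificate Authority so the script runs offline.

```shell
#!/bin/sh
# Added walk-through; hostname, DNs, file names and password are constructed.
set -e
PASS='example-store-pass'
KT() { keytool -J-Duser.language=en "$@" </dev/null; }

# Print the length of the certificate chain stored under alias mykey.
chain_len() {
  KT -list -v -alias mykey -keystore "$1" -storepass "$PASS" |
    sed -n 's/^Certificate chain length: //p'
}

# Run steps 1-3 in directory $1; print chain length before and after import.
ssl_keystore_demo() {
  ks="$1/server.keystore"; ca="$1/testca.keystore"
  {
    # Step 1: private key plus self-signed ("dummy") certificate.
    KT -genkey -alias mykey -keyalg RSA -keysize 2048 -validity 365 \
       -dname "CN=ppm.example.com, O=Example Corp, L=Springfield, C=US" \
       -keystore "$ks" -storepass "$PASS" -keypass "$PASS" &&
    # Step 2: CSR derived from that key; this file is what goes to the CA.
    KT -certreq -alias mykey -file "$1/server.csr" \
       -keystore "$ks" -storepass "$PASS" -keypass "$PASS" &&
    # Stand-in for the real CA: a throwaway CA signs the CSR locally.
    KT -genkey -alias testca -keyalg RSA -keysize 2048 -ext bc:c \
       -dname "CN=Constructed Test CA, O=Example Corp, C=US" \
       -keystore "$ca" -storepass "$PASS" -keypass "$PASS" &&
    KT -gencert -alias testca -infile "$1/server.csr" -outfile "$1/server.cer" \
       -rfc -keystore "$ca" -storepass "$PASS" -keypass "$PASS" &&
    KT -exportcert -alias testca -rfc -file "$1/ca.cer" \
       -keystore "$ca" -storepass "$PASS"
  } >&2 || return 1
  before=$(chain_len "$ks")
  {
    # Step 3: trust the CA root, then import the reply over the dummy cert.
    KT -import -noprompt -trustcacerts -alias testca-root -file "$1/ca.cer" \
       -keystore "$ks" -storepass "$PASS" &&
    KT -import -noprompt -alias mykey -file "$1/server.cer" \
       -keystore "$ks" -storepass "$PASS" -keypass "$PASS"
  } >&2 || return 1
  # Chain length 1 (self-signed) becomes 2 (signed cert + CA root): "1 2".
  echo "$before $(chain_len "$ks")"
}

if command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d) && ssl_keystore_demo "$work"; rm -rf "$work"
fi
```

On a real server, leave out -storepass and -keypass so that keytool prompts for the password instead of exposing it in the process list and shell history.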

Additional Information:
Further information on the following communities thread: