Using Keytool to Generate Self-Signed Certificates and Keys

Whenever possible, use a PKI system and a trusted CA to generate production-ready certificates and keys that encrypt communication among the Unwired Platform components. You can then use keytool to import and export certificates to the platform's keystores and truststores. Otherwise, you can use keytool to generate self-signed certificates and keys.

Review these sample commands to see how to use keytool to import, export, and generate certificates and keys:
  1. If you have the root certificate of the certificate authority (CA) or if you have a self-signed certificate, import the CA certificate into the keystore and truststore.
    For example, if you have a CA certificate in a PKCS#10 file named cust-ca.crt, run this command from the <UnwiredPlatform_InstallDir>\UnwiredPlatform\Servers\UnwiredServer\Repository\Security directory:
    keytool -importcert -alias customerCA -file cust-ca.crt -storepass changeit -keystore truststore.jks -trustcacerts
    The truststore is used when Unwired Platform makes an outbound connection over SSL to another server that presents a server certificate. Unwired Server checks that the server certificate is in the truststore, or is signed by a CA certificate in the truststore.
  2. Generate a key pair in the Unwired Platform keystore.
    The command you use depends on the environment for which you are generating the keystore. For most Unwired Platform deployments, this command may be sufficient:
    keytool -genkeypair -alias supServer -keystore keystore.jks -keyalg RSA -keysize 2048 -validity 365 -keypass mySecret -storepass changeit

    However, if you are generating a key pair to secure the HTTPS communication port between SAP Gateway and Unwired Server for OData push notifications, you might use a command like:
    keytool -genkeypair -alias SAPpush -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -keypass mySecret -keystore keystore.jks
  3. Supply values for each of the resulting prompts.
    The first prompt is the most critical. If you are running multiple Unwired Servers in a cluster, type an asterisk followed by the domain name where the Unwired Servers are running.
    What is your first and last name?
    [Unknown]: *.mydomain.com
    What is the name of your organizational unit?
    [Unknown]: myOU
    What is the name of your organization?
    [Unknown]: mycompany
    What is the name of your City or Locality?
    [Unknown]: place
    What is the name of your State or Province?
    [Unknown]: state
    What is the two-letter country code for this unit?
    [Unknown]: AB
    Is CN=*.mydomain.com, OU=myOU, O=mycompany, L=place, ST=state, C=AB correct?
    [no]: y

    Note: The asterisk before the domain name allows this same certificate to be used by multiple Unwired Servers deployed as members of a common cluster. The CN value must be the domain name of the host on which Unwired Server is installed.
  4. Generate a certificate signing request, send it to the certificate authority, and install the issued certificate in the Unwired Server keystore:
    1. Generate a certificate signing request (CSR). For example:
      keytool -certreq -alias supServer -keystore keystore.jks -storepass changeit -keypass mySecret -file supServer.csr

    2. Send the CSR to the CA for signing.
      For example, with an SAP CA, you might perform steps similar to these:
      1. Launch the URL for your SAP CA.
      2. In the select cmd option, choose Certify the cert req.
      3. Paste the content of the .csr file generated in the previous step.
      4. Copy the content between (and including) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" from the response to a text file named <name of the cert>.cer.
      5. View and verify the status of the certificate.
    3. Use keytool to import the signed certificate (the CA reply) into the keystore.
      Note: The -alias/-keypass values are the same as those used to generate the key pair and CSR. By sharing these values, you pair the signed certificate with the key pair:
      keytool -importcert -alias supServer -file supServer.crt -keypass mySecret -storepass changeit -keystore keystore.jks -trustcacerts
      keytool confirms the pairing with the message:
      Certificate reply was installed in keystore
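The key-pair, CSR and reply-import steps above, scripted as an added example that is not part of the SAP documentation. It assumes keytool from a JDK is on PATH, passes the distinguished name with -dname instead of answering the prompts, and adds checks a practitioner would want before and after the CA reply is installed: that the alias is a key pair (PrivateKeyEntry), that its CN is the cluster wildcard, and that the chain length rises above 1 once the reply is imported.

```shell
#!/bin/sh
# Added example (not SAP's own code): steps 2, 4a and 4c of the procedure as
# functions, plus checks on the resulting keystore. Assumes keytool is on PATH.
# Alias, passwords and DN fields are the sample values used on this page.
KEYSTORE=${KEYSTORE:-keystore.jks}
ALIAS=supServer
STOREPASS=changeit
KEYPASS=mySecret

# Step 2: generate the key pair. The DN is passed with -dname instead of being
# typed at the prompts; $1 is the CN (the cluster wildcard, e.g. '*.mydomain.com').
# 2048-bit RSA with keytool's default SHA-256 signature; the 1024-bit RSA and
# SHA1withRSA values in the Gateway example are rejected by current TLS clients.
gen_keypair() {
  keytool -genkeypair -alias "$ALIAS" -keystore "$KEYSTORE" -storetype JKS \
    -keyalg RSA -keysize 2048 -validity 365 -keypass "$KEYPASS" -storepass "$STOREPASS" \
    -dname "CN=$1, OU=myOU, O=mycompany, L=place, ST=state, C=AB"
}

# Step 4a: write the CSR to the file named in $1.
gen_csr() {
  keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -keypass "$KEYPASS" -file "$1"
}

# Step 4c: install the CA reply ($1) under the same alias and key password.
import_reply() {
  keytool -importcert -alias "$ALIAS" -file "$1" -keypass "$KEYPASS" \
    -storepass "$STOREPASS" -keystore "$KEYSTORE" -trustcacerts
}

# entry_type prints PrivateKeyEntry for a key pair; trustedCertEntry under the
# same alias means a reply was imported as a plain certificate, not paired.
entry_type() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    | grep -o -E 'PrivateKeyEntry|trustedCertEntry'
}

# chain_length is 1 while the certificate is self-signed and >1 after import_reply.
chain_length() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    | sed -n 's/^Certificate chain length: //p'
}

# owner_cn prints the CN of the entry's own certificate, to confirm the wildcard.
owner_cn() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    | sed -n 's/^Owner: CN=\([^,]*\),.*/\1/p' | head -n 1
}
```

Run the functions in order against a scratch KEYSTORE path; import_reply is only meaningful once the CA has returned the signed certificate.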