Using Keytool to Generate Self-Signed Certificates and Keys

Whenever possible, use a PKI system and a trusted CA to generate production-ready certificates and keys that encrypt communication among the different SAP Mobile Platform components. You can then use keytool to import and export certificates to and from the platform's keystores and truststores. Otherwise, you can also use keytool to generate self-signed certificates and keys.

Review the sample commands below to see how to use keytool to import, export, and generate certificates and keys. For more information, see Configuring X.509 Certificates for SAP Single Sign-On.
  1. If you have the root certificate of the certificate authority (CA) or if you have a self-signed certificate, import the CA certificate into the keystore and truststore.
    For example, if you have a CA certificate in a PKCS#10 file named cust-ca.crt, run this command from the SMP_HOME\Servers\UnwiredServer\Repository\Security directory:
    keytool -importcert -alias customerCA -file cust-ca.crt -storepass changeit -keystore truststore.jks -trustcacerts
    The truststore is used when SAP Mobile Platform makes an out-bound connection over SSL to another server with a server certificate. SAP Mobile Server checks that the server certificate is in the truststore, or is signed by a CA certificate in the truststore.
  2. Generate a key pair in the SAP Mobile Platform keystore.
    The command you use depends on the environment for which you are generating the keystore. For most SAP Mobile Platform deployments, this command may be sufficient:
    keytool -genkeypair -alias supServer -keystore keystore.jks -keyalg RSA -keysize 2048 
    -validity 365 -keypass mySecret -storepass changeit
    However, if you are generating a key pair to secure an HTTPS communication port between the SAP Gateway and SAP Mobile Server for OData push notifications, you might use a command like:
    keytool -genkeypair -alias SAPpush -keyalg RSA -keysize 1024 -sigalg SHA1withRSA
    -keypass mySecret -keystore keystore.jks
  3. Supply values for each of the resulting prompts.
    The first prompt is the most critical. If you are running multiple SAP Mobile Servers in a cluster, type an asterisk followed by the domain name where the SAP Mobile Servers are running.
    What is your first and last name?
    [Unknown]: *.mydomain.com
    What is the name of your organizational unit?
    [Unknown]: myOU
    What is the name of your organization?
    [Unknown]: mycompany
    What is the name of your City or Locality?
    [Unknown]: place
    What is the name of your State or Province?
    [Unknown]: state
    What is the two-letter country code for this unit?
    [Unknown]: AB
    Is CN=*.mydomain.com, OU=myOU, O=mycompany,
    L=place, ST=state, C=AB correct?
    [no]: y
    Note: The asterisk before the domain name allows this same certificate to be used by multiple SAP Mobile Servers deployed as members of a common cluster. The CN value must be the domain name of the host on which SAP Mobile Server is installed.
  4. Generate a certificate signing request, send it to the certificate authority, and install the issued certificate in the SAP Mobile Server keystore:
    1. Generate a certificate signing request (CSR). For example:
      keytool -certreq -alias supServer -keystore keystore.jks -storepass changeit 
      -keypass mySecret -file supServer.csr
    2. Send the CSR to the CA for signing.
      For example, with an SAP CA, you might perform steps similar to these:
      1. Launch the URL for your SAP CA.
      2. In the select cmd option, choose Certify the cert req.
      3. Paste the content of the .csr file generated in the previous step.
      4. Copy the content between (and including) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" from the response to a text file named <name of the cert>.cer.
      5. View and verify the status of the certificate.
    3. Use keytool to import the signed certificate returned by the CA into the keystore.
      Note: The -alias/-keypass values are the same as those used to generate the key pair and CSR. By sharing these values, you pair the signed certificate with the key pair:
      keytool -importcert -alias supServer -file supServer.crt -keypass mySecret -storepass changeit 
      -keystore keystore.jks -trustcacerts
      Certificate reply was installed in keystore
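keytool also accepts the distinguished name on the command line with -dname, which lets you script step 2 and step 3 instead of answering the prompts. The following Python helpers are an added example (my own code, not SAP Mobile Platform code or anything from the SAP documentation): they build that -dname value from the same answers the prompts ask for, escaping the characters RFC 4514 reserves, and they predict which host names a wildcard CN such as *.mydomain.com will cover under the RFC 6125 matching rules that TLS clients apply. Function and variable names are my own; the rule that a wildcard must be followed by at least two labels is a common client policy assumed here, not something keytool enforces.

```python
"""Added helpers for step 3 (the DN prompts and the wildcard CN).

Not SAP code: example functions that build the -dname value keytool accepts
instead of the interactive prompts, and that predict which host names a
wildcard CN will actually match.
"""
import re

# keytool asks for the attributes in this order; we emit them the same way.
DN_ORDER = ("CN", "OU", "O", "L", "ST", "C")


def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 section 2.4 reserves inside an RDN value."""
    escaped = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_dname(answers: dict) -> str:
    """Turn the prompt answers (keys CN, OU, O, L, ST, C) into a -dname string."""
    parts = []
    for attr in DN_ORDER:
        value = answers.get(attr, "")
        if not value:
            continue
        if attr == "C" and not re.fullmatch(r"[A-Za-z]{2}", value):
            raise ValueError("country code must be exactly two letters")
        parts.append(f"{attr}={escape_rdn_value(value)}")
    if not parts or not parts[0].startswith("CN="):
        raise ValueError("a CN (the server's host name) is required")
    return ", ".join(parts)


def hostname_matches(cn: str, hostname: str) -> bool:
    """Return True if a certificate CN covers hostname (RFC 6125 section 6.4.3 rules).

    A wildcard is only honoured as the entire left-most label, it substitutes
    exactly one label, and (a common client policy, assumed here) it must be
    followed by at least two labels, so "*.com" never matches anything.
    """
    cn = cn.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cn:
        return cn == hostname
    cn_labels = cn.split(".")
    host_labels = hostname.split(".")
    if cn_labels[0] != "*" or len(cn_labels) < 3:
        return False
    if any("*" in label for label in cn_labels[1:]):
        return False
    # Exactly one label is substituted: a.b.mydomain.com is NOT covered.
    if len(host_labels) != len(cn_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cn_labels[1:]


def genkeypair_args(alias: str, dname: str, keystore: str = "keystore.jks",
                    keysize: int = 2048, validity: int = 365) -> list:
    """Non-interactive equivalent of the step 2 command plus the step 3 answers.

    -storepass and -keypass are deliberately left out so keytool prompts for
    them instead of the secrets landing in shell history.
    """
    return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA",
            "-keysize", str(keysize), "-validity", str(validity),
            "-keystore", keystore, "-dname", dname]


if __name__ == "__main__":
    answers = {"CN": "*.mydomain.com", "OU": "myOU", "O": "mycompany",
               "L": "place", "ST": "state", "C": "AB"}
    dn = build_dname(answers)
    print(" ".join(genkeypair_args("supServer", f'"{dn}"')))
    for host in ("smp1.mydomain.com", "mydomain.com", "a.b.mydomain.com"):
        print(host, "->", hostname_matches(answers["CN"], host))
```

Running the module prints the keytool command line with the quoted -dname and then shows that *.mydomain.com covers smp1.mydomain.com but neither the bare domain nor a host two labels deep, which is the check to make before relying on the cluster-wide wildcard described in the note above.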
      
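Step 4.2.4 asks you to copy the text between the BEGIN/END CERTIFICATE markers from the CA's response into a .cer file. As an added example (my own code, not from the SAP documentation or SAP Mobile Platform), the following Python helper performs that extraction from arbitrary text such as a saved response page, and rejects a block whose body is not valid base64 or does not decode to one complete DER SEQUENCE, which is the outer structure every X.509 certificate has. The embedded sample response is constructed for this example and its "certificate" is a minimal DER SEQUENCE of two integers, not a real certificate.

```python
"""Added helper for step 4.2.4: pull the certificate out of the CA response.

Not SAP code. Copying the BEGIN/END CERTIFICATE block by hand from a web
page is error-prone (stray markup, a dropped line, a truncated body), so
this extracts every PEM certificate block from arbitrary text, checks that
the body is valid base64 decoding to one complete DER SEQUENCE (the outer
structure of every X.509 certificate), and writes a clean .cer file.
"""
import base64
import binascii
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def der_sequence_complete(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def extract_certificates(text: str) -> list:
    """Return each certificate in text as normalized PEM (64-character lines).

    Raises ValueError if a block is not base64 or not a complete DER SEQUENCE,
    which is what a truncated or mangled copy-paste looks like.
    """
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from exc
        if not der_sequence_complete(der):
            raise ValueError("certificate body is truncated or not a DER SEQUENCE")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs


def write_cer_file(text: str, path) -> int:
    """Write every extracted certificate to path; return how many were written."""
    certs = extract_certificates(text)
    if not certs:
        raise ValueError("no certificate block found in the CA response")
    Path(path).write_text("".join(certs))
    return len(certs)


def response_is_usable(text: str) -> bool:
    """Convenience check: does the response contain at least one valid block?"""
    try:
        return bool(extract_certificates(text))
    except ValueError:
        return False


# Constructed sample (not a real certificate): a minimal DER SEQUENCE of two
# INTEGERs, wrapped in the kind of HTML a CA web front end might return.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_RESPONSE = (
    "<html><body><pre>Certificate issued:\n"
    "-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + "\n"
    "-----END CERTIFICATE-----\n</pre></body></html>\n"
)
# The same response with the last base64 characters lost in copy-paste.
TRUNCATED_RESPONSE = SAMPLE_RESPONSE.replace(SAMPLE_B64, SAMPLE_B64[:-4])

if __name__ == "__main__":
    print(extract_certificates(SAMPLE_RESPONSE)[0], end="")
    print("truncated copy usable:", response_is_usable(TRUNCATED_RESPONSE))
```

Because the check only looks at the outer DER framing, it catches the typical copy-paste damage (missing tail, stray characters) before keytool -importcert sees the file; it does not validate the signature or chain, which is exactly what the -trustcacerts import in step 4.3 and the truststore contents in step 1 are for.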
Related reference
Certificate Authentication Properties