Step 2: Generate a Certificate Signing Request
- Last Updated: January 16, 2024
- OpenEdge
- Version 12.8
- Documentation
Now that you have created a self-signed certificate, you want to request a signed certificate from a Certificate Authority, so that the certificate is more apt to be trusted by others.
To request the certificate:
- Execute the following command, typing it as one continuous string without including any return characters:
  keytool -certreq -alias acme -file d:\work\acme.csr -keypass coyote -keystore d:\work\fathomstore -storepass roadrunner
  Where:
  - -certreq: Generates a Certificate Signing Request (CSR).
  - -file d:\work\acme.csr: Specifies the path to and name of the file that is generated to hold the certificate request information. Generally, the naming convention used to identify a CSR is to add .csr to the end of the file name. In the example shown here, the file is d:\work\acme.csr.
- Submit the CSR to a Certificate Authority (or to your own company's certificate authority, such as Microsoft's Certificate Authority). The request is usually submitted by copying the contents of the file into the appropriate field in a web page generated by your chosen certificate authority's web site; however, the process for submitting the CSR depends on the certificate authority.
  The CA will typically authenticate you as the requestor and return a certificate, signed by the CA, authenticating your public key.
- When you receive the reply (usually sent by e-mail), copy the contents starting with ---Begin Certificate and ending with --- End Certificate into a file with a .cer extension.
  In this case, the CA will actually return a chain of certificates; each certificate authenticates the public key of the signer of the previous certificate in the chain.
- Download the CA's root certificate for use in the web server identity keystore.
  If necessary, obtain the CA's root certificate from your certificate authority to use in your browser and for remote trending. This certificate is used on the client side (browser) to authenticate the root signer and also needs to be added to the certificate keystore file. If the CA certificate is from a well-known authority such as Symantec, then it may not be necessary to install the CA certificate into the client-side browser as most browsers already include support for well-known certificate authorities.
  If the CA is not one that is included in the trendtrustkeystore.zip, you must get the CA's certificate and add it.
You must now update the keystore file (created in Step 1: Create a keystore) by importing the CA certificate and your new site certificate.
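The copy step for the CA reply, as an added Python example that is not part of the OpenEdge documentation: it pulls every certificate block out of a reply, checks that each body is intact base64 holding a DER structure, and writes a clean .cer file. It assumes the reply uses the standard PEM armor lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----); the function names, the sample reply and its placeholder certificate bytes are constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Assumption: the CA reply wraps each certificate in standard PEM armor lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def extract_cert_chain(reply_text):
    """Return the DER bytes of every certificate in the reply, in reply order."""
    chain = []
    for index, match in enumerate(PEM_CERT.finditer(reply_text), start=1):
        # Mail clients add carriage returns or re-wrap lines: strip all whitespace.
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate {index}: corrupted base64 body") from exc
        # An X.509 certificate is a DER SEQUENCE, so its first byte must be 0x30.
        if not der.startswith(b"\x30"):
            raise ValueError(f"certificate {index}: not a DER SEQUENCE")
        chain.append(der)
    if not chain:
        raise ValueError("no PEM certificate block found in the reply")
    return chain

def write_cer(chain, path):
    """Write the chain as clean PEM blocks (64-character lines); return the count."""
    blocks = []
    for der in chain:
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    Path(path).write_text("\n".join(blocks) + "\n", encoding="ascii")
    return len(blocks)

# Constructed sample reply: the two bodies are placeholder bytes, not real certificates.
SAMPLE_DER = [b"\x30\x82\x01\x0a" + bytes([n]) * 90 for n in (1, 2)]
PEM_TEMPLATE = "-----BEGIN CERTIFICATE-----\n{}-----END CERTIFICATE-----\n"
SAMPLE_REPLY = ("Dear customer, your signed certificate follows.\n"
                + "".join(PEM_TEMPLATE.format(base64.encodebytes(d).decode("ascii"))
                          for d in SAMPLE_DER)
                + "Regards, Example CA\n").replace("\n", "\r\n")

if __name__ == "__main__":
    count = write_cer(extract_cert_chain(SAMPLE_REPLY), "acme.cer")
    print(count, "certificate(s) written to acme.cer")
```

A reply that raises an error here was damaged in transit or copied incompletely and should be requested again rather than imported.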