In a temporary directory under the Microsoft Proxy Server, run the following commands to generate and certify a key pair.
```
keytool -genkey -noprompt -alias <alias> -dname <dname> -keyalg <keyalg> -keysize <keysize> -keystore <keystore> -storepass <storepass> -keypass <keypass>
keytool -certreq -alias <alias> -file <file> -keystore <keystore> -storepass <storepass>
certreq.exe -f -attrib "<attrib>" -config "<host>\<CA>" <file> CertChainFileOut <CertChainFileOut>
```

Depending on the Microsoft CA setup, you may need to manually approve the request and retrieve the certificate.

See the following table for a description of the main parameters.

| Option | Value |
|---|---|
| `<alias>` | A label for the new keystore |
| `<attrib>` | The name of the template described in Creating a client authentication template for Microsoft CA. |
| `<CA>` | The CA name assigned to the Microsoft CA in CA Gateway. |
| `<dname>` | The distinguished name of the key pair holder |
| `<file>` | The path of the generated certificate request |
| `<host>` | The Microsoft CA's hostname |
| `<keyalg>` | The algorithm for generating the key pair |
| `<keypass>` | The password for protecting the key pair within the keystore |
| `<keysize>` | The size of the generated keys |
| `<keystore>` | The path of the generated keystore |
| `<storepass>` | The password for protecting the keystore |

For example:

```
keytool -genkey -noprompt -alias mscaproxyclient -dname "cn=mscaproxy client" -keyalg RSA -keysize 2048 -keystore mscaproxyclient.jks -storepass ***** -keypass *****
keytool -certreq -alias mscaproxyclient -file mscaproxyclient.csr -keystore mscaproxyclient.jks -storepass *****
certreq.exe -f -attrib "CertificateTemplate:ClientAuthentication" -config "<HOST>\<CA>" mscaproxyclient.csr CertChainFileOut mscaproxyclient.p7b
```
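
The commands above put the keystore and key passwords on the command line, where they end up in shell history and process listings. The following PowerShell sketch is an added example, not part of the product documentation: it runs the same two keytool steps but passes the password through keytool's `:env` modifier and prints the request for review before it goes to the CA. It assumes keytool is on the PATH; the variable name `MSCA_STOREPASS` is hypothetical, and the file names are taken from the example above.

```powershell
# Added example (not from the product documentation).
# Assumptions: keytool is on the PATH; MSCA_STOREPASS is a hypothetical variable name.
$ErrorActionPreference = 'Stop'

$alias    = 'mscaproxyclient'
$dname    = 'cn=mscaproxy client'
$keystore = 'mscaproxyclient.jks'
$csr      = 'mscaproxyclient.csr'

# Prompt for the password so it never appears in the script or in shell history.
$secure = Read-Host -Prompt 'Keystore password' -AsSecureString
$env:MSCA_STOREPASS = [System.Net.NetworkCredential]::new('', $secure).Password

try {
    # -storepass:env / -keypass:env make keytool read the password from the named
    # environment variable, so only the variable name shows up in the process list.
    # The options are quoted so PowerShell passes them through unchanged.
    keytool -genkey -noprompt -alias $alias -dname $dname `
        -keyalg RSA -keysize 2048 -keystore $keystore `
        '-storepass:env' MSCA_STOREPASS '-keypass:env' MSCA_STOREPASS
    if ($LASTEXITCODE -ne 0) { throw 'keytool -genkey failed' }

    keytool -certreq -alias $alias -file $csr -keystore $keystore `
        '-storepass:env' MSCA_STOREPASS
    if ($LASTEXITCODE -ne 0) { throw 'keytool -certreq failed' }

    # Print the request so the subject and key algorithm can be checked
    # before the CSR is submitted with certreq.exe.
    keytool -printcertreq -file $csr
    if ($LASTEXITCODE -ne 0) { throw 'keytool -printcertreq failed' }
}
finally {
    # Remove the password from this session's environment whether or not keytool succeeded.
    Remove-Item Env:MSCA_STOREPASS -ErrorAction SilentlyContinue
}
```

The environment variable is still readable by any child process started from the same session while the script runs, so run it in a dedicated shell and close that shell afterwards.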