A Java keystore is a password-protected file that holds keys and certificates. Each private key in a keystore has a certificate chain associated with it, which binds the corresponding public key to an identity; a keystore also contains certificates from trusted entities (typically Certification Authorities), against which other parties' certificates are checked.
The keystore must contain a key pair with a certificate signed by a trusted Certification Authority (CA). When you install the OMII Client or OMII Base and Extensions, an omii.ks keystore file is downloaded to your machine during the installation, so you can use the software for a period of time without having to get involved with creating your own Java keystore from a certificate. Treat this as a bootstrap arrangement only: the bundled keystore is protected by a password that appears in this documentation, and its certificate is issued by OMII's temporary CA and names a placeholder host rather than you, so it identifies nobody in particular. Replace it with your own keystore (see below) before relying on it.
If you run the Java keytool program from a command line (Windows example shown), such as:
C:\Program Files\OMIICLIENT>keytool -v -list -keystore omii.ks
Enter keystore password: tmpstore
(keytool prompts for the password and does not echo it; the password of the bundled keystore is tmpstore) you can then view the contents of, for example, your client-side omii.ks file:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: omii_ca
Creation date: 03-Dec-2004
Entry type: trustedCertEntry
Owner: O=OMII, EMAILADDRESS=support@omii.ac.uk, C=UK, ST=Hampshire, CN=OMII Temporary Certificate Authority
Issuer: O=OMII, EMAILADDRESS=support@omii.ac.uk, C=UK, ST=Hampshire, CN=OMII Temporary Certificate Authority
Serial number: 0
Valid from: Mon Oct 04 13:34:53 BST 2004 until: Fri Feb 20 12:34:53 GMT 2032
Certificate fingerprints:
MD5: string of digits
SHA1: string of digits
*******************************************
*******************************************
Alias name: omii_server
Creation date: 03-Dec-2004
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: OU=ecs, O=omii, EMAILADDRESS=youremail@domain.ac.uk, C=uk, ST=hants, CN=machine.domain.ac.uk
Issuer: O=OMII, EMAILADDRESS=support@omii.ac.uk, C=UK, ST=Hampshire, CN=OMII Temporary Certificate Authority
Serial number: 1ed
Valid from: Fri Dec 03 10:22:12 GMT 2004 until: Sun Jan 02 10:22:12 GMT 2005
Certificate fingerprints:
MD5: string of digits
SHA1: string of digits
Certificate[2]:
Owner: O=OMII, EMAILADDRESS=support@omii.ac.uk, C=UK, ST=Hampshire, CN=OMII Temporary Certificate Authority
Issuer: O=OMII, EMAILADDRESS=support@omii.ac.uk, C=UK, ST=Hampshire, CN=OMII Temporary Certificate Authority
Serial number: 0
Valid from: Mon Oct 04 13:34:53 BST 2004 until: Fri Feb 20 12:34:53 GMT 2032
Certificate fingerprints:
MD5: string of digits
SHA1: string of digits
*******************************************
*******************************************
The omii_ca entry (entry type trustedCertEntry) is the CA certificate. The omii_server entry (entry type keyEntry) is your private key together with its certificate chain: Certificate[1] is your own certificate and Certificate[2] is the CA certificate, and the two form a certificate chain. Certificate 1 has been SIGNED by certificate 2: the Issuer of Certificate[1] is the Owner (subject) of Certificate[2], and the signature was checked by keytool when the CA's reply was imported, since keytool refuses a reply it cannot chain to a trusted certificate. When you install the OMII Base and Extensions, your server-side certificate is signed by the same OMII temporary CA, so client and server each hold a certificate issued by a CA the other one trusts, and hence can work together.
If you choose to use, for example, UK e-science certificates, please see the instructions in Generating a Keystore for making your own keystore.
Alternatively, if you are not using UK e-science certificates, the broad steps are outlined below. You can use a program called 'Keystore Explorer' (http://www.lazgosoftware.com/kse/). This is essentially a GUI version of the command-line keytool provided with the Java 2 SDK. It can be used to generate the necessary keystore and its associated X.509 certificates, as well as to import and store trusted certificates. However, it is not freeware, so you can also use the command-line keytool which comes with Java.
You need to:
Create a keystore
Generate a key pair within this keystore (keytool creates the keystore when the first key pair is generated)
Generate a Certificate Signing Request (CSR) from the key pair
Get the CSR signed by the trusted CA (the Registration Authority is required for this, as they must contact the CA)
Import the CA's certificate into your keystore as a trusted certificate
The CA's response to your signing request will be a certificate bearing your details; import this against the same alias as the key pair, which replaces the self-signed certificate with the CA-issued chain. The order of the last two steps matters: keytool rejects the reply unless it can chain it to a trusted certificate already in the keystore.
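The steps above, and the chain check described for the listing (the Issuer of Certificate[1] equalling the Owner of the CA certificate), carried out with the JDK keytool. This is an added example, not OMII's own tooling or the Keystore Explorer: the aliases, distinguished names, file names and the password "changeit" are assumptions for the demo, and the CA is simulated locally with "keytool -gencert" (in real use the CSR goes to the Registration Authority and the CA returns the signed certificate). The command names are those of current JDKs; the keytool of the Java 2 SDK spelled them -genkey, -import and -export.

```shell
#!/bin/sh
# Added example (not OMII's own scripts): the six keystore steps with keytool.
# Assumptions for the demo: aliases omii_ca/omii_client, the DNs below, the file
# names, and the password "changeit". The CA is simulated with keytool -gencert.

PASS=changeit    # demo only; a published password (like tmpstore above) protects nothing
STORETYPE=JKS    # matches the listing on this page; current JDKs default to PKCS12

# Stand-in for the trusted CA (demo only): a self-signed CA key pair in ca.ks,
# with its certificate exported to ca.cer for clients to import in step 5.
make_demo_ca() {
    keytool -genkeypair -alias omii_ca -keyalg RSA -keysize 2048 \
        -dname "CN=Demo Temporary CA, O=Example" -ext bc=ca:true -validity 3650 \
        -storetype "$STORETYPE" -keystore "$1/ca.ks" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -alias omii_ca -rfc -file "$1/ca.cer" \
        -keystore "$1/ca.ks" -storepass "$PASS"
}

# Step 4 from the CA's side: sign the CSR and return the end-entity certificate.
ca_sign_csr() {
    keytool -gencert -alias omii_ca -infile "$1/client.csr" -outfile "$1/client.cer" \
        -rfc -validity 365 -ext bc=ca:false \
        -keystore "$1/ca.ks" -storepass "$PASS" -keypass "$PASS"
}

# Step 6: import the CA's reply against the key pair's alias. keytool accepts it
# only if it can build a chain from the reply to a trusted certificate in the keystore.
import_reply() {
    keytool -importcert -alias omii_client -file "$1/client.cer" -noprompt \
        -keystore "$1/client.ks" -storepass "$PASS" -keypass "$PASS"
}

# Steps 1 to 6 on the client side; expects ca.ks and ca.cer from make_demo_ca in $1.
build_client_keystore() {
    dir=$1
    # Steps 1 and 2: generating the first key pair also creates the keystore.
    keytool -genkeypair -alias omii_client -keyalg RSA -keysize 2048 \
        -dname "CN=machine.domain.ac.uk, OU=ecs, O=omii, C=uk" -validity 365 \
        -storetype "$STORETYPE" -keystore "$dir/client.ks" -storepass "$PASS" -keypass "$PASS"
    # Step 3: a CSR carrying the public key and subject name, to hand to the RA.
    keytool -certreq -alias omii_client -file "$dir/client.csr" \
        -keystore "$dir/client.ks" -storepass "$PASS" -keypass "$PASS"
    # Step 4 (simulated here by the demo CA).
    ca_sign_csr "$dir"
    # Doing step 6 before step 5 is refused ("Failed to establish chain from reply"):
    # the keystore holds no trusted certificate the reply could chain to.
    if import_reply "$dir" 2>/dev/null; then
        echo "unexpected: reply accepted without a trusted CA certificate" >&2
        return 1
    fi
    # Step 5: the CA certificate becomes a trustedCertEntry (like omii_ca in the listing).
    keytool -importcert -alias omii_ca -file "$dir/ca.cer" -noprompt \
        -keystore "$dir/client.ks" -storepass "$PASS"
    # Step 6: the reply now chains to omii_ca and replaces the self-signed certificate.
    import_reply "$dir"
}

# Read one field of a keystore entry from "keytool -list -v" output (first match).
entry_field() {   # entry_field <keystore> <alias> <field name>
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$PASS" 2>/dev/null \
        | sed -n "s/^$3: *//p" | head -n 1
}
entry_type()   { entry_field "$1" "$2" "Entry type"; }
chain_length() { entry_field "$1" "$2" "Certificate chain length"; }

# The check behind "Certificate 1 has been signed by certificate 2": the Issuer of
# Certificate[1] must equal the Owner of the CA certificate. The signature itself
# was verified by keytool when the reply was imported in step 6.
issuer_is_ca() {
    [ "$(entry_field "$1/client.ks" omii_client Issuer)" = \
      "$(entry_field "$1/ca.ks" omii_ca Owner)" ]
}

# Whole procedure into a directory, ending with a listing like the one on this page.
run_demo() {
    make_demo_ca "$1" && build_client_keystore "$1" &&
    keytool -list -v -keystore "$1/client.ks" -storepass "$PASS"
}

# Runs when invoked with a directory, e.g.:  sh keystore_demo.sh /tmp/ksdemo
if [ -n "${1:-}" ]; then
    mkdir -p "$1" && run_demo "$1" && issuer_is_ca "$1" && echo "chain OK"
fi
```

Passing -storepass on the command line, as here, exposes the password to anyone who can read the process list; for a real keystore let keytool prompt for it, as in the listing above. After a successful run, the client listing shows omii_ca as a trustedCertEntry and omii_client with "Certificate chain length: 2", exactly the shape of the bundled omii.ks.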
For further background, there are some useful links on Public Key Infrastructure (PKI) at http://www.pki-page.org.