Appendix A: Create a JWS certificate

The JWS certificates of the Hub and DFSPs must be "wrapped" public keys. To generate a JWS certificate, you can use openssl or KeyStore Explorer.

This section explains how to generate a "wrapped" public key (that is, a JWS certificate) using the KeyStore Explorer tool.

First, generate a key pair:

  1. Click Create a new KeyStore or File > New. The New KeyStore Type window pops up.

  2. Select JKS.

  3. Save your keystore. When prompted to set a password, click OK without entering anything if you do not wish to set up a password.

  4. Select Tools > Generate Key Pair. The Generate Key Pair window pops up.

  5. Leave the default algorithm selection as is: RSA with key size 2,048.

  6. Click OK. The Generate Key Pair Certificate window pops up.

  7. Leave the default values as is.

  8. Click the Edit name icon next to the Name field. The Name window pops up.

  9. Fill in the fields as follows:

    1. In the Common Name (CN): field, provide your fspId name previously assigned by the Hub.

    2. In the Organization Unit (OU): field, provide the name of your organization unit, for example, Payments.

    3. In the Organization Name (O): field, provide the name of your organization.

    4. In the Locality Name (L): field, provide the city where the organization is located.

    5. In the State Name (ST): field, provide the state where the organization is located.

    6. In the Country (C): field, provide the country where the organization is located.

  10. Click OK.

  11. Back on the Generate Key Pair Certificate window, click OK. The New Key Pair Entry Alias window pops up.

  12. Leave the alias value as is.

  13. Click OK. The New Key Pair Entry Password window pops up.

  14. Click OK without specifying a password. You have successfully generated your key pair.

Then, create your "wrapped" public key (this is what we call the JWS certificate):

  1. Right-click the key pair.

  2. Select Export Certificate Chain. The Export Certificate Chain window pops up.

  3. Leave the default values as is, that is, Export Length is Head Only, and Export Format is X.509.

  4. Ensure that the PEM checkbox is selected.

  5. Specify where you want to download the certificate chain. Ensure that the file extension is .pem.

  6. Click Export. You have successfully exported your certificate chain.
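
The same result can be produced with openssl, the other tool named at the start of this appendix. The script below is an added example, not part of the original instructions: it generates the RSA 2,048 key pair, writes the self-signed X.509 certificate in PEM format, and checks that the file you share contains only the certificate. The function name, file names, subject values other than the CN, and the 365-day validity are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example: OpenSSL equivalent of the KeyStore Explorer procedure.
# Subject values, file names and validity period are placeholders (assumptions).

make_jws_cert() (
  fsp_id="$1"      # fspId assigned by the Hub, used as the Common Name
  out_dir="$2"     # directory to write the two PEM files into
  key="$out_dir/$fsp_id-jws-private.pem"   # private key, stays with you
  cert="$out_dir/$fsp_id-jws-cert.pem"     # the "wrapped" public key to share
  subj="/C=XX/ST=Example State/L=Example City/O=Example Org/OU=Payments/CN=$fsp_id"

  # RSA 2,048 key pair plus a self-signed X.509 certificate in PEM format.
  # -nodes leaves the private key unencrypted (as in the passwordless steps),
  # so umask 077 restricts the new files to the current user.
  umask 077
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "$subj" -keyout "$key" -out "$cert" 2>/dev/null || return 1

  # The certificate must carry the public half of the generated key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1

  # The file that is shared must not contain private key material.
  if grep -q "PRIVATE KEY" "$cert"; then return 1; fi

  chmod 644 "$cert"   # the certificate is public; the key file stays owner-only
  printf '%s\n' "$cert"
)

# Run as: sh make_jws_cert.sh <fspId> <output-dir>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  make_jws_cert "$1" "$2"
fi
```

Only the -jws-cert.pem file is the JWS certificate; the -jws-private.pem file is the signing key and is not shared.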