Generate Key From Crt Keytool
Recently I got the request to manually create a Java keystore (.jks) to be used on a Linux-based web server.
The certificate to be used had two “issues”:
- It was provided as a .pfx file
- It didn’t contain the certificates of the intermediate CAs
Since I use a Windows 10 workstation, I had to make sure that Java was installed, in my case version 1.8.
So, in order to fulfill this request, the following steps were necessary:
- Create a folder to collect all necessary files in. In my case, this was d:\cert.
- Copy the following files to this folder:
  - The source .pfx file.
  - The certificate of the root CA that the certificate chains to.
  - The certificate(s) of all intermediate CAs in the certificate's trust chain.
In my case the folder contained the following files:
- wildcard.pfx
- AddTrustExternalCARoot.crt
- COMODORSAAddTrustCA.crt
- COMODORSAOrganizationValidationSecureServerCA.crt
Now we use the keytool command from the Java installation folder (in my case C:\Program Files\Java\jre1.8.0_201\bin) to create the keystore and put all necessary files into it.
The first command puts the root CA's certificate into the keystore. Since the keystore doesn't exist yet, keytool creates it automatically:
Note: Replace the "xxx" after "-storepass" with a strong password. A password given on the command line ends up in the shell history and is visible to other users in the process list, so take it from an environment variable or let keytool prompt for it where you can.
Now we import the other two CA certificates the same way:
To import the server certificate together with its private key, we first have to find out the alias under which the .pfx stores them. To do so, run the following command:
Open the file cert.txt and look for the line starting with "Alias name:". You'll need the alias in the next step.
The last step is to import the certificate and its private key into the keystore by running the following command:
Note: Replace the "qqq" after "-srcalias" with the alias noted in the previous step and the "xxx" after "-deststorepass" with the password of the .jks file.
Now you can copy the file to the destination machine and configure the web server to use it. The .jks contains the private key, so transfer it over a secure channel, keep it readable only by the web server's account, and delete the working copies in the cert folder afterwards.
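The whole procedure above as one script, added here as an example; it is not the commands from the original post. It assumes keytool (JDK 8 or later) is on PATH, uses the post's file names, and takes the passwords from environment variables instead of literal "xxx" placeholders. The alias extraction works on the real `keytool -list -v` output format ("Alias name: ..."); the sample listing in the script is constructed so that part can be exercised without a .pfx.

```shell
#!/bin/sh
# Added example (not the original post's commands): build a JKS for the web server
# from a .pfx plus the CA certificates of its chain, following the steps above.
# Assumes keytool (JDK 8+) on PATH; PFX_PASS and JKS_PASS come from the environment.
set -eu

# Pull the alias of the key entry out of `keytool -list -v` output.
# keytool prints one "Alias name: <alias>" line per entry; a .pfx exported from
# Windows or delivered by a CA normally holds exactly one key entry.
pfx_alias_from_listing() {
    printf '%s\n' "$1" | awk '/^Alias name: / { sub(/^Alias name: /, ""); print; exit }'
}

# Constructed sample of `keytool -list -v -keystore wildcard.pfx -storetype PKCS12`
# output (alias and subject are made up), used to demonstrate the alias extraction.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: wildcard-example-com
Creation date: Jan 5, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.example.com, O=Example Corp, C=DE'

# pfx_to_jks <pfx> <pfx-pass> <jks> <jks-pass> <ca-cert>...   (root CA first)
pfx_to_jks() {
    pfx=$1; pfxpass=$2; jks=$3; jkspass=$4; shift 4
    i=0
    for ca in "$@"; do
        # -importcert creates the keystore on the first call; -noprompt skips the
        # "Trust this certificate?" question; -trustcacerts lets keytool chain each
        # intermediate to the root imported before it.
        keytool -importcert -noprompt -trustcacerts -storetype JKS \
            -keystore "$jks" -storepass "$jkspass" -alias "ca$i" -file "$ca"
        i=$((i + 1))
    done

    listing=$(keytool -list -v -storetype PKCS12 -keystore "$pfx" -storepass "$pfxpass")
    alias=$(pfx_alias_from_listing "$listing")
    [ -n "$alias" ] || { echo "no key entry found in $pfx" >&2; return 1; }

    # Copy the private key and its certificate chain from the .pfx into the JKS.
    # The key password is set equal to the store password because Tomcat and other
    # JSSE-based servers use the keystore password for the key unless told otherwise.
    keytool -importkeystore -noprompt \
        -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$pfxpass" -srcalias "$alias" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$jkspass" \
        -destalias server -destkeypass "$jkspass"

    # Verify: the server sends exactly the chain stored with the key entry, so
    # "Certificate chain length" must be 3 for leaf + intermediate + root.
    keytool -list -v -storetype JKS -keystore "$jks" -storepass "$jkspass" -alias server |
        grep -E '^(Alias name|Entry type|Certificate chain length|Owner|Issuer):'
}

# Usage with the post's file names; only runs when RUN_PFX_TO_JKS=1 is set.
if [ "${RUN_PFX_TO_JKS:-}" = 1 ]; then
    pfx_to_jks wildcard.pfx "$PFX_PASS" wildcard.jks "$JKS_PASS" \
        AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt \
        COMODORSAOrganizationValidationSecureServerCA.crt
fi
```

Two caveats a practitioner will want. First, the CA certificates imported in the loop become trustedCertEntry entries; JSSE does not append them to what the server sends, it sends only the chain stored with the key entry. If the .pfx held just the leaf certificate, the verification at the end prints "Certificate chain length: 1" and clients that do not fetch intermediates themselves will still fail; in that case rebuild the PKCS#12 with the full chain (for example with openssl pkcs12 -export and -certfile) before importing it. Second, Java 8 and later can use the .pfx directly as a keystore of type PKCS12, and keytool in JDK 9 and later warns that JKS is a proprietary format, so the conversion is often unnecessary. keytool also accepts -storepass:env VARNAME to read the password from an environment variable instead of the command line.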
Java keytool manages the keystores Java uses for HTTPS connections: a Java client trusts a server only if the server's certificate chains to an entry in the client's trust store. Any tool or Java program on the machine then uses the installed certificate to connect to the server.
❓ How Java keytool works
Maybe you want to make your server publicly reachable but limit its use to a particular team or organization.
Or you are building your enterprise's infrastructure and want it to be secure. In such a situation you need a way to control who can use a particular service.
Such a resource should be protected from unauthorized use, and the channel between the server and an authorized client must be secure.
Java keytool lets you equip a given Java client with the certificate it needs to work with a particular server over HTTPS; keystores are an established and easy-to-use Java standard. Note that importing the server's certificate only makes the client trust the server; restricting a service to authorized clients additionally requires the server to demand client certificates (mutual TLS).
To be set up for a particular service, the client should do the following:
✔ get the certificate the server presents (.crt file); the server's admin can usually provide it;
✔ add it to your trust store using:
✔ check the manual of the client tool you use for any further configuration details.
1 | Adding certificate to the keystore
Given:
⭐ my.cert.location/my.cert.crt – the certificate to be installed
⭐ "changeit" – the default keystore password (Java's default, unless you changed it)
⭐ default Java trust store location – $JAVA_HOME/jre/lib/security/cacerts on Java 8 ($JAVA_HOME/lib/security/cacerts on Java 9 and later)
The following adds the certificate to the default Java trust store:
💡 Answer ‘yes’ when prompted.
2 | Listing certificates in the keystore
This will list the certificates in the keystore:
The output is something like:
The important part is the alias of each certificate: you import and export certificates by alias.
💡 In the keystore, the unique name of an entry is called its alias
To check whether the certificate with alias mykey1 is there, use:
💡 It prints everything the keystore holds about that entry.
The following problem might occur if the client's trust store lacks the certificate (or the CA chain) that the server presents:
Given one client that works and one that cannot connect to the server, you can do the following to find the difference:
⭐ Compare the fingerprints (or checksums) of the same certificate on both machines
⭐ Check that the same certificates are installed (nothing missing)
⭐ Import the missing certificates from the working machine
⭐ Print the certificate content to learn more about it
3 | Exporting the certificate from the keystore
The exported my.cert.1.crt can then be re-imported into another keystore.
4 | Learning more about the certificate
💡 REMARK: we use the same certificate we exported in the chapter above.
To learn who issued the certificate (owner, organization, validity, etc.), the following command can be used:
5 | Removing the certificate from the keystore
6 | Non-interactive mode (suppress keytool questions)
This is useful in shell scripts. Use the -noprompt option:
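The operations of sections 1 to 6 above, plus the "compare both machines" troubleshooting, as one script. This is an added example, not the article's commands. It assumes keytool (JDK 8 or later) on PATH; CACERTS and STOREPASS default to the Java 8 cacerts location and "changeit" but can be overridden from the environment, and the JAVA_HOME fallback path is an assumption. The two keystore listings at the bottom are constructed to stand in for `keytool -list` output from a working and a broken machine.

```shell
#!/bin/sh
# Added example (not the article's commands): client-side trust-store maintenance
# with keytool, and a diff of two machines' keystore listings for troubleshooting.
set -eu

# Java 8 layout; on Java 9+ the file is $JAVA_HOME/lib/security/cacerts.
# The /usr/lib/jvm/default-java fallback is an assumption; set JAVA_HOME or CACERTS.
CACERTS="${CACERTS:-${JAVA_HOME:-/usr/lib/jvm/default-java}/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # Java's default cacerts password

# 1 | add a certificate under an alias; -noprompt answers the "Trust this?" question (6)
trust_add()    { keytool -importcert -noprompt -trustcacerts -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" -file "$2"; }
# 2 | list all entries, or show one alias in full detail
trust_list()   { keytool -list -keystore "$CACERTS" -storepass "$STOREPASS"; }
trust_show()   { keytool -list -v -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1"; }
# 3 | export an entry as PEM so it can be imported into another keystore
trust_export() { keytool -exportcert -rfc -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" -file "$2"; }
# 4 | print owner, issuer, validity and fingerprints of a certificate file
cert_info()    { keytool -printcert -file "$1"; }
# 5 | remove an entry
trust_delete() { keytool -delete -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1"; }

# Reduce `keytool -list` output to "alias fingerprint" lines. keytool prints
# "<alias>, <date>, trustedCertEntry," followed by "Certificate fingerprint (...): <hex>".
fingerprints() {
    printf '%s\n' "$1" | awk '
        /, (trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),/ { alias = $0; sub(/,.*/, "", alias) }
        /^Certificate fingerprint/ { print alias, $NF }'
}

# Entries in the working machine's listing that are missing, or carry a different
# fingerprint, on the broken one: these are the certificates to export and import.
trust_diff() {
    a=$(mktemp); b=$(mktemp)
    fingerprints "$1" | LC_ALL=C sort > "$a"
    fingerprints "$2" | LC_ALL=C sort > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed listings (aliases and fingerprints are made up) standing in for
# `trust_list` output on a working and a broken machine.
SAMPLE_WORKING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

corp-root, Jan 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44
service-ca, Feb 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD'

SAMPLE_BROKEN='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

corp-root, Jan 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44'

# Usage on real machines (not run by default):
#   trust_diff "$(trust_list)" "$(ssh broken-host keytool -list -keystore /path/to/cacerts -storepass changeit)"
#   trust_export service-ca service-ca.crt      # then copy it over and run trust_add there
#   cert_info service-ca.crt
```

Comparing fingerprints rather than file checksums catches the case where an alias exists on both machines but holds a different (for example expired or re-issued) certificate. Importing into cacerts changes trust for every Java process on the machine; for a single application, a dedicated trust store passed via -Djavax.net.ssl.trustStore keeps the blast radius small.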
That’s it, have fun :)