Create a Java KeyStore Using a Certificate Signed By a CA

Today I am going to demonstrate the creation of a Java KeyStore file using a certificate signed by a well-known Certificate Authority (CA). Java KeyStores are required when running Apache Tomcat based web services, as well as other Java applications that terminate SSL/TLS connections themselves. This example is intended to show how a standard RSA/X.509 certificate, its private key and the CA chain that issued it can be stored together in a Java KeyStore.

Before we begin, we need to ensure we have the necessary certificates and keys that will be added to the KeyStore.

Step 1) Gather all certificates and keys (server.crt, server.key, intermediate-CA.crt, root-CA.crt) in one directory.

$ cd /opt/work/ssl
$ ls
intermediate-CA.crt  root-CA.crt  server.crt  server.key

Step 2) Concatenate the CA certificate chain (ie: intermediate-CA.crt & root-CA.crt) into a single file, together with the system ca-bundle store.

OpenSSL uses this file in step 3 to build and verify the chain from server.crt up to a root, so it must contain every issuing CA above the server certificate. Appending the system bundle is harmless but only matters if the CA's chain files you were given are incomplete; the intermediate and root on their own are sufficient.

The system CA-bundle on CentOS 7 is located at /etc/ssl/certs/ca-bundle.crt.

If using a different distro, you will need to search for the location of the system CA-bundle.

$ cat /etc/ssl/certs/ca-bundle.crt intermediate-CA.crt root-CA.crt > ca-certs.crt
$ ls
ca-certs.crt  intermediate-CA.crt  root-CA.crt  server.crt  server.key

Step 3) Generate a PKCS12 archive using OpenSSL

The OpenSSL command line provides a mechanism to generate a PKCS12 archive (server.p12) containing the private key, the server certificate and its chain, which can then be imported by the Java keytool utility. The -chain option makes OpenSSL build and verify the chain from server.crt to a root found in the file given with -CAfile, and include every certificate of that chain in the archive; if the chain cannot be built (missing intermediate, wrong root) the export fails, which is the first useful sanity check of the files gathered in step 1. The value given with -name becomes the entry alias in the Java KeyStore. With OpenSSL 3 the archive is encrypted with AES-256-CBC and PBKDF2 by default, which older Java releases cannot read; add -legacy to the export command if keytool rejects the file in step 4.

$ openssl pkcs12 -export -in server.crt \
-inkey server.key -chain -CAfile ca-certs.crt \
-name "*.domain.tld" -out server.p12
Enter Export Password:
Verifying - Enter Export Password:
$ ls
ca-certs.crt  intermediate-CA.crt  root-CA.crt  server.p12  server.crt  server.key

Step 4) Import the PKCS12 archive using the Java keytool utility

In this step, we create a new Java KeyStore file (server.jks) by importing the PKCS12 archive that we created in step 3. The keytool utility will ask for the export password entered in step 3.

Three things to be aware of before copying the command below. First, -deststorepass changeit on the command line ends up in the shell history and is visible to other local users in the process list; keytool accepts -deststorepass:env VARNAME or -deststorepass:file PATH instead, and 'changeit' is the well-known default password of the JDK's own cacerts file, so pick a real one. Second, no -destkeypass is given, so the imported private key keeps the export password from step 3 while the store itself gets 'changeit'; Tomcat assumes the key password equals the keystore password unless keyPass is configured on the connector, so either pass -destkeypass with the same value as -deststorepass or set keyPass explicitly. Third, on Java 9 and later the default keystore type is PKCS12, so keytool writes server.jks in PKCS12 format regardless of the file extension unless -deststoretype JKS is added; Tomcat can also read the server.p12 file from step 3 directly (keystoreType="PKCS12"), which makes the conversion optional.

Note: Enter export password from step 3

$ keytool -importkeystore -deststorepass changeit \
-destkeystore server.jks -srckeystore server.p12 \
-srcstoretype PKCS12
Enter source keystore password:
Entry for alias *.domain.tld successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
$ ls
ca-certs.crt  intermediate-CA.crt  root-CA.crt  server.jks  server.p12  server.crt  server.key

Step 5) Verify that the Java KeyStore file contains the SSL certificate and RSA key

Now let's verify that the KeyStore file contains our signed certificate and key. The entry type must be PrivateKeyEntry; a trustedCertEntry would mean only the certificate was imported, without the private key, and the server could not use it. Newer keytool releases print a SHA-256 fingerprint here instead of MD5.

Note: Enter 'deststorepass' from step 4

$ keytool -list -keystore server.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

*.domain.tld, May 4, 2019, PrivateKeyEntry,
Certificate fingerprint (MD5): 17:AB:5A:F8:D6:0F:3D:6A:B3:D5:EA:97:51:0A:DB:F9

Step 6) Validate the KeyStore certificate chain and expiration information

The entry should list three Owner lines: the server certificate first, then the intermediate CA, then the root, each with its validity period. If only the server certificate appears, the chain was not included in step 3 (usually because ca-certs.crt lacked the intermediate) and clients will report an untrusted or incomplete chain even though the keystore itself looks fine.

$ keytool -list -v -keystore server.jks | egrep "Alias|Valid|Owner"
Enter keystore password:  changeit
Alias name: *.domain.tld
Owner: CN=*.domain.tld, O="Company, Ltd.", L=New York, ST=New York, C=US
Valid from: Thu Apr 02 20:00:00 EDT 2019 until: Wed May 03 08:00:00 EDT 2020
Owner: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Valid from: Fri Mar 08 07:00:00 EST 2013 until: Wed Mar 08 07:00:00 EST 2023
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Valid from: Thu Nov 09 19:00:00 EST 2006 until: Sun Nov 09 19:00:00 EST 2031
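The six steps as one runnable script, added here as an editorial example rather than the original author's procedure. Since a CA-issued certificate cannot be fetched offline, it first builds a throwaway root / intermediate / wildcard server chain with openssl as a stand-in for step 1, then runs the same pkcs12 export, checks the archive and the chain with openssl alone, and imports into a JKS only if keytool is installed. The subjects, SANs, file names, passwords and the www.domain.tld hostname are all constructed; passwords go through environment variables (openssl env:, keytool :env) rather than on the command line.

```shell
#!/bin/sh
# Added example (not from the original article): run the article's six
# steps against a throwaway PKI so the procedure can be exercised and
# checked without a real CA-issued certificate.
# Constructed/assumed: subjects, SANs, file names, passwords, hostname.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-p12-export-secret}"     # constructed: step 3 export password
STORE_PASS="${STORE_PASS:-keystore-secret}"   # constructed: step 4 keystore password
export P12_PASS STORE_PASS                    # passed via env:, never via argv

# Step 1 stand-in: root -> intermediate -> *.domain.tld server certificate.
# With a real CA you already have server.crt/server.key and the CA chain.
make_test_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.domain.tld,DNS:domain.tld\n' > server.ext

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA/O=Test" \
    -keyout root-CA.key -out root-CA.csr
  openssl x509 -req -in root-CA.csr -signkey root-CA.key -days 30 -sha256 \
    -extfile ca.ext -out root-CA.crt

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA/O=Test" \
    -keyout intermediate-CA.key -out intermediate-CA.csr
  openssl x509 -req -in intermediate-CA.csr -CA root-CA.crt -CAkey root-CA.key \
    -CAcreateserial -days 30 -sha256 -extfile ca.ext -out intermediate-CA.crt

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.domain.tld/O=Company Ltd" \
    -keyout server.key -out server.csr
  openssl x509 -req -in server.csr -CA intermediate-CA.crt -CAkey intermediate-CA.key \
    -CAcreateserial -days 30 -sha256 -extfile server.ext -out server.crt
}

# Steps 2 and 3: the chain file only needs the issuing CAs; appending the
# system bundle as the article does is harmless but not required.
build_pkcs12() {
  cd "$WORK"
  cat intermediate-CA.crt root-CA.crt > ca-certs.crt
  openssl pkcs12 -export -in server.crt -inkey server.key -chain -CAfile ca-certs.crt \
    -name "*.domain.tld" -passout env:P12_PASS -out server.p12
}

# Pull the certificates back out of the archive; -chain should have put the
# server certificate plus both CAs in, i.e. 3 certificates.
count_p12_certs() {
  openssl pkcs12 -in "$WORK/server.p12" -nokeys -passin env:P12_PASS 2>/dev/null \
    | sed -n '/BEGIN CERT/,/END CERT/p' > "$WORK/p12-chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/p12-chain.pem"
}

# Check that server.crt chains to the root through the intermediate and that
# the wildcard really covers the name clients will connect to.
verify_chain() {
  openssl verify -CAfile "$WORK/root-CA.crt" -untrusted "$WORK/intermediate-CA.crt" \
    -verify_hostname www.domain.tld "$WORK/server.crt" >/dev/null
}

# Step 6 without keytool: subject and expiry of every cert in the archive.
list_chain_validity() {
  [ -s "$WORK/p12-chain.pem" ] || count_p12_certs >/dev/null
  rm -f "$WORK"/chain-*.pem
  awk -v d="$WORK" '/BEGIN CERT/{n++} {print > (d "/chain-" n ".pem")}' "$WORK/p12-chain.pem"
  for f in "$WORK"/chain-*.pem; do
    openssl x509 -in "$f" -noout -subject -enddate
  done
}

# Steps 4 and 5: import into a JKS. -destkeypass is set so the key password
# equals the store password (what Tomcat assumes by default), and no password
# appears on the command line. keytool is optional so the openssl checks
# above still run on a host without a JDK.
import_to_keystore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping JKS import" >&2; return 0; }
  rm -f "$WORK/server.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
    -destkeystore "$WORK/server.jks" -deststoretype JKS \
    -deststorepass:env STORE_PASS -destkeypass:env STORE_PASS
  keytool -list -v -keystore "$WORK/server.jks" -storepass:env STORE_PASS \
    | grep -E '^(Alias name|Owner|Valid)'
}

main() {
  make_test_chain
  build_pkcs12
  echo "certificates in server.p12: $(count_p12_certs)"
  verify_chain && echo "server.crt chains to root-CA.crt and matches www.domain.tld"
  list_chain_validity
  import_to_keystore
}
main
```

Run it as `sh keystore-demo.sh`; set WORK to a directory you want to keep, otherwise everything lands in a fresh mktemp directory. To use it with a real certificate, drop make_test_chain and place server.crt, server.key, intermediate-CA.crt and root-CA.crt in $WORK before calling build_pkcs12.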
