Today I am going to demonstrate the creation of a Java KeyStore file using a certificate signed by a well-known Certificate Authority (CA). Java KeyStores are required when running Apache Tomcat based web services as well as other Java applets that require an SSL/TLS websocket. This example is intended to show how a standard RSA/X.509 certificate key pair can be stored within a Java KeyStore object.
Before we begin, we need to ensure we have the necessary certificates and keys that will be added to the KeyStore.
Step 1) Gather all certificates and keys (server.crt, server.key, intermediate-CA.crt, root-CA.crt) in one directory.
$ cd /opt/work/ssl
$ ls
intermediate-CA.crt  root-CA.crt  server.crt  server.key
Step 2) Concatenate the system ca-bundle store and the CA certificate chain (i.e. intermediate-CA.crt and root-CA.crt) together.
The system CA-bundle on CentOS 7 is located in the /etc/ssl/certs directory.
If using a different distro, you will need to search for the location of the system CA-bundle.
$ cat /etc/ssl/certs/ca-bundle.crt intermediate-CA.crt root-CA.crt > ca-certs.crt
$ ls
ca-certs.crt  intermediate-CA.crt  root-CA.crt  server.crt  server.key
Step 3) Generate a PKCS12 archive using OpenSSL
$ openssl pkcs12 -export -in server.crt \
    -inkey server.key -chain -CAfile ca-certs.crt \
    -name "*.domain.tld" -out server.p12
Enter Export Password:
Verifying - Enter Export Password:
$ ls
ca-certs.crt  intermediate-CA.crt  root-CA.crt  server.p12  server.crt  server.key
Step 4) Import the PKCS12 archive using the Java keytool utility
In this step, we will be creating a new Java KeyStore file (server.jks) by importing the PKCS12 archive that we created in step 3. The keytool utility will ask for the password entered in step 3.
Note: Enter the export password from step 3.
$ keytool -importkeystore -deststorepass changeit \
    -destkeystore server.jks -srckeystore server.p12 \
    -srcstoretype PKCS12
Enter source keystore password:
Entry for alias *.domain.tld successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
$ ls
ca-certs.crt  intermediate-CA.crt  root-CA.crt  server.jks  server.p12  server.crt  server.key
Step 5) Verify that the Java KeyStore file contains the SSL Certificate and RSA key
Now let's verify that the KeyStore file contains our signed certificate and key.
Note: Enter the 'deststorepass' from step 4.
$ keytool -list -keystore server.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

*.domain.tld, May 4, 2019, PrivateKeyEntry,
Certificate fingerprint (MD5): 17:AB:5A:F8:D6:0F:3D:6A:B3:D5:EA:97:51:0A:DB:F9
Step 6) Validate the KeyStore certificate chain and expiration information
$ keytool -list -v -keystore server.jks | egrep "Alias|Valid|Owner"
Enter keystore password: changeit
Alias name: *.domain.tld
Owner: CN=*.domain.tld, O="Company, Ltd.", L=New York, ST=New York, C=US
Valid from: Thu Apr 02 20:00:00 EDT 2019 until: Wed May 03 08:00:00 EDT 2020
Owner: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Valid from: Fri Mar 08 07:00:00 EST 2013 until: Wed Mar 08 07:00:00 EST 2023
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Valid from: Thu Nov 09 19:00:00 EST 2006 until: Sun Nov 09 19:00:00 EST 2031
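The keytool listing in step 6 prints the chain but does not prove the private key matches the leaf certificate or that each certificate is actually signed by the next one. The following added Java program (not part of the original walkthrough) performs those checks against server.jks built in steps 3 and 4; the file name, the store password "changeit" and the key password are assumptions passed on the command line. Note that keytool -importkeystore without -destkeypass keeps the PKCS12 export password from step 3 as the key password, so it may differ from the store password.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

// Usage: java KeyStoreCheck [server.jks] [storepass] [keypass]
// Defaults (assumptions, matching the walkthrough): server.jks / changeit / same as storepass
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "server.jks";
        char[] storePass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);   // also verifies the JKS integrity MAC
        }

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;   // skip trusted-cert-only entries
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("Alias: " + alias + " (" + chain.length + " certs in chain)");

            // 1) the RSA private key must belong to the leaf certificate (same modulus)
            PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
            boolean keyMatches = key instanceof RSAPrivateCrtKey
                && chain[0].getPublicKey() instanceof RSAPublicKey
                && ((RSAPrivateCrtKey) key).getModulus()
                       .equals(((RSAPublicKey) chain[0].getPublicKey()).getModulus());
            System.out.println("  private key matches leaf certificate: " + keyMatches);

            // 2) each certificate must be within its validity period, and
            // 3) each certificate must be signed by the next one in the chain
            //    (the last one is the self-signed root, so it is checked against itself)
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = (X509Certificate) chain[i];
                String status;
                try {
                    cert.checkValidity();   // throws if expired or not yet valid
                    Certificate signer = (i + 1 < chain.length) ? chain[i + 1] : cert;
                    cert.verify(signer.getPublicKey());   // throws on a bad signature
                    status = "ok, valid until " + cert.getNotAfter();
                } catch (Exception e) {
                    status = "FAILED: " + e;
                }
                System.out.println("  [" + i + "] " + cert.getSubjectX500Principal().getName() + " -> " + status);
            }
        }
    }
}
```

A chain that lists correctly under keytool but reports FAILED here (or "matches leaf certificate: false") usually means the wrong server.key or an incomplete ca-certs.crt was used in step 3.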