Java's keytool

Russell Bateman
July 2022
last update:

Although the goal is to produce artifacts that go into a Java keystore and truststore, most of the work below is done with openssl; much of it could also be done with keytool alone, which is used here only to build the truststore.

Useful link: The keytool command.

Artifacts we'll be creating

You'll find these accumulating in the current working directory as you follow these steps.

  Server keystore:    server.key, server.crt, server.pkcs12
  Server truststore:  trust.key, trust.crt, trust.jks (plus trust.srl, written when the user certificate is signed)
  User keystore:      user.key, user.csr, user.crt, user.pkcs12

Make a server keystore

  1. Create an RSA key.
    $ openssl genrsa -out server.key 2048
    Generating RSA private key, 2048 bit long modulus ...
    
  2. Check filesystem for key.
    $ ll server.key
    -rw------- 1 russ russ 1675 Jul 27 11:21 server.key
    
  3. Create a self-signed X.509 certificate for the public portion of the RSA key (the key signs its own certificate).
    $ openssl req -new -x509 -days 365 -key server.key -out server.crt -subj "/CN=localhost/O=Wind of Keltia/L=Provo/ST=UT/C=US/"
    $ ll server.crt
    -rw-rw-r-- 1 russ russ 1294 Jul 27 11:23 server.crt
    
  4. Verify the certificate.
    $ openssl x509 -in server.crt -text
    Certificate:
    ...
    
  5. Create a PKCS12 keystore containing the RSA key and the certificate. Passing the password as -password pass:... exposes it in the process list and in shell history; -password file:path (or env:VAR) gives the same result without that.
    $ openssl pkcs12 -export -out server.pkcs12 -password pass:changeit -inkey server.key -in server.crt
    
  6. Verify the keystore.
    $ openssl pkcs12 -info -noout -in server.pkcs12
    Enter Import Password:
    ...
    $ ll
    -rw-rw-r--  1 russ russ  1294 Jul 27 11:23 server.crt
    -rw-------  1 russ russ  1675 Jul 27 11:21 server.key
    -rw-------  1 russ russ  2517 Jul 27 11:25 server.pkcs12
    

Make a server trust store

  1. Create an RSA key.
    $ openssl genrsa -out trust.key 2048
    Generating RSA private key, 2048 bit long modulus ...
    
  2. Check filesystem for key.
    $ ll trust.key
    -rw------- 1 russ russ 1679 Jul 27 11:26 trust.key
    
  3. Create a self-signed X.509 certificate for the public portion of the RSA key. This is the certificate the truststore will hold, and it also acts as the CA for the user certificate below.
    $ openssl req -new -x509 -days 365 -key trust.key -out trust.crt -subj "/CN=windofkeltia.com/O=Wind of Keltia/L=Provo/ST=UT/C=US/"
    $ ll trust.crt
    -rw-rw-r-- 1 russ russ 1314 Jul 27 11:28 trust.crt
    
  4. Verify the certificate.
    $ openssl x509 -in trust.crt -text
    Certificate:
    ...
    
  5. Create a keystore containing only the trust certificate; a keystore that holds nothing but trusted certificates is the truststore. keytool asks before adding a trusted certificate; add -noprompt to skip the question in scripts.
    $ keytool -importcert -alias tomcat -file trust.crt -keystore trust.jks -storepass changeit
    Owner: C=US, ST=UT, L=Provo, O=Wind of Keltia, CN=windofkeltia.com
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    $ ll trust.jks
    -rw-rw-r-- 1 russ russ 1287 Jul 27 11:35 trust.jks
    
  6. Verify the keystore.
    $ keytool -list -v -keystore trust.jks -storepass changeit
    Keystore type: PKCS12
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    ...
    
    Note the reported type: since Java 9 keytool's default store type is PKCS12, so trust.jks is a PKCS12 file despite its extension. If a legacy JKS file is really required, pass -storetype JKS when importing.
    

Make a user keystore

  1. Create an RSA key.
    $ openssl genrsa -out user.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...
    $ ll user.key
    -rw------- 1 russ russ 1675 Jul 27 11:41 user.key
    
  2. Create certificate signing request.
    $ openssl req -out user.csr -key user.key -new -subj "/CN=windofkeltia.com/O=Wind of Keltia/L=Provo/ST=UT/C=US/"
    $ ll user.csr
    -rw-rw-r-- 1 russ russ 993 Jul 27 11:43 user.csr
    
  3. Verify the certificate request.
    $ cat user.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIICozCCAYsCAQAwXjEZMBcGA1UEAwwQd2luZG9ma2VsdGlhLmNvbTEXMBUGA1UE
    ...
    
  4. Sign the certificate request with the trust key (trust.crt and trust.key act as the CA). Note that the request's subject is identical to the trust certificate's subject. Signing still works, but OpenSSL's verifier treats a certificate whose subject equals its issuer as self-issued, so openssl verify -CAfile trust.crt user.crt rejects the result as an untrusted self-signed certificate; give the user a CN of its own if you intend to validate the chain.
    $ ll
    -rw-rw-r--  1 russ russ  1294 Jul 27 11:23 server.crt
    -rw-------  1 russ russ  1675 Jul 27 11:21 server.key
    -rw-------  1 russ russ  2517 Jul 27 11:25 server.pkcs12
    -rw-rw-r--  1 russ russ  1314 Jul 27 11:28 trust.crt
    -rw-rw-r--  1 russ russ  1287 Jul 27 11:35 trust.jks
    -rw-------  1 russ russ  1679 Jul 27 11:26 trust.key
    -rw-rw-r--  1 russ russ   993 Jul 27 11:43 user.csr
    -rw-------  1 russ russ  1675 Jul 27 11:41 user.key
    $ openssl x509 -req -days 365 -in user.csr -CA trust.crt -CAkey trust.key -CAcreateserial -out user.crt
    Signature ok
    subject=CN = windofkeltia.com, O = Wind of Keltia, L = Provo, ST = UT, C = US
    Getting CA Private Key
    $ ll user.crt
    -rw-rw-r--  1 russ russ  1192 Jul 27 13:23 user.crt
    
  5. Verify the certificate (user).
    $ openssl x509 -in user.crt -text
    Certificate:
    ...
    
  6. Create a PKCS12 keystore containing the RSA key and the signed certificate.
    $ openssl pkcs12 -export -inkey user.key -in user.crt -out user.pkcs12 -password pass:changeit
    $ ll
    -rw-rw-r--  1 russ russ  1294 Jul 27 11:23 server.crt
    -rw-------  1 russ russ  1675 Jul 27 11:21 server.key
    -rw-------  1 russ russ  2517 Jul 27 11:25 server.pkcs12
    -rw-rw-r--  1 russ russ  1314 Jul 27 11:28 trust.crt
    -rw-rw-r--  1 russ russ  1287 Jul 27 11:35 trust.jks
    -rw-------  1 russ russ  1679 Jul 27 11:26 trust.key
    -rw-rw-r--  1 russ russ    41 Jul 27 13:23 trust.srl*
    -rw-rw-r--  1 russ russ  1192 Jul 27 13:23 user.crt
    -rw-rw-r--  1 russ russ   993 Jul 27 11:43 user.csr
    -rw-------  1 russ russ  1675 Jul 27 11:41 user.key
    -rw-------  1 russ russ  2437 Jul 27 13:27 user.pkcs12
    
  7. Verify the keystore.
    $ openssl pkcs12 -info -noout -in user.pkcs12 -password pass:changeit
    MAC: sha1, Iteration 2048
    MAC length: 20, salt length: 8
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Certificate bag
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
    
    The 40-bit RC2, 3DES and SHA-1 shown here are the PKCS12 defaults of OpenSSL 1.1.1 and are weak by current standards. OpenSSL 3 defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC; on 1.1.1 you can request the same with -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 on the -export command. Older JDKs may not read stores protected that way, so confirm with keytool -list on the JDK that will use the file.
    

* An SRL file holds the serial number OpenSSL will assign to the next certificate it signs with a given CA, which is how the serial numbers issued under that CA stay unique. It is produced by -CAcreateserial: when the file does not exist, OpenSSL picks a starting serial (a random one in current versions, which is why trust.srl above is 41 bytes: 40 hexadecimal digits plus a newline) and writes it; on every later signing it reads the file, assigns that value to the new certificate, and writes back the incremented value, so you can keep passing -CAcreateserial. The default file name is the CA certificate's base name with the .srl extension, here trust.srl; -CAserial path selects a different file. The contents are hexadecimal.
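The three procedures above as one script, added here as an example (it is not code from the original page). It builds the same server, trust and user artifacts and then runs the checks the page leaves out: that each private key belongs to its certificate, that user.crt validates against trust.crt, and that the PKCS12 files open with the stored password. Assumptions not on the page: OpenSSL 1.1.1 or later, a writable directory passed as the single argument, keytool optional (the truststore is written as trust.p12 when it is present), the password kept in a mode-0600 file instead of on the command line, certificate extensions supplied from small .ext files, and CN=user for the user certificate rather than the page's CN=windofkeltia.com, for the reason given in the comment on make_user_keystore.

```shell
#!/bin/sh
# Added example, not code from the original page: the three procedures above as
# one script plus the checks the page skips. Assumes OpenSSL 1.1.1+; keytool is
# optional. Subject names and the 'changeit' password are the page's demo values,
# except the user CN (see make_user_keystore).
set -eu

# The page passes the store password as `-password pass:changeit`, which shows
# up in `ps` and shell history. Keep it in a mode-0600 file and use file: instead.
write_password_file() {
    (umask 077; printf '%s\n' "${2:-changeit}" > "$1/p12.pass")
}

# Key + CSR for one name; the extensions are decided at signing time (-extfile).
make_key_and_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/CN=$3/O=Wind of Keltia/L=Provo/ST=UT/C=US"
}

# Key + cert into a PKCS12 with AES-256/SHA-256 instead of the RC2/3DES/SHA-1
# defaults visible in the page's step 7 output.
export_pkcs12() {
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" -out "$1/$2.pkcs12" \
        -passout "file:$1/p12.pass" -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
}

# Server keystore: self-signed cert with a SAN, since clients match the host
# name against subjectAltName rather than CN.
make_server_keystore() {
    make_key_and_csr "$1" server localhost
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:localhost,IP:127.0.0.1' > "$1/server.ext"
    openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
        -extfile "$1/server.ext" -out "$1/server.crt"
    export_pkcs12 "$1" server
}

# Trust store: the trust cert is used below as a CA, so mark it as one explicitly
# rather than relying on the v3_ca section of the local openssl.cnf.
make_trust_store() {
    make_key_and_csr "$1" trust windofkeltia.com
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$1/trust.ext"
    openssl x509 -req -days 365 -in "$1/trust.csr" -signkey "$1/trust.key" \
        -extfile "$1/trust.ext" -out "$1/trust.crt"
    # keytool has defaulted to PKCS12 since Java 9 (hence "Keystore type: PKCS12"
    # for trust.jks on the page): name the type and skip the yes/no prompt.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -alias trust -file "$1/trust.crt" \
            -keystore "$1/trust.p12" -storetype PKCS12 -storepass:file "$1/p12.pass"
    fi
}

# User keystore: cert signed by the trust key. The CN differs from the CA's on
# purpose: the page gives both CN=windofkeltia.com, and OpenSSL treats a cert
# whose subject equals its issuer as self-issued, so `openssl verify` would then
# reject it as an untrusted self-signed certificate.
make_user_keystore() {
    make_key_and_csr "$1" user user    # CN=user is this example's choice
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' 'authorityKeyIdentifier=keyid' > "$1/user.ext"
    # -CAcreateserial creates trust.srl on the first run; later runs read and
    # increment it, which is what keeps serial numbers unique under one CA.
    openssl x509 -req -days 365 -in "$1/user.csr" -CA "$1/trust.crt" -CAkey "$1/trust.key" \
        -CAcreateserial -extfile "$1/user.ext" -out "$1/user.crt"
    export_pkcs12 "$1" user
}

# Checks the page never runs.
key_matches_cert() {   # does the private key belong to the certificate?
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
chains_to_trust() {    # does user.crt validate against trust.crt?
    openssl verify -CAfile "$1/trust.crt" "$1/user.crt" >/dev/null
}
pkcs12_opens() {       # does the store open with the password from the file?
    openssl pkcs12 -in "$1" -passin "file:$2" -noout
}

make_all() {
    write_password_file "$1"
    make_server_keystore "$1"
    make_trust_store "$1"
    make_user_keystore "$1"
    key_matches_cert "$1/server.key" "$1/server.crt"
    key_matches_cert "$1/user.key" "$1/user.crt"
    chains_to_trust "$1"
    pkcs12_opens "$1/server.pkcs12" "$1/p12.pass"
    pkcs12_opens "$1/user.pkcs12" "$1/p12.pass"
    echo "all checks passed; artifacts in $1"
}

# Usage: sh keystores.sh <directory>   (no argument: only define the functions)
[ $# -eq 0 ] || make_all "$1"
```

Run it as `sh keystores.sh ./out` (the directory must exist). The key/certificate comparison works by re-deriving the public key from each side and comparing the PEM text, which catches the common mistake of packaging a certificate with the wrong key; `openssl verify` is the check that matters before handing user.pkcs12 to a client, since the page's own steps never confirm that the user certificate actually chains to the trust certificate.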

Links


Step by Step guide to Enable HTTPS or SSL correct way on Apache Tomcat Server—Port 8443

Also check out How to generate a self-signed certificate.