Java's keytool
Russell Bateman
While this is about creating the artifacts that go into a Java keystore and truststore, most of the work is done with openssl (much of it could probably be done with keytool instead). The distinction matters for what ends up where: a keystore holds a private key together with its certificate (what a server or client presents to the peer), while a truststore holds only certificates, namely the CAs whose signatures the other side is willing to accept. Here the truststore gets trust.crt, a self-signed CA whose key then signs the user certificate.
Useful link: The keytool command.
You'll find these accumulating in the current working directory as you follow these steps.
Server keystore | Server truststore | User keystore
---|---|---
server.key | trust.key | user.key
— | — | user.csr
server.crt | trust.crt | user.crt
server.pkcs12 | — | user.pkcs12
— | trust.jks | —
$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus ...
$ ll server.key
-rw------- 1 russ russ 1675 Jul 27 11:21 server.key
$ openssl req -new -x509 -days 365 -key server.key -out server.crt -subj "/CN=localhost/O=Wind of Keltia/L=Provo/ST=UT/C=US/"
$ ll server.crt
-rw-rw-r-- 1 russ russ 1294 Jul 27 11:23 server.crt
$ openssl x509 -in server.crt -text
Certificate:
...
$ openssl pkcs12 -export -out server.pkcs12 -password pass:changeit -inkey server.key -in server.crt
$ openssl pkcs12 -info -noout -in server.pkcs12
Enter Import Password:
...
$ ll
-rw-rw-r-- 1 russ russ 1294 Jul 27 11:23 server.crt
-rw------- 1 russ russ 1675 Jul 27 11:21 server.key
-rw------- 1 russ russ 2517 Jul 27 11:25 server.pkcs12
$ openssl genrsa -out trust.key 2048
Generating RSA private key, 2048 bit long modulus ...
$ ll trust.key
-rw------- 1 russ russ 1679 Jul 27 11:26 trust.key
$ openssl req -new -x509 -days 365 -key trust.key -out trust.crt -subj "/CN=windofkeltia.com/O=Wind of Keltia/L=Provo/ST=UT/C=US/"
$ ll trust.crt
-rw-rw-r-- 1 russ russ 1314 Jul 27 11:28 trust.crt
$ openssl x509 -in trust.crt -text
Certificate:
...
$ keytool -importcert -alias tomcat -file trust.crt -keystore trust.jks -storepass changeit
Owner: C=US, ST=UT, L=Provo, O=Wind of Keltia, CN=windofkeltia.com
...
Trust this certificate? [no]: yes
Certificate was added to keystore
$ ll trust.jks
-rw-rw-r-- 1 russ russ 1287 Jul 27 11:35 trust.jks
$ keytool -list -v -keystore trust.jks -storepass changeit
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
...
Note the keystore type: the file is called trust.jks, but keytool in Java 9 and later writes PKCS12 by default regardless of the file name. If something really needs the old JKS format, add -storetype JKS when creating the store.
$ openssl genrsa -out user.key 2048
Generating RSA private key, 2048 bit long modulus ...
$ ll user.key
-rw------- 1 russ russ 1675 Jul 27 11:41 user.key
$ openssl req -out user.csr -key user.key -new -subj "/CN=windofkeltia.com/O=Wind of Keltia/L=Provo/ST=UT/C=US/"
$ ll user.csr
-rw-rw-r-- 1 russ russ 993 Jul 27 11:43 user.csr
$ cat user.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICozCCAYsCAQAwXjEZMBcGA1UEAwwQd2luZG9ma2VsdGlhLmNvbTEXMBUGA1UE
...
$ ll
-rw-rw-r-- 1 russ russ 1294 Jul 27 11:23 server.crt
-rw------- 1 russ russ 1675 Jul 27 11:21 server.key
-rw------- 1 russ russ 2517 Jul 27 11:25 server.pkcs12
-rw-rw-r-- 1 russ russ 1314 Jul 27 11:28 trust.crt
-rw-rw-r-- 1 russ russ 1287 Jul 27 11:35 trust.jks
-rw------- 1 russ russ 1679 Jul 27 11:26 trust.key
-rw-rw-r-- 1 russ russ  993 Jul 27 11:43 user.csr
-rw------- 1 russ russ 1675 Jul 27 11:41 user.key
$ openssl x509 -req -days 365 -in user.csr -CA trust.crt -CAkey trust.key -CAcreateserial -out user.crt
Signature ok
subject=CN = windofkeltia.com, O = Wind of Keltia, L = Provo, ST = UT, C = US
Getting CA Private Key
$ ll user.crt
-rw-rw-r-- 1 russ russ 1192 Jul 27 13:23 user.crt
Two things to be aware of in this step. First, openssl x509 -req adds no extensions unless you pass -extfile, so user.crt comes out as an X.509 v1 certificate with no basicConstraints, keyUsage or subjectAltName; that is fine for an experiment but not for anything a strict client will validate. Second, the CSR reused the CA's subject string, so user.crt has exactly the same subject as its issuer; legal, but confusing when you read chains later, and a real user certificate should carry its own CN.
$ openssl x509 -in user.crt -text
Certificate:
...
$ openssl pkcs12 -export -inkey user.key -in user.crt -out user.pkcs12 -password pass:changeit
$ ll
-rw-rw-r-- 1 russ russ 1294 Jul 27 11:23 server.crt
-rw------- 1 russ russ 1675 Jul 27 11:21 server.key
-rw------- 1 russ russ 2517 Jul 27 11:25 server.pkcs12
-rw-rw-r-- 1 russ russ 1314 Jul 27 11:28 trust.crt
-rw-rw-r-- 1 russ russ 1287 Jul 27 11:35 trust.jks
-rw------- 1 russ russ 1679 Jul 27 11:26 trust.key
-rw-rw-r-- 1 russ russ   41 Jul 27 13:23 trust.srl*
-rw-rw-r-- 1 russ russ 1192 Jul 27 13:23 user.crt
-rw-rw-r-- 1 russ russ  993 Jul 27 11:43 user.csr
-rw------- 1 russ russ 1675 Jul 27 11:41 user.key
-rw------- 1 russ russ 2437 Jul 27 13:27 user.pkcs12
$ openssl pkcs12 -info -noout -in user.pkcs12 -password pass:changeit
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
The algorithms in that listing (40-bit RC2 for the certificate bag, 3DES for the key bag, a SHA-1 MAC) are the OpenSSL 1.x defaults. OpenSSL 3 defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC, and needs the -legacy option even to read a file built with the old algorithms, so if the file has to be consumed by a particular JDK or tool, choose them explicitly with -certpbe, -keypbe and -macalg rather than relying on whatever the local default is. Also, pass:changeit on the command line ends up in shell history and in ps output; for anything but a throwaway password use -passout file:... or -passout env:... instead.
* An SRL file (serial number file) holds the serial number OpenSSL assigned to the certificate it last signed with this CA; OpenSSL uses it to keep serial numbers unique among the certificates a CA issues. It is created by the -CAcreateserial option.
The first time you sign with a CA, pass -CAcreateserial so the file gets created (recent OpenSSL versions seed it with a random value, which is why trust.srl above is 41 bytes: 40 hex digits and a newline; older versions started from 1). On later signings OpenSSL reads the file, increments the value, gives the result to the new certificate as its serial number and writes it back to the same file; nothing new is created. By default the file is the CA certificate's file name with the extension replaced by .srl (trust.crt gives trust.srl); -CAserial path names a different file. Its contents are hexadecimal.
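The whole procedure above, as an added example that is not code from the original page: one script that builds the same three sets of files (server keystore, CA truststore, user keystore), then checks them in the ways the page never does. It goes beyond the page in three places: every certificate gets explicit extensions (a SAN for the server, CA:TRUE for the CA, a clientAuth-only v3 profile for the user instead of the v1 certificate that bare openssl x509 -req produces), the user PKCS#12 carries the CA certificate as a chain, and the results are verified with openssl verify. Assumptions, all mine: openssl 1.1.1 or later is in PATH; keytool is used only if a JDK is installed; the password, the scratch directory and the user CN "russ" are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original page: the same three sets of files as
# above built in one run, then checked. Assumes openssl 1.1.1+ in PATH; the keytool
# step is skipped without a JDK. The user CN "russ" and the password are made up.
set -eu

PASS="${PASS:-changeit}"          # the same throwaway password the page uses
WORK="${WORK:-$(mktemp -d)}"      # scratch directory instead of the CWD
DN="/O=Wind of Keltia/L=Provo/ST=UT/C=US"

# One small config for all three certificates, so the result does not depend on
# the system openssl.cnf. req insists on a [dn] section even when -subj is given.
write_cnf() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
default_md = sha256
prompt = no
[dn]
commonName = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
[user_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Server keystore: self-signed key + cert, bundled as PKCS#12. The SAN is what
# Java 11+, curl and browsers match the host name against, not the CN.
make_server() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions server_ext \
        -newkey rsa:2048 -nodes -days 365 -subj "/CN=localhost$DN" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -out "$WORK/server.pkcs12" -password "pass:$PASS"
}

# Server truststore: a private CA, explicitly marked CA:TRUE.
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 365 -subj "/CN=windofkeltia.com$DN" \
        -keyout "$WORK/trust.key" -out "$WORK/trust.crt" 2>/dev/null
    chmod 600 "$WORK/trust.key"
}

# User keystore: CSR signed by the CA. Without -extfile, 'x509 -req' emits an
# X.509 v1 certificate with no extensions; [user_ext] makes it a v3 end-entity
# certificate limited to client authentication.
make_user() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=russ$DN" -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    chmod 600 "$WORK/user.key"
    openssl x509 -req -sha256 -days 365 -in "$WORK/user.csr" \
        -CA "$WORK/trust.crt" -CAkey "$WORK/trust.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions user_ext -out "$WORK/user.crt" 2>/dev/null
    # -certfile adds the issuing CA to the bundle, so importers receive a chain.
    openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
        -certfile "$WORK/trust.crt" -out "$WORK/user.pkcs12" -password "pass:$PASS"
}

# Java side, only when a JDK is present: the CA cert is all the truststore needs
# (keytool reads server.pkcs12 as-is, so the server side needs no conversion).
java_stores() {
    command -v keytool >/dev/null 2>&1 || return 0
    rm -f "$WORK/trust.jks"
    keytool -importcert -noprompt -alias ca -file "$WORK/trust.crt" \
        -keystore "$WORK/trust.jks" -storepass "$PASS" >/dev/null 2>&1
}

# Checks worth running before the files go anywhere: user.crt validates against
# the CA; the self-signed server cert does NOT (it is its own root, which is why
# it lives in a keystore); the key belongs to the cert; user.pkcs12 holds 2 certs.
verify_chain()        { openssl verify -CAfile "$WORK/trust.crt" "$WORK/user.crt" >/dev/null 2>&1; }
server_not_in_chain() { ! openssl verify -CAfile "$WORK/trust.crt" "$WORK/server.crt" >/dev/null 2>&1; }
key_matches_cert()    { [ "$(openssl x509 -in "$WORK/user.crt" -noout -pubkey)" = "$(openssl pkey -in "$WORK/user.key" -pubout)" ]; }
pkcs12_cert_count()   { openssl pkcs12 -in "$WORK/user.pkcs12" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

build_all() { write_cnf; make_server; make_ca; make_user; java_stores; }

build_all
verify_chain; server_not_in_chain; key_matches_cert   # any failure aborts (set -e)
echo "checks passed; user.pkcs12 holds $(pkcs12_cert_count) certificates; files in $WORK"
```

Run it as-is and it leaves the files in a temporary directory (set WORK=. to get the page's layout in the current directory). The negative check is the one people skip: a self-signed server certificate that happens to validate against your truststore CA would mean the two roles got mixed up. The serial file appears as trust.srl next to trust.crt exactly as in the page's listing, because -CA names the file the default .srl path is derived from.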
See Step by Step guide to Enable HTTPS or SSL correct way on Apache Tomcat Server—Port 8443.
Also check out How to generate a self-signed certificate.