Java Keystore and Certificates
- Notice: Fedora uses /etc/pki/tls instead of /etc/ssl for the certificates.
Java ships with a tool to generate keys and certificates: keytool (part of the JDK). Sometimes it is necessary to store certificates in a keystore (especially for use by Java applications), and this tool is the way to go. These notes are not as detailed as I wished, and I'll complete them the next time I need to use this tool.
Java keystore: our.keystore
Generate a private key
cd /etc/ssl/private
keytool -genkey -keyalg rsa -keystore our.keystore -alias $CERT
Notice: -genkey is the older name of -genkeypair. It creates an RSA key pair plus a self-signed placeholder certificate under the alias $CERT; the signed certificate imported in the last step replaces that placeholder. keytool prompts for the keystore password, the key password and the distinguished name.
Generate a certificate request
keytool -certreq -alias $CERT -keystore our.keystore -file ../certs/$CERT.req
Notice: If not already done, import the CA certificate into the keystore. keytool needs the issuer's certificate in the store to validate the certificate reply, so this import must happen before the signed certificate is imported:
keytool -import -alias certsign -file ../certs/certsign.crt -keystore our.keystore
Answer "yes" to trust this certificate
CertSign signs / issues the certificate
Send the .req file to /etc/ssl/certs and generate the .crt file:
openssl x509 -req -days 9125 -sha1 \
-extfile /etc/ssl/openssl.cnf -extensions v3_req \
-CA /etc/ssl/certs/certsign.crt -CAkey /etc/ssl/private/certsign.key \
-CAserial /etc/ssl/certsign.srl -CAcreateserial \
-in /etc/ssl/certs/$CERT.req -out /etc/ssl/certs/$CERT.crt
Notice: -sha1 produces a SHA-1 signature, which current browsers and recent JDKs reject; use -sha256 instead. 9125 days is 25 years, far longer than clients accept today, so pick a validity that matches the intended use.
Send the .crt file back and add it to keystore:
keytool -import -alias $CERT -file ../certs/$CERT.crt -keystore our.keystore
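The whole procedure above, carried out end to end in a scratch directory, as an added example that is not part of the original notes. It creates a throw-away CA with openssl in place of "CertSign", then runs the keytool steps (key pair, request, CA import, signing, reply import) and finally checks the result both with openssl verify and with keytool -list. The alias app.example, the password changeit and all file names are constructed for the example; it assumes keytool (JDK) and openssl 1.1.1 or newer on PATH, and it signs with SHA-256 and a one-year validity rather than the -sha1 / 9125 days of the notes.

```shell
#!/bin/sh
# Added example, not code from the original page: keystore workflow end to end.
set -eu

DEMO_ALIAS="app.example"   # constructed alias; the notes use $CERT
DEMO_PASS="changeit"       # constructed; a real keystore needs a strong, non-default password

# Both tools are needed; the demo skips itself cleanly when they are absent.
tools_available() {
  command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

# Build CA, keystore, request, signed certificate and chain under $1.
build_chain() {
  work="$1"
  mkdir -p "$work/private" "$work/certs"

  # 1. Throw-away CA standing in for "CertSign" (self-signed, marked as a CA).
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=CertSign Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$work/private/certsign.key" -out "$work/certs/certsign.crt" >/dev/null 2>&1

  # 2. Key pair (plus placeholder self-signed cert) under the alias.
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -alias "$DEMO_ALIAS" -keystore "$work/private/our.keystore" \
    -storepass "$DEMO_PASS" -keypass "$DEMO_PASS" \
    -dname "CN=$DEMO_ALIAS, O=Example"

  # 3. Certificate request for that key.
  keytool -certreq -alias "$DEMO_ALIAS" -keystore "$work/private/our.keystore" \
    -storepass "$DEMO_PASS" -file "$work/certs/$DEMO_ALIAS.req"

  # 4. CA certificate first, so keytool can validate the reply in step 6.
  keytool -import -noprompt -alias certsign -file "$work/certs/certsign.crt" \
    -keystore "$work/private/our.keystore" -storepass "$DEMO_PASS"

  # 5. CA signs the request: SHA-256, one year, explicit leaf extensions.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$DEMO_ALIAS" > "$work/certs/ext.cnf"
  openssl x509 -req -days 365 -sha256 \
    -extfile "$work/certs/ext.cnf" \
    -CA "$work/certs/certsign.crt" -CAkey "$work/private/certsign.key" -CAcreateserial \
    -in "$work/certs/$DEMO_ALIAS.req" -out "$work/certs/$DEMO_ALIAS.crt" 2>/dev/null

  # 6. Signed certificate back into the store under the same alias as the key.
  keytool -import -noprompt -alias "$DEMO_ALIAS" -file "$work/certs/$DEMO_ALIAS.crt" \
    -keystore "$work/private/our.keystore" -storepass "$DEMO_PASS"
}

# Verify the outcome: openssl must accept the leaf against the CA, and the
# keystore entry must be a private key with a two-certificate chain (leaf + CA).
chain_ok() {
  work="$1"
  openssl verify -CAfile "$work/certs/certsign.crt" "$work/certs/$DEMO_ALIAS.crt" >/dev/null 2>&1 || return 1
  listing=$(keytool -list -v -alias "$DEMO_ALIAS" -keystore "$work/private/our.keystore" \
    -storepass "$DEMO_PASS")
  printf '%s\n' "$listing" | grep -q 'PrivateKeyEntry' || return 1
  printf '%s\n' "$listing" | grep -q 'Certificate chain length: 2' || return 1
}

# Run the demo in $1; returns 0 on success or when the tools are not installed.
run_demo() {
  if ! tools_available; then
    echo "keytool or openssl not found; skipping demo"
    return 0
  fi
  build_chain "$1" && chain_ok "$1" && echo "keystore built and verified in $1"
}

# Stand-alone use: build everything in a fresh temporary directory.
run_demo "$(mktemp -d)"
```

The order of the two imports is the point most often got wrong: if the signed certificate is imported before the CA certificate, keytool cannot build a chain for the reply and refuses it.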
Read further: http://www.startux.de/index.php/component/content/article/25-java/44-dealing-with-java-keystores