Menu
I want to generate a self signed trusted certificate and a csr and sign the csr with trusted certificate created. I am trying it with keytool. In the first step of creating a trusted certificate using the below command
keytool -genkey -alias mytrustCA -keyalg RSA -keystore keystore.jks -keysize 1024
where it puts the certificate into keystore. How can I store it to a file ? and when I list the contents using
keytool -list -v -keystore cert/test.keystore
Certificate created with above "genkey" command creates with entry type as "PrivateKeyEntry", how can create a trusted Cert Entry ?
516
Use the standard JDK keytool utility to generate and load a new key and a self-signed certificate. When prompted, supply the certificate and password information. Doing so protects the keystore file and the keys within in the file.
In your first command, you have used the -genkey option to generate the keystore named keystore.jks.
To export the certificate in .CER format file, you will need to use the -export option of the keytool.
An example is:
keytool -v -export -file mytrustCA.cer -keystore keystore.jks -alias mytrustCA
This will generate a file named mytrustCA.cer
To generate a certificate request to send to a CA for obtaining a signed certificate, you will need to use the -certreq option of keytool.
An example is:
keytool -v -certreq -keystore keystore.jks -alias mytrustCA
This will ask for the keystore password and on successful authentication, it will show the certificate request as given below (a sample).
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJhMQ8wDQYDVQQH
EwZNdW1iYWkxEjAQBgNVBAoTCU1pbmRzdG9ybTEUMBIGA1UECxMLRW5naW5lZXJpbmcxFDASBgNV
BAMTC1JvbWluIElyYW5pMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqOLEumwLHlzIUAPD6
Ab1pVp84mhSNCCcUKInZbSdiDYnKSr46EjEw0PtZOVPJbM4ZG3bZsOboYr0YfViJi41o4yJICFAZ
8wCQQxPK/4N8MPV7C5WDH28kRKGH/Pc2e7CxV+as573I34QmkINk7fEyERMDwP/WgmrcKZgL0sfy
ewIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAlcpjOUZFP9ixskXSA7HNlioWwjbL9f9rQskJ9rK8
kGLJ1td+mqqm20yo/JrKCzZjOMqr/aL6Zw2dkoyU34T9HnR2Bs3SgKn6wlYsYEVvVBk71Ec6PeTi
e+fhfNQEHsj4wuB4qixO3s1jtsLDy+DpTzYguszczwxXGFVNuk+y2VY=
-----END NEW CERTIFICATE REQUEST-----
You will need to send this Certificate REquest or paste it into the Digital Certificate signer webpage. Alternately, you can even redirect this output to a file instead of the console as follows:
keytool -v -certreq -keystore keystore.jks -alias mytrustCA > mycertreq.txt
This is a command line example without any interactive prompts, may be easier to use this way and document all commands in a text file.
Create JavaKeyStore file and a self-signed certificate key
keytool -genkey -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype JKS \
-keystore my.server.com.jks -storepass mypwd -keypass mypwd \
-dname "CN=my.server.com, OU=EastCoast, O=MyComp Ltd, L=New York, ST=, C=US" \
-ext "SAN=dns:my.server.com,dns:www.my.server.com,ip:11.22.33.44" \
-validity 7200
keytool -keystore my.server.com.jks -storepass mypwd -list -v
You can use this keystore(.jks) file already in Tomcat but browsers give a self-signed certificate warning. Give SubjectAlternativeName extension argument with one or more dns names and optional ip address.
Create CertificateSigningRequest file
keytool -certreq -alias server -file my.server.com.csr \
-keystore my.server.com.jks -storepass mypwd \
-ext "SAN=dns:my.server.com,dns:www.my.server.com,ip:11.22.33.44" \
keytool -printcertreq -file my.server.com.csr
Send .csr file to CertificateAuthority(CA) operator for signing, you should later receive a certificate(cer) file. You must give here SubjectAlternativeName extension argument second time.
Import Certificate file to a keystore
keytool -import -trustcacerts -keystore my.server.com.jks -storepass mypwd \
-alias server -file my.server.com.cer
This command pairs your private key and a public certificate with a trusted valid CA authority. Browsers should not give a certificate warning anymore.
Import intermediate CA certs
keytool.exe -importcert -trustcacerts -file SomeCA.cer -alias someca -keystore my.server.com.jks -storepass mypwd
keytool.exe -importcert -trustcacerts -file SomeCAIssuing.cer -alias somecaissuing -keystore my.server.com.jks -storepass mypwd
This imports CA issuing certificates, you may need to do this before importing your certificate file(.cer).
Your hostname certificate may have an expiration date, so once about to expire soon create a new signing request(.csr) file from the keystore, send new csr file to CA authority, import new certificate(.cer) file.
You most likely are using jks keystore in Tomcat web server so here is tomcat/conf/server.xml https connector examples.
Tomcat 9+
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="20000" maxThreads="150"
URIEncoding="UTF-8" useBodyEncodingForURI="true" maxHttpHeaderSize="65536"
compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig protocols="all">
<Certificate certificateKeystoreFile="my.server.com.jks" certificateKeystoreType="JKS"
certificateKeystorePassword="mypwd" certificateKeyAlias="server" />
</SSLHostConfig>
</Connector>
Tomcat8.5, if older than 8.0 you may need to drop ciphers arguments
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
disableUploadTimeout="true" useBodyEncodingForURI="true"
acceptCount="300" acceptorThreadCount="2" maxThreads="400"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
compression="off" compressionMinSize="2048"
keystoreFile="my.server.com.jks" keystorePass="mypwd" keyAlias="server"
SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
sslEnabledProtocols="+TLSv1,+TLSv1.1,+TLSv1.2"
ciphers="
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSVF
"
/>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
