I want to create certificate chain in java as follows:
ca.mycompany.com
|--asia.mycompany.com
|--india.mycompany.com
where ca.mycompany.com is a root certificate (self signed).
I know this is possible with OpenSSL. But is it possible to achieve this with keytool?
If not, can I achieve this with Mozilla NSS library?
There is an example in the keytool documentation that shows how to do this:
keytool -genkeypair -keystore root.jks -alias root -ext bc:c
keytool -genkeypair -keystore ca.jks -alias ca -ext bc:c
keytool -genkeypair -keystore server.jks -alias server
keytool -keystore root.jks -alias root -exportcert -rfc > root.pem
keytool -storepass <storepass> -keystore ca.jks -certreq -alias ca | keytool -storepass <storepass> -keystore root.jks -gencert -alias root -ext BC=0 -rfc > ca.pem
cat root.pem ca.pem > cachain.pem
keytool -keystore ca.jks -importcert -alias ca -file cachain.pem
keytool -storepass <storepass> -keystore server.jks -certreq -alias server | keytool -storepass <storepass> -keystore ca.jks -gencert -alias ca -ext ku:c=dig,keyEncipherment -rfc > server.pem
cat root.pem ca.pem server.pem > serverchain.pem
keytool -keystore server.jks -importcert -alias server -file serverchain.pem
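The same procedure carried through for the three names in the question, as an added example that is not part of the answer above or of the keytool documentation. It assumes a JDK 9 or later `keytool` on PATH, uses PKCS12 stores instead of `.jks`, and the password, validity periods, and key sizes are constructed placeholders. It also adds the leaf-certificate extensions a TLS server actually needs (SAN, EKU) and checks the result with `keytool -list -v`:

```shell
#!/bin/sh
# Added example: build ca.mycompany.com -> asia.mycompany.com -> india.mycompany.com
# with keytool only. Password and validity values below are placeholders.
set -eu

PASS="changeit"   # placeholder; use a real secret outside a demo

# Wrapper so every call uses the same store type and store password.
kt() { keytool -storetype PKCS12 -storepass "$PASS" "$@"; }

# Body runs in a subshell so the cd does not leak into the caller.
build_chain() (
  cd "$1"

  # 1. Key pairs. Root and intermediate get a critical BasicConstraints CA:true
  #    (bc:c); the leaf gets none.
  kt -genkeypair -keystore ca.p12 -alias ca -keypass "$PASS" -keyalg RSA -keysize 2048 \
     -dname "CN=ca.mycompany.com" -validity 3650 -ext bc:c
  kt -genkeypair -keystore asia.p12 -alias asia -keypass "$PASS" -keyalg RSA -keysize 2048 \
     -dname "CN=asia.mycompany.com" -validity 1825 -ext bc:c
  kt -genkeypair -keystore india.p12 -alias india -keypass "$PASS" -keyalg RSA -keysize 2048 \
     -dname "CN=india.mycompany.com" -validity 365

  # 2. Export the self-signed root certificate (PEM).
  kt -keystore ca.p12 -alias ca -exportcert -rfc > ca.pem

  # 3. Root signs the intermediate's CSR. BC:c=0 = CA:true, pathlen 0, critical,
  #    so asia may issue end-entity certificates but no further CAs.
  kt -keystore asia.p12 -alias asia -certreq \
    | kt -keystore ca.p12 -alias ca -gencert -ext BC:c=0 -validity 1825 -rfc > asia.pem
  cat ca.pem asia.pem > asia-chain.pem
  # -noprompt accepts the reply whose top-level cert is our own (untrusted-by-default) root.
  kt -keystore asia.p12 -alias asia -importcert -file asia-chain.pem -noprompt

  # 4. Intermediate signs the leaf's CSR with TLS-server extensions: key usage
  #    (critical), serverAuth EKU and a DNS SAN matching the hostname.
  kt -keystore india.p12 -alias india -certreq \
    | kt -keystore asia.p12 -alias asia -gencert -validity 365 -rfc \
         -ext ku:c=digitalSignature,keyEncipherment \
         -ext eku=serverAuth \
         -ext san=dns:india.mycompany.com > india.pem
  cat ca.pem asia.pem india.pem > india-chain.pem
  kt -keystore india.p12 -alias india -importcert -file india-chain.pem -noprompt
)

# Number of certificates keytool reports for a key entry ("Certificate chain length: N").
chain_length() {
  kt -keystore "$1" -alias "$2" -list -v | sed -n 's/^Certificate chain length: //p'
}

# Issuer DN of the first certificate in the entry's chain, i.e. who signed the leaf.
leaf_issuer() {
  kt -keystore "$1" -alias "$2" -list -v | sed -n 's/^Issuer: //p' | head -n 1
}

# Stand-alone use: sh chain.sh /path/to/empty/dir
if [ "$#" -eq 1 ]; then
  build_chain "$1"
  echo "india chain length: $(chain_length "$1/india.p12" india)"
  echo "india issued by:    $(leaf_issuer "$1/india.p12" india)"
fi
```

A `-list -v` on `india.p12` should report a chain length of 3 with the leaf issued by `CN=asia.mycompany.com`; if `-gencert` is run without `BC:c=0` on the intermediate, or without a SAN on the leaf, modern TLS clients will reject the chain even though keytool builds it without complaint.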
You can also generate certificate chains pretty easily with KeyStore Explorer:
The resulting chain:
This is a perfect tutorial which helps you go through the process of creating a certificate chain using keytool. Basically, the process is that you need to sign the certificate with the keys from the CA and then install the certificate into the keystore you create.