LibraryLink ToToggle FramesPrintFeedback
Prev   Next

Use the CA to Create Signed Certificates in a Java Keystore

Substeps to perform

To create and sign a certificate in a Java keystore (JKS), CertName.jks, perform the following substeps:

  1. Add the Java bin directory to your PATH

  2. Generate a certificate and private key pair

  3. Create a certificate signing request

  4. Sign the CSR

  5. Convert to PEM format

  6. Concatenate the files

  7. Update keystore with the full certificate chain

  8. Repeat steps as required

Add the Java bin directory to your PATH

If you have not already done so, add the Java bin directory to your path:

Windows 

> set PATH=JAVA_HOME\bin;%PATH%

UNIX 

% PATH=JAVA_HOME/bin:$PATH; export PATH

This step makes the keytool utility available from the command line.

Generate a certificate and private key pair

Open a command prompt and change directory to KeystoreDir. Enter the following command:

keytool -genkey -dname "CN=Alice, OU=Engineering, O=IONA Technologies PLC, ST=Co. Dublin, C=IE" -validity 365 -alias CertAlias -keypass CertPassword -keystore CertName.jks -storepass CertPassword

This keytool command, invoked with the -genkey option, generates an X.509 certificate and a matching private key. The certificate and key are both placed in a key entry in a newly created keystore, CertName.jks. Because the specified keystore, CertName.jks, did not exist before issuing the command, keytool implicitly creates a new keystore.

The -dname and -validity flags define the contents of the newly created X.509 certificate, specifying the subject DN and days before expiration respectively. For more details about DN format, see Appendix A .

Some parts of the subject DN must match the values in the CA certificate (specified in the CA Policy section of the openssl.cnf file). The default openssl.cnf file requires the following entries to match:

  • Country Name (C)

  • State or Province Name (ST)

  • Organization Name (O)

[Note]Note

If you do not observe the constraints, the OpenSSL CA will refuse to sign the certificate (see Sign the CSR ).

Create a certificate signing request

Create a new certificate signing request (CSR) for the CertName.jks certificate:

keytool -certreq -alias CertAlias -file CertName_csr.pem -keypass CertPassword -keystore CertName.jks -storepass CertPassword

This command exports a CSR to the file, CertName_csr.pem.

Sign the CSR

Sign the CSR using your CA:

openssl ca -config X509CA/openssl.cnf -days 365 -in CertName_csr.pem -out CertName.pem

To sign the certificate successfully, you must enter the CA private key pass phrase—see Set Up Your Own CA .

[Note]Note

If you want to sign the CSR using a CA certificate other than the default CA, use the -cert and -keyfile options to specify the CA certificate and its private key file, respectively.

Convert to PEM format

Convert the signed certificate, CertName.pem, to PEM only format:

openssl x509 -in CertName.pem -out CertName.pem -outform PEM

Concatenate the files

Concatenate the CA certificate file and CertName.pem certificate file, as follows:

Windows 

copy CertName.pem + X509CA\ca\new_ca.pem CertName.chain

UNIX

cat CertName.pem X509CA/ca/new_ca.pem > CertName.chain

Update keystore with the full certificate chain

Update the keystore, CertName.jks, by importing the full certificate chain for the certificate:

keytool -import -file CertName.chain -keypass CertPassword -keystore CertName.jks -storepass CertPassword

Repeat steps as required

Repeat steps 2 to 7, creating a complete set of certificates for your system.

Prev Up Next
 Home