
I created a CSR file using

openssl req -nodes -newkey rsa:2048 -keyout yourdomain.key -out yourdomain.csr -sha256

It created a CSR file and a key file. I submitted the CSR file to a CA. They responded with a single file, yourdomain.crt.

I've tried to import the yourdomain.crt into my Java cacerts with:

keytool -import -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -file ~/Desktop/user/yourdomain.crt -alias yourdomain

And now I am confused about how to generate a keystore (jks file). Do I use the same yourdomain.crt? And what is the command that I should use?

My spring boot program consists of

    // trust store: the JDK cacerts file; key store: the JKS holding the server key + cert
    File trustStoreFile = new File(CACERTS_PATH);
    File keyStoreFile = new File(JKS_PATH);
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(keyStoreFile), KEY_PASS.toCharArray());
    return SSLContextBuilder.create()
            .useProtocol("TLS")
            .loadKeyMaterial(ks, KEY_PASS.toCharArray())
            .loadTrustMaterial(trustStoreFile, TRUST_PASS.toCharArray())
            .build();

So I need a cacerts path, which I believe is the cacerts from my JDK, and the password is the one I typed when prompted for it.

Now how do I generate a keystore file for it?

And do I need to add the server.ssl properties for Spring Boot?


1 Answer


First, you have to convert yourdomain.crt to .p12 format. To do so, write the following command in the openssl terminal:

    pkcs12 -export -in yourdomain.crt -inkey yourdomain.key -chain -CAfile rootCA.pem -name "localhost" -out my.p12

where rootCA.pem is something you have to create; for that, write the following commands in openssl:

Step 1:

    genrsa -des3 -out rootCA.key 2048

Hit enter and you will get the rootCA.key file.

Step 2:

    req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

yourdomain.key is something you have to create by entering the following command in openssl:

    req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf

where the server.csr.cnf file contains the following (inside it you can write):

    authorityKeyIdentifier = keyid, issuer
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = localhost
    IP.1 = 127.0.0.1
    IP.2 = 192.168.1.XX
    IP.3 = 192.XXX.XX.XXX
    IP.4 = 192.XX.XX.XX

and so on.

The server.csr and server.key files are created.

After following all the steps, you will get a .p12 format file. Now you have to convert the .p12 file to keystore.jks format; to do so, write the following command in cmd (opened in administrator mode):

    keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12

3 Comments

For a cert obtained from a real CA, creating your own CA is unnecessary and useless. Use the chain and optionally root cert(s) from the real CA instead.
@dave_thompson_085 I have received a domain.crt from the CA, please would you clarify with steps.
@MohendraAmatya: as in the many dupes, and the first part of Pankaj's answer, use openssl pkcs12 -export with at least the CA-provided cert and your private key file. For best results you should also provide the chain cert(s) supplied or specified by the CA, which vary depending on the type of cert you got and the CA you got it from; if p7b/p7c/pkcs7 format first 'unpack' with openssl pkcs7 -print_certs.
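The answer's two-step conversion (cert + key to PKCS12, then PKCS12 to JKS), with the comment's advice applied (bundle the chain the real CA supplied instead of creating a rootCA), as an added shell example that is not part of the question or the answer. It assumes openssl 1.1.1+ and, for the optional JKS step, keytool on PATH; the file name chain.pem, the functions build_demo_material, make_p12, to_jks, key_matches_cert, chain_ok, p12_cert_count, p12_subject and spring_props, the password changeit, and the throwaway Demo-CA/localhost material are all constructed here so the script runs offline. The server.ssl.* property names are Spring Boot's own and address the question's last point, which the answer does not cover. It also adds the pre-deployment checks (key/cert match, chain validation, reading the bundle back) that the answer leaves out.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Assumes openssl (1.1.1+) and,
# for the optional JKS step, keytool on PATH. Inputs assumed: yourdomain.key
# (kept from the CSR step), yourdomain.crt (returned by the CA) and the CA's
# intermediate chain saved as chain.pem (file name assumed; use what the CA gave).
set -eu

# Step 1: bundle private key + leaf cert + CA chain into one PKCS12 file.
# -certfile carries the intermediates so clients can build the chain; a
# home-made rootCA is not needed when the cert came from a real CA.
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name yourdomain -out "$4" -passout "pass:$5"
}

# Step 2 (optional): PKCS12 -> JKS. Java 8+ can load the .p12 directly
# (KeyStore type "PKCS12"), so this is only needed if JKS is required.
to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$2" -destkeystore "$3" -deststoretype JKS \
    -deststorepass "$2" -noprompt
}

# Check 1: the cert's public key must match the private key, otherwise the
# TLS handshake fails at runtime with an unhelpful error.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Check 2: the leaf must validate against the chain you are about to ship.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null; }

# Check 3: read the bundle back; count the certs and show the leaf subject.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERT'
}
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts | openssl x509 -noout -subject
}

# Spring Boot properties that replace the hand-rolled SSLContext from the
# question; the property names are Spring Boot's, the values are arguments.
spring_props() {
  printf 'server.ssl.key-store=%s\nserver.ssl.key-store-type=%s\n' "$1" "$2"
  printf 'server.ssl.key-store-password=%s\nserver.ssl.key-alias=yourdomain\n' "$3"
}

# Constructed offline stand-in for the CA-issued material: a throwaway CA
# signs a CSR for localhost. Prints only the working directory.
build_demo_material() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj /CN=Demo-CA \
    -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=localhost \
    -keyout "$d/yourdomain.key" -out "$d/yourdomain.csr" 2>/dev/null
  openssl x509 -req -in "$d/yourdomain.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$d/yourdomain.crt" 2>/dev/null
  make_p12 "$d/yourdomain.key" "$d/yourdomain.crt" "$d/chain.pem" "$d/my.p12" changeit
  echo "$d"
}

main() {
  d=$(build_demo_material)
  key_matches_cert "$d/yourdomain.key" "$d/yourdomain.crt"
  echo "key/cert pair: OK"
  chain_ok "$d/chain.pem" "$d/yourdomain.crt"
  echo "chain: OK"
  echo "certs in p12: $(p12_cert_count "$d/my.p12" changeit)"
  p12_subject "$d/my.p12" changeit
  if command -v keytool >/dev/null 2>&1; then
    # Older JDK 8 builds cannot read the PKCS12 encryption OpenSSL 3 uses by
    # default; if this step fails, re-export with 'openssl pkcs12 -export -legacy'.
    to_jks "$d/my.p12" changeit "$d/my-keystore.jks" || echo "JKS conversion failed"
  fi
  spring_props "$d/my.p12" PKCS12 changeit
}

main
```

To use it with real files, replace build_demo_material with your own yourdomain.key, yourdomain.crt and the CA's chain file, then call make_p12 and the three checks; the generated properties can go straight into application.properties, after which the SSLContext code in the question is no longer needed.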
