7

I want to generate a self-signed trusted certificate and a CSR, and sign the CSR with the trusted certificate I created. I am trying it with keytool. In the first step I create a trusted certificate using the command below:

keytool -genkey -alias mytrustCA -keyalg RSA -keystore keystore.jks -keysize 1024 

which puts the certificate into the keystore. How can I store it to a file? And when I list the contents using:

keytool -list -v -keystore cert/test.keystore 

the certificate resulting from the above genkey command is created with entry type PrivateKeyEntry. How can I create a trusted Cert Entry?

2 Answers

14

In your first command, you have used the -genkey option to generate the keystore named keystore.jks.

To export the certificate to a .CER file, you will need to use the -export option of keytool.

An example is:

keytool -v -export -file mytrustCA.cer -keystore keystore.jks -alias mytrustCA 

This will generate a file named mytrustCA.cer.

To generate a certificate request to send to a CA for obtaining a signed certificate, you will need to use the -certreq option of keytool.

An example is:

keytool -v -certreq -keystore keystore.jks -alias mytrustCA 

This will ask for the keystore password and on successful authentication, it will show the certificate request as given below (a sample).

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJhMQ8wDQYDVQQH
EwZNdW1iYWkxEjAQBgNVBAoTCU1pbmRzdG9ybTEUMBIGA1UECxMLRW5naW5lZXJpbmcxFDASBgNV
BAMTC1JvbWluIElyYW5pMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqOLEumwLHlzIUAPD6
Ab1pVp84mhSNCCcUKInZbSdiDYnKSr46EjEw0PtZOVPJbM4ZG3bZsOboYr0YfViJi41o4yJICFAZ
8wCQQxPK/4N8MPV7C5WDH28kRKGH/Pc2e7CxV+as573I34QmkINk7fEyERMDwP/WgmrcKZgL0sfy
ewIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAlcpjOUZFP9ixskXSA7HNlioWwjbL9f9rQskJ9rK8
kGLJ1td+mqqm20yo/JrKCzZjOMqr/aL6Zw2dkoyU34T9HnR2Bs3SgKn6wlYsYEVvVBk71Ec6PeTi
e+fhfNQEHsj4wuB4qixO3s1jtsLDy+DpTzYguszczwxXGFVNuk+y2VY=
-----END NEW CERTIFICATE REQUEST-----

You will need to send this Certificate Request or paste it into the Digital Certificate signer webpage. Alternatively, you can redirect this output to a file instead of the console as follows:

keytool -v -certreq -keystore keystore.jks -alias mytrustCA > mycertreq.txt 
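Before a request is sent off for signing it is worth checking what it actually contains, in particular whether it carries a SubjectAlternativeName, since a CA will only sign what is in the request. The following is an added example, not code from the answer above: a standard-library-only Python reader for a PKCS#10 request that returns the subject DN and any dns:/ip: SAN entries from the extensionRequest attribute. It is run over the sample request printed above (which has no attributes, so no SAN) and over a constructed attribute blob standing in for what a `-ext "SAN=..."` certreq would carry; the function names, the DER helpers and the sample are mine. keytool -printcertreq shows the same information interactively.

```python
import base64
import re

# The request shown in the answer above (keytool -certreq output), copied from the page.
PAGE_CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJhMQ8wDQYDVQQH
EwZNdW1iYWkxEjAQBgNVBAoTCU1pbmRzdG9ybTEUMBIGA1UECxMLRW5naW5lZXJpbmcxFDASBgNV
BAMTC1JvbWluIElyYW5pMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqOLEumwLHlzIUAPD6
Ab1pVp84mhSNCCcUKInZbSdiDYnKSr46EjEw0PtZOVPJbM4ZG3bZsOboYr0YfViJi41o4yJICFAZ
8wCQQxPK/4N8MPV7C5WDH28kRKGH/Pc2e7CxV+as573I34QmkINk7fEyERMDwP/WgmrcKZgL0sfy
ewIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAlcpjOUZFP9ixskXSA7HNlioWwjbL9f9rQskJ9rK8
kGLJ1td+mqqm20yo/JrKCzZjOMqr/aL6Zw2dkoyU34T9HnR2Bs3SgKn6wlYsYEVvVBk71Ec6PeTi
e+fhfNQEHsj4wuB4qixO3s1jtsLDy+DpTzYguszczwxXGFVNuk+y2VY=
-----END NEW CERTIFICATE REQUEST-----"""

DN_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
           "2.5.4.10": "O", "2.5.4.11": "OU"}
OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest
OID_SUBJECT_ALT_NAME = "2.5.29.17"


def pem_to_der(pem):
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER element at pos: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """All (tag, value) elements inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out


def decode_oid(raw):
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def san_from_attributes(attrs):
    """dns:/ip: names from an extensionRequest attribute; [] when there is none."""
    names = []
    for _, attribute in children(attrs):
        attr_type, attr_values = children(attribute)
        if decode_oid(attr_type[1]) != OID_EXTENSION_REQUEST:
            continue
        for _, extensions in children(attr_values[1]):      # SET OF Extensions
            for _, extension in children(extensions):       # Extension ::= SEQUENCE
                fields = children(extension)
                if decode_oid(fields[0][1]) != OID_SUBJECT_ALT_NAME:
                    continue
                _, general_names, _ = read_tlv(fields[-1][1], 0)   # inside extnValue
                for tag, val in children(general_names):
                    if tag == 0x82:                              # [2] dNSName
                        names.append("dns:" + val.decode("ascii"))
                    elif tag == 0x87 and len(val) == 4:          # [7] iPAddress, IPv4
                        names.append("ip:" + ".".join(str(b) for b in val))
    return names


def inspect_csr(pem):
    """Subject DN (as (type, value) pairs) and SAN names of a PKCS#10 request."""
    _, request, _ = read_tlv(pem_to_der(pem), 0)
    info = children(request)[0][1]                  # CertificationRequestInfo
    _version, subject, _spki, attrs = children(info)
    dn = []
    for _, rdn in children(subject[1]):
        for _, atv in children(rdn):
            oid, value = children(atv)
            oid = decode_oid(oid[1])
            dn.append((DN_OIDS.get(oid, oid), value[1].decode("utf-8", "replace")))
    return {"subject": dn, "san": san_from_attributes(attrs[1])}


def tlv(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + payload


# Constructed sample (not from the page): the attribute set a request made with
# -ext "SAN=dns:my.server.com,ip:11.22.33.44" carries.
_san_extension = tlv(0x30, tlv(0x06, bytes.fromhex("551d11")) +
                     tlv(0x04, tlv(0x30, tlv(0x82, b"my.server.com") +
                                         tlv(0x87, bytes([11, 22, 33, 44])))))
SAMPLE_ATTRS_WITH_SAN = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01090e")) +
                            tlv(0x31, tlv(0x30, _san_extension)))

if __name__ == "__main__":
    result = inspect_csr(PAGE_CSR_PEM)
    print("subject:", ", ".join(f"{k}={v}" for k, v in result["subject"]))
    print("SAN:", result["san"] or "none - add -ext SAN=... before sending this request")
    print("constructed sample SAN:", san_from_attributes(SAMPLE_ATTRS_WITH_SAN))
```

Run against the page's request this reports the subject (C=IN, ST=Maharashtra, L=Mumbai, O=Mindstorm, OU=Engineering, CN=Romin Irani) and an empty SAN list; modern browsers ignore the CN and match the host name against the SAN only, so a request like this would come back as a certificate that still produces a browser warning.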

2

This is a command-line example without any interactive prompts; it may be easier to use it this way and document all commands in a text file.

Create JavaKeyStore file and a self-signed certificate key

keytool -genkey -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype JKS \
    -keystore my.server.com.jks -storepass mypwd -keypass mypwd \
    -dname "CN=my.server.com, OU=EastCoast, O=MyComp Ltd, L=New York, ST=, C=US" \
    -ext "SAN=dns:my.server.com,dns:www.my.server.com,ip:11.22.33.44" \
    -validity 7200

keytool -keystore my.server.com.jks -storepass mypwd -list -v

You can already use this keystore (.jks) file in Tomcat, but browsers give a self-signed certificate warning. Give the SubjectAlternativeName extension argument with one or more DNS names and an optional IP address.

Create CertificateSigningRequest file

keytool -certreq -alias server -file my.server.com.csr \
    -keystore my.server.com.jks -storepass mypwd \
    -ext "SAN=dns:my.server.com,dns:www.my.server.com,ip:11.22.33.44"

keytool -printcertreq -file my.server.com.csr

Send the .csr file to the CertificateAuthority (CA) operator for signing; you should later receive a certificate (.cer) file. You must give the SubjectAlternativeName extension argument here a second time.

Import Certificate file to a keystore

keytool -import -trustcacerts -keystore my.server.com.jks -storepass mypwd \
    -alias server -file my.server.com.cer

This command pairs your private key and a public certificate with a trusted valid CA authority. Browsers should not give a certificate warning anymore.

Import intermediate CA certs

keytool.exe -importcert -trustcacerts -file SomeCA.cer -alias someca -keystore my.server.com.jks -storepass mypwd
keytool.exe -importcert -trustcacerts -file SomeCAIssuing.cer -alias somecaissuing -keystore my.server.com.jks -storepass mypwd

This imports the CA issuing certificates; you may need to do this before importing your certificate file (.cer).

Your hostname certificate may have an expiration date, so once it is about to expire, create a new signing request (.csr) file from the keystore, send the new .csr file to the CA, and import the new certificate (.cer) file.


You are most likely using a JKS keystore in the Tomcat web server, so here are tomcat/conf/server.xml HTTPS connector examples.

Tomcat 9+

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000" maxThreads="150"
           URIEncoding="UTF-8" useBodyEncodingForURI="true" maxHttpHeaderSize="65536"
           compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="all">
        <Certificate certificateKeystoreFile="my.server.com.jks"
                     certificateKeystoreType="JKS"
                     certificateKeystorePassword="mypwd"
                     certificateKeyAlias="server" />
    </SSLHostConfig>
</Connector>

Tomcat 8.5 (if older than 8.0 you may need to drop the ciphers argument)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           disableUploadTimeout="true" useBodyEncodingForURI="true"
           acceptCount="300" acceptorThreadCount="2" maxThreads="400"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
           compression="off" compressionMinSize="2048"
           keystoreFile="my.server.com.jks" keystorePass="mypwd" keyAlias="server"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="+TLSv1,+TLSv1.1,+TLSv1.2"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                    TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5,
                    SSL_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV" />
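The cipher and protocol lists in the Tomcat 8.5 connector above enable TLS 1.0/1.1, RC4, 3DES and MD5 suites, plus several static-RSA/ECDH suites without forward secrecy. As an added example (not part of the answer; written for this page), here is a small Python audit that parses the Connector element with the standard library, flags those entries and returns the subset worth keeping. The connector below is the page's own, cut to its TLS attributes and a representative subset of its cipher list; the tiers, rule names and functions are mine.

```python
import re
import xml.etree.ElementTree as ET

# Connector from the answer above, cut down to its TLS attributes and to a
# representative subset of the page's cipher list (order preserved).
PAGE_CONNECTOR_XML = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    keystoreFile="my.server.com.jks" keystorePass="mypwd" keyAlias="server"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
    sslEnabledProtocols="+TLSv1,+TLSv1.1,+TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
             TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
             TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5,
             TLS_EMPTY_RENEGOTIATION_INFO_SCSV" />"""

# Rules are checked top to bottom; the first match decides the tier.
REJECT_RULES = [
    (r"_RC4_", "RC4 is broken and prohibited in TLS (RFC 7465)"),
    (r"_3DES_EDE_CBC_", "3DES uses 64-bit blocks (Sweet32)"),
    (r"_MD5$", "MD5-based MAC"),
    (r"^SSL_", "SSLv3-era suite"),
    (r"_DSS_", "DSA-signed key exchange; mainstream browsers do not offer DSS suites"),
]
LEGACY_RULES = [
    (r"^TLS_(RSA|ECDH|DH)_", "static key exchange, no forward secrecy"),
    (r"_CBC_", "CBC mode; prefer AEAD (GCM) suites"),
]
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def classify_suite(name):
    """Return ('reject' | 'legacy' | 'ok', reason) for one JSSE cipher suite name."""
    for pattern, reason in REJECT_RULES:
        if re.search(pattern, name):
            return "reject", reason
    for pattern, reason in LEGACY_RULES:
        if re.search(pattern, name):
            return "legacy", reason
    if name.endswith("_SCSV"):
        return "ok", "signalling value, not a cipher"
    return "ok", "forward-secret AEAD suite"


def _csv(connector, attribute):
    return [x.strip() for x in connector.get(attribute, "").split(",") if x.strip()]


def audit_connector(xml_text):
    """(tier, item, reason) findings for the protocols and ciphers of a Connector."""
    connector = ET.fromstring(xml_text)
    findings = []
    for proto in _csv(connector, "sslEnabledProtocols"):
        proto = proto.lstrip("+")
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(("reject", proto, "deprecated protocol version (RFC 8996)"))
    for suite in _csv(connector, "ciphers"):
        tier, reason = classify_suite(suite)
        if tier != "ok":
            findings.append((tier, suite, reason))
    return findings


def hardened_cipher_list(xml_text):
    """The connector's list with everything that is not 'ok' removed, order preserved."""
    connector = ET.fromstring(xml_text)
    return [s for s in _csv(connector, "ciphers") if classify_suite(s)[0] == "ok"]


if __name__ == "__main__":
    for tier, item, reason in audit_connector(PAGE_CONNECTOR_XML):
        print(f"{tier:7} {item:45} {reason}")
    print("keep:", ", ".join(hardened_cipher_list(PAGE_CONNECTOR_XML)))
```

On the page's subset the audit leaves only the two ECDHE/AES-GCM suites and the renegotiation SCSV, and flags TLSv1 and TLSv1.1 in sslEnabledProtocols; the trimmed list goes back into the same ciphers attribute on Tomcat 8.5, while on Tomcat 9 the equivalent protocols and ciphers attributes live on the SSLHostConfig element used in the first connector above.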
