I'm taking over an existing project where I have keys/certs (root and intermediate CA) that were created with openssl. I was told to try to use keytool to generate client certs for client authentication for SSL in Java.
I am not a crypto person so this is all pretty new, but I've used Bouncy Castle in this PoC that generates client certs correctly, in that a client can authenticate with our service and an SSL connection is established.
```java
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Builds an end-entity (client) certificate for entityKey, signed by the CA
// whose private key and certificate are passed in (VALIDITY_PERIOD is a
// millisecond constant defined elsewhere in the project).
public X509Certificate buildEndEntityCert(PublicKey entityKey, PrivateKey caKey,
        X509Certificate caCert, String clientName) throws Exception {
    // Subject is hard-coded for the PoC; clientName is not used here.
    String name = "CN=Test";
    X509v3CertificateBuilder certBldr = new JcaX509v3CertificateBuilder(
            caCert.getSubjectX500Principal(),      // issuer = the CA's subject
            BigInteger.ONE,                        // serial: fixed for the PoC, must be unique per issuer in real use
            new Date(System.currentTimeMillis()),
            new Date(System.currentTimeMillis() + VALIDITY_PERIOD),
            new X500Principal(name),
            entityKey);
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    certBldr.addExtension(Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(caCert))
            .addExtension(Extension.subjectKeyIdentifier, false,
                extUtils.createSubjectKeyIdentifier(entityKey))
            .addExtension(Extension.basicConstraints, false,
                new BasicConstraints(false))       // not a CA
            .addExtension(Extension.keyUsage, false,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment
                        | KeyUsage.nonRepudiation))
            .addExtension(Extension.extendedKeyUsage, false,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
    // Sign with the CA's private key and convert to a JCA X509Certificate.
    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
            .setProvider("BC").build(caKey);
    return new JcaX509CertificateConverter().setProvider("BC")
            .getCertificate(certBldr.build(signer));
}
```

I call this method with the intermediateCredential I load on startup for the caKey and caCert parameters. Is there a similar way I can do this with keytool?
If there is not a command or set of commands that I can do to accomplish this, is there even a way to do this? Like create a new truststore, import those certs, and then create new certs from that truststore acting as a CA?
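As an added example (not part of the original question or the project it describes), here is the keytool counterpart of the Bouncy Castle method above. keytool can only sign with a private key it holds, so the openssl-created intermediate key and certificate are first wrapped into a PKCS12 keystore; the client key pair is generated into its own keystore, a CSR is produced with `keytool -certreq`, and `keytool -gencert` signs it with the intermediate, adding the same key usage, extended key usage and basic constraints (SKI and AKI are added by `-gencert` itself). The file names, the `intermediate`/`client` aliases, the `changeit` password and the throwaway root/intermediate that `make_test_ca` generates are assumptions made so the script runs offline; in the real project you would skip `make_test_ca` and point `import_ca_keystore` at the existing `int.key`, `int.crt` and `root.crt`.

```shell
#!/bin/sh
# Added example: signing a client certificate with an openssl-created
# intermediate CA using keytool. Not code from the original post.
set -eu

PASS=changeit   # assumption: one password for every keystore in this demo

# Constructed stand-in for the project's existing openssl CA (root + intermediate).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Test Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -addext "subjectKeyIdentifier=hash" \
        -keyout root.key -out root.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
        -keyout int.key -out int.csr 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' > int.ext
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile int.ext -out int.crt 2>/dev/null
}

# keytool signs only with keys it holds: wrap the intermediate key, its cert
# and the root into a PKCS12 keystore under the alias "intermediate".
# (Very old JDKs cannot read OpenSSL 3's default PBES2/AES encoding; there,
# add -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 to this call.)
import_ca_keystore() {
    openssl pkcs12 -export -name intermediate -inkey int.key -in int.crt \
        -certfile root.crt -passout "pass:$PASS" -out ca.p12
}

# Generate the client key pair, request a cert, and sign it with the
# intermediate. The -ext flags mirror the BC code: KU, EKU=clientAuth, BC=ca:false.
issue_client_cert() {
    client="$1"
    keytool -genkeypair -keystore client.p12 -storetype PKCS12 -storepass "$PASS" \
        -alias client -keyalg RSA -keysize 2048 -dname "CN=$client" -validity 365
    keytool -certreq -keystore client.p12 -storepass "$PASS" -alias client -file client.csr
    keytool -gencert -keystore ca.p12 -storepass "$PASS" -alias intermediate \
        -infile client.csr -outfile client.crt -rfc -validity 365 -sigalg SHA256withRSA \
        -ext ku=digitalSignature,keyEncipherment,nonRepudiation \
        -ext eku=clientAuth -ext bc=ca:false
    # Install root and intermediate as trusted certs first, then the signed
    # reply for our own key, so keytool can build and verify the whole chain.
    keytool -importcert -keystore client.p12 -storepass "$PASS" -alias root -file root.crt -noprompt
    keytool -importcert -keystore client.p12 -storepass "$PASS" -alias intermediate -file int.crt -noprompt
    keytool -importcert -keystore client.p12 -storepass "$PASS" -alias client -file client.crt -noprompt
}

# Independent check with openssl: chain validates to the root, the issuer is
# the intermediate, and the cert carries the clientAuth EKU and an AKI.
verify_client_cert() {
    openssl verify -CAfile root.crt -untrusted int.crt client.crt >/dev/null || return 1
    openssl x509 -in client.crt -noout -text > client.txt
    grep -q 'Issuer: CN *= *Test Intermediate CA' client.txt || return 1
    grep -q 'TLS Web Client Authentication' client.txt || return 1
    grep -q 'Authority Key Identifier' client.txt || return 1
}

main() {
    if ! command -v keytool >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
        echo "keytool and openssl are required for this demo" >&2
        return 0
    fi
    WORKDIR="${WORKDIR:-$(mktemp -d)}"
    cd "$WORKDIR"
    make_test_ca
    import_ca_keystore
    issue_client_cert alice
    verify_client_cert && echo "client certificate OK: $WORKDIR/client.p12"
}
main
```

The resulting `client.p12` holds the client key with the full chain (client, intermediate, root) under the alias `client`, which is what a Java `KeyManager` needs for TLS client authentication. This is also the answer to the truststore question: a truststore only needs the public certificates, but to issue certificates the CA's private key must be in a keystore that keytool can open, which is what the PKCS12 import does.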