
I have generated with OpenSSL self-signed certificates:

Root CA: cacert.crt (the root CA certificate), and root_key.pem (for root private key).

Client: client_cert.crt (the client certificate), and client_key.pem (for private key).

Server: server_cert.crt (the server certificate), and server_key.pem (for private key).

Both client and server certificates are signed with the root key.

As I understand it, for two-way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.

My question is how to generate with keytool the two pairs of client/server truststore/keystore, starting from these certificates/keys.

  • This isn't programming or development, but for CA-issued certs each side's truststore should contain the root CA cert NOT the peer's cert; only for a self-signed cert need the peer cert be in the truststore. However each side's keystore should contain its own private key AND cert AND the CA cert(s) (aka chain). You can't do that with keytool, you must use OpenSSL or something like keystore-explorer; there are many answers about each -- although only some are updated to reflect an issue with new OpenSSL but older Java, see (my) stackoverflow.com/questions/72412346 . Commented Feb 8, 2023 at 17:27
  • It is not a programming question, but it is directly linked to programming/tests: if you write code that handles SSL you will need to test it. Commented Feb 9, 2023 at 8:48

1 Answer


After some research, I found the following steps:

For client keystore:

openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt 

For client truststore:

REM the client trusts the root CA and, under the alias servercert, the server's own certificate
keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file server_cert.crt -alias servercert -keystore ClientTruststore

For server keystore:

openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
REM no keytool -genkey step is needed: -importcert and -importkeystore create server.keystore themselves,
REM and a throwaway self-signed RSA entry left in the keystore can be chosen by the KeyManager instead of the real one
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
REM the private key + server_cert.crt entry comes over from the PKCS12 file (OpenSSL gives it the alias "1")
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%

For server truststore:

keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore

I tested it with a very simple SSL Client/Server by running the program:

java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar

It is working fine. Any suggestions of improvements are welcomed.
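The following script is an added, end-to-end example and is not the answer's own code. It builds the same three-party PKI the question describes (root CA, server and client certificates signed by the root key), packages each side's own private key + certificate + CA chain as a PKCS12 keystore (the layout the first comment asks for), puts only the root CA into each truststore instead of the peer's certificate, and then proves the two-way handshake with openssl s_server/s_client: the server runs with -Verify 1 so that a client without a certificate chaining to the root is refused. Everything not on the page is an assumption of the example: the ext.cnf sections, the subject names, the password changeit, the ports 44431/44432 and the *.keystore.p12 file names. openssl is required on PATH; keytool is only used for the truststore step, because Java's PKCS12 reader recognises key-less certificate bags as trusted entries only when they carry the Oracle trusted-key-usage attribute that keytool sets. If the Java in use is older than the OpenSSL 3 PKCS12 defaults it can read (the issue linked in the first comment), add -legacy to the openssl pkcs12 -export lines.

```shell
#!/bin/sh
# Added example (not from the original answer): root CA + server/client certs,
# PKCS12 keystores with chain, root-CA-only truststores, and an mTLS handshake check.
# Subject names, password, ext.cnf sections and ports are constructed for the demo.
set -eu

PASS=changeit   # assumed demo password; use a real secret outside a demo

make_pki() {    # $1 = work dir; writes root_key.pem/cacert.crt, *_key.pem, *_cert.crt, *.keystore.p12
  mkdir -p "$1"
  cat >"$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  ( cd "$1"
    # Root CA: self-signed and flagged CA:TRUE so verifiers accept it as a trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root_key.pem -out cacert.crt \
      -days 365 -subj "/CN=Demo Root CA" -config ext.cnf -extensions ca
    for side in server client; do
      if [ "$side" = server ]; then cn=localhost; else cn=demo-client; fi
      openssl req -new -newkey rsa:2048 -nodes -keyout "${side}_key.pem" -out "$side.csr" \
        -subj "/CN=$cn" -config ext.cnf
      # Sign the CSR with the root key; EKU/SAN come from the matching ext.cnf section.
      openssl x509 -req -in "$side.csr" -CA cacert.crt -CAkey root_key.pem -CAcreateserial \
        -days 365 -extfile ext.cnf -extensions "$side" -out "${side}_cert.crt"
      # Keystore = own key + own cert + CA chain (-certfile); -name becomes the Java alias.
      # Add -legacy here for a Java that cannot read OpenSSL 3's default PKCS12 encryption.
      openssl pkcs12 -export -name "$side" -inkey "${side}_key.pem" -in "${side}_cert.crt" \
        -certfile cacert.crt -out "$side.keystore.p12" -passout "pass:$PASS"
    done ) >/dev/null 2>&1
}

verify_chain() {   # $1 = dir, $2 = trust anchor, $3 = leaf; succeeds only if the leaf chains to the anchor
  openssl verify -CAfile "$1/$2" "$1/$3" >/dev/null 2>&1
}

build_truststores() {   # $1 = dir; each truststore holds the root CA only, never the peer's leaf cert
  for ts in ServerTruststore ClientTruststore; do
    rm -f "$1/$ts.p12"
    keytool -importcert -noprompt -alias rootca -file "$1/cacert.crt" \
      -keystore "$1/$ts.p12" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1
  done
}

count_trusted() {  # $1 = truststore; prints how many trustedCertEntry rows keytool lists
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$PASS" 2>/dev/null | grep -c trustedCertEntry
}

mtls_handshake() { # $1 = dir, $2 = port, $3 = 1 to present the client cert, 0 to omit it
  ( cd "$1"
    # -Verify 1: the server REQUIRES a client cert that chains to -CAfile (the root, not client_cert.crt).
    openssl s_server -accept "$2" -www -cert server_cert.crt -key server_key.pem \
      -CAfile cacert.crt -Verify 1 >/dev/null 2>&1 &
    srv=$!
    if [ "$3" = 1 ]; then auth="-cert client_cert.crt -key client_key.pem"; else auth=""; fi
    out=""
    for try in 1 2 3 4 5; do   # give the background server a moment to start listening
      sleep 1
      out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$2" \
        -CAfile cacert.crt -verify_return_error $auth 2>&1 || true)   # $auth unquoted on purpose
      printf '%s\n' "$out" | grep -q '^CONNECTED' && break
    done
    kill "$srv" 2>/dev/null || true
    # Client verified the server (return code 0) AND the server's -www status page echoes the
    # client certificate it accepted; without a valid client cert that page is never served.
    printf '%s\n' "$out" | grep -q "Verify return code: 0 (ok)" &&
      printf '%s\n' "$out" | grep -q "Client certificate" )
}

demo() {  # $1 = work dir; runs the whole procedure and reports each check
  make_pki "$1"
  verify_chain "$1" cacert.crt server_cert.crt && echo "server_cert.crt chains to cacert.crt"
  verify_chain "$1" cacert.crt client_cert.crt && echo "client_cert.crt chains to cacert.crt"
  verify_chain "$1" server_cert.crt client_cert.crt || echo "a peer's leaf cert is no trust anchor for the other side"
  mtls_handshake "$1" 44431 1 && echo "two-way handshake OK: both sides verified against the root CA"
  if mtls_handshake "$1" 44432 0; then echo "UNEXPECTED: server accepted a client without a cert"
  else echo "client without a cert rejected, as -Verify 1 demands"; fi
  if command -v keytool >/dev/null 2>&1; then
    build_truststores "$1"
    echo "trusted entries in ServerTruststore.p12: $(count_trusted "$1/ServerTruststore.p12")"
  fi
}

if [ "${1:-}" = run ]; then demo "${2:-./mtls-demo}"; fi
```

Run it as `sh mtls-demo.sh run ./pki`; afterwards `keytool -list -v -keystore pki/server.keystore.p12 -storetype PKCS12 -storepass changeit` shows one PrivateKeyEntry with a chain length of 2 (server cert plus root), and the Java processes from the answer can be pointed at server.keystore.p12 / client.keystore.p12 and the root-only truststores with the same -Djavax.net.ssl.* properties. The negative handshake is the point of the design: because trust on both sides is rooted at cacert.crt, a new client certificate issued by the same root is accepted without touching any truststore, and a certificate that does not chain to the root is refused even though neither side ever sees the peer's own certificate in its truststore.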
