Thursday, January 12, 2017

Create keystore, truststore, and self-signed certificate using java keytool



Keytool is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.
Keytool stores the keys and certificates in a keystore. The default keystore implementation stores the keystore as a file and protects the private keys with a password. A keystore is a database of key material: it contains private keys and the certificates that carry the corresponding public keys. Key material is used for a variety of purposes, including authentication and data integrity. Several keystore types are available, including “PKCS12” and Sun’s “JKS”.
The keytool executable is located in your $JAVA_HOME/jre/bin directory; the commands below must be run either from that directory or from anywhere once it is on your PATH.
On Windows, right-click Command Prompt and select Run as administrator to launch it. If you don't have $JAVA_HOME/jre/bin on your PATH, change to that directory first.

1. Create a new public/private key pair stored in a new keystore

Type the following command at the Command Prompt.

>keytool -genkeypair -alias mykeystore -keyalg RSA -keystore KeyStore.jks -storetype JKS -keysize 2048

Enter keystore password:
Re-enter new password:
What is your first and last name?
      [Unknown]: joysu
What is the name of your organizational unit?
      [Unknown]: ps
What is the name of your organization?
      [Unknown]: ddw
What is the name of your City or Locality?
      [Unknown]: ocoee
What is the name of your state or province?
      [Unknown]: fl
What is the two-letter country code for this unit?
      [Unknown]: us
Is CN=joysu, OU=ps, O=ddw, L=ocoee, ST=fl, C=us correct?
      [No]: yes

Enter key password for <mykeystore>.
                (RETURN if same as keystore password):

The new keystore created is KeyStore.jks. Its alias is mykeystore. By default the associated certificate is valid for 90 days. You can use the -validity parameter to specify the number of days the certificate is valid. The above command looks like this if you want the certificate to be valid for 36500 days:

>keytool -genkeypair -alias mykeystore -keyalg RSA -keystore KeyStore.jks -storetype JKS -validity 36500 -keysize 2048

To look at the information in KeyStore.jks, type the following command:

>keytool -list -keystore KeyStore.jks
Enter keystore password:

Output:
keystore type: JKS
keystore provider: SUN

Your keystore contains 1 entry

mykeystore, Jan 11, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 5D:6F:13:40:29:DA:BD:0B:5B:C1:12:90:27:C9:5D:1B:19:1C:3B:79

2. Get the certificate/Public key

If you need a certificate signing request (CSR) in order to order a certificate from a CA such as VeriSign, run the following command to generate the CSR file.

>keytool -certreq -alias mykeystore -keystore KeyStore.jks -file mykeystore.csr

If a self-signed certificate is good enough for you, the following command exports the self-signed X.509 certificate. The public key is exported in the form of a certificate file, which can be shared with the other party.

>keytool -export -alias mykeystore -keystore KeyStore.jks -rfc -file X509_certificate.cer

Enter keystore password:
Certificate stored in file <x509_certificate.cer>

By default the exported certificate is in binary DER format; the -rfc option writes it in Base64-encoded PEM format instead.

You can use the following command to print the information contained in the certificate.

>keytool -printcert -file X509_certificate.cer

3. Create a TrustStore and Import X.509 Certificate as a Trusted Certificate


A truststore is a keystore that is used when deciding what to trust. An entry should only be added to a truststore if the user has decided to trust that entity. By generating a key pair or by importing a certificate, the user grants trust to that entry, and so every entry in the truststore is considered a trusted entry.

>keytool -import -alias mykeystore -file X509_certificate.cer -keystore truststore -storetype JKS
Enter keystore password:
Re-enter new password:
Owner: CN=joysu, OU=ps, O=ddw, L=ocoee, ST=fl, C=us
Issuer: CN=joysu, OU=ps, O=ddw, L=ocoee, ST=fl, C=us
Serial number: 60557ff
Valid from: Wed Jan 11 13:04:03 EST 2017 until: Tue Apr 11 14:04:03 EDT 2017
Certificate fingerprints:
         MD5:  64:72:97:D6:C2:79:C4:39:22:B3:DB:1C:95:AB:20:22
         SHA1: 5D:6F:13:40:29:DA:BD:0B:5B:C1:12:90:27:C9:5D:1B:19:1C:3B:79
         SHA256: E3:16:4B:01:DB:6E:D1:73:A3:DE:36:9E:94:E2:84:98:00:99:DC:1D:F2:76:48:F2:1D:0B:E6:06:D4:CD:14:32
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 26 1D 35 13 5F 59 4D   98 78 BD AF F0 51 CF FA  .&.5._YM.x...Q..
0010: AD D4 BB 66                                        ...f
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore 

Now you can use KeyStore.jks together with its keystore password to create an SSLServerSocket, and the truststore to create the client SSLSocket.
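The following Java program is an added example, not part of the original post. It performs the equivalent of steps 2 and 3 through the java.security.KeyStore API against the KeyStore.jks created in step 1: it reads the self-signed certificate, prints its SHA-256 fingerprint so you can compare it with the `keytool -printcert` output before trusting it, writes the PEM file, builds a truststore that contains only that certificate, and then uses the keystore for an SSLServerSocket and the truststore for a client SSLSocket in a loopback handshake. It assumes the file name KeyStore.jks, the alias mykeystore and the choice from step 1 of pressing RETURN so that the key password equals the keystore password; the class name KeystoreDemo and the two command-line arguments are my own choices.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class KeystoreDemo {
    // Assumption: these are the names used in step 1 of the post.
    static final String KEYSTORE = "KeyStore.jks";
    static final String ALIAS = "mykeystore";
    static final String TRUSTSTORE = "truststore";

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Same value that "keytool -list -v" and "keytool -printcert" show as SHA256.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Equivalent of "keytool -export -rfc": DER bytes, Base64 in 64-column lines, PEM armour.
    static void exportPem(Certificate cert, String path) throws Exception {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                .encodeToString(cert.getEncoded());
        String pem = "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
        try (OutputStream out = new FileOutputStream(path)) {
            out.write(pem.getBytes(StandardCharsets.US_ASCII));
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = args[0].toCharArray();   // keystore (and key) password from step 1
        char[] trustPass = args[1].toCharArray();   // password for the truststore written below

        KeyStore ks = load(KEYSTORE, storePass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA256:  " + fingerprint(cert));   // compare with keytool -printcert first
        exportPem(cert, "X509_certificate.cer");

        // Step 3: a truststore holding exactly one trusted certificate entry.
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);
        ts.setCertificateEntry(ALIAS, cert);
        try (OutputStream out = new FileOutputStream(TRUSTSTORE)) {
            ts.store(out, trustPass);
        }

        // Server side: private key and certificate come from the keystore.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, storePass);
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(kmf.getKeyManagers(), null, null);

        // Client side: trusts only what is in the truststore, never a trust-all manager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE, trustPass));
        SSLContext clientCtx = SSLContext.getInstance("TLS");
        clientCtx.init(null, tmf.getTrustManagers(), null);

        // Loopback handshake: the server thread accepts one connection and sends a greeting.
        try (SSLServerSocket server = (SSLServerSocket) serverCtx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread t = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    s.getOutputStream().write("hello\n".getBytes(StandardCharsets.US_ASCII));
                } catch (Exception e) {
                    e.printStackTrace();
                }
            });
            t.start();
            try (SSLSocket client = (SSLSocket) clientCtx.getSocketFactory()
                    .createSocket(InetAddress.getLoopbackAddress(), server.getLocalPort())) {
                client.startHandshake();   // fails here if the server cert is not in the truststore
                Certificate[] chain = client.getSession().getPeerCertificates();
                System.out.println("Negotiated " + client.getSession().getProtocol()
                        + ", server presented " + fingerprint(chain[0]));
                byte[] buf = new byte[64];
                int n = client.getInputStream().read(buf);
                System.out.println(new String(buf, 0, n, StandardCharsets.US_ASCII).trim());
            }
            t.join();
        }
    }
}
```

Compile and run it in the directory that holds KeyStore.jks, for example `javac KeystoreDemo.java && java KeystoreDemo <keystore-password> <truststore-password>`; in a real deployment the passwords would come from a configuration or secret store rather than the command line. Two points the handshake illustrates: the client succeeds only because the server's certificate is the one entry in the truststore, and a raw SSLSocket does not check that the certificate's CN (joysu in the post) matches the host it connected to unless you enable endpoint identification through SSLParameters, so name checking is something to add deliberately when this moves beyond loopback testing.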

