Keytool Utility:
Dec 31, 2018

F5 load balancers generate .crt and .key files, which have to be converted to a .jks keystore before they can be configured with WebLogic Server. Here .crt is the certificate signed by a CA and .key contains the private key; both are in PEM format. Step 1: copy the .crt contents into a text editor and save the file.

Creating a KeyStore in JKS format: a keystore can use the JKS format as the database format for both the private key and the associated certificate or certificate chain. By default, as specified in the java.security file of JDK 8 and earlier, keytool uses JKS as the format of the key and certificate databases (keystore); since JDK 9 the default is PKCS12, so pass -storetype JKS explicitly if a JKS-format file is actually required.

Jan 09, 2017: a JKS file is a Java keystore. Using the Java keytool program, run the following commands.
Export the certificate as a .der file:
keytool -export -alias sample -file sample.der -keystore my.jks
Convert the .der file to unencrypted PEM (a .crt file):
openssl x509 -inform der -in sample.der -out sample.crt
Export the whole keystore as a .p12 file:
keytool -importkeystore -srckeystore my.jks -destkeystore keystore.p12 -deststoretype PKCS12

To obtain the .crt of a site whose server uses a JKS keystore from Chrome on Windows: open the site's URL in the browser (the one shown with the red line through https) and click the lock or "Not secure" indicator to the left of the URL. In the information dialog that opens, click "Certificate (invalid)", then the Details tab, then "Copy to File..." and follow the wizard. This exports only the public certificate the server presents, never the private key.
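As an added example for the F5 .crt/.key case above (this is not code from the original page): keytool cannot import a bare private key, so the PEM pair is first bundled into PKCS#12 with openssl and then migrated with -importkeystore. It assumes openssl and a JDK with keytool on PATH; a throw-away self-signed pair generated by the script stands in for the F5 files, and the file names, alias and password are invented.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: PEM .key/.crt -> PKCS#12 -> JKS,
# with the two checks a practitioner runs around the conversion.
# Assumptions: openssl and keytool on PATH; names, alias and password are invented.
set -euo pipefail

WORK="$(mktemp -d)"
export KS_PASS='changeit'    # demo value; openssl and keytool read it from the environment

make_demo_pem() {  # stand-in for server.key / server.crt as exported from the F5
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=www.example.com' \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Check 1 (before converting): the key really belongs to the certificate.
# Both functions hash the same SubjectPublicKeyInfo when key and cert match.
spki_hash_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
spki_hash_of_key()  { openssl pkey -in "$1" -pubout        | openssl sha256 | awk '{print $NF}'; }

pem_to_jks() {  # $1=key.pem $2=cert.pem $3=alias $4=out.jks
  # Step A: PKCS#12 bundle (add -certfile chain.pem if the CA supplied intermediates).
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "$3" \
    -out "$WORK/bundle.p12" -passout env:KS_PASS
  # Step B: migrate that entry into a JKS keystore; -srcalias is what openssl -name set.
  keytool -importkeystore -srckeystore "$WORK/bundle.p12" -srcstoretype PKCS12 \
    -srcstorepass:env KS_PASS -srcalias "$3" -destkeystore "$4" -deststoretype JKS \
    -deststorepass:env KS_PASS -destalias "$3" -noprompt
  rm -f "$WORK/bundle.p12"   # the bundle holds the private key; do not leave it around
}

# Check 2 (after converting): the certificate inside the JKS is the one from the .crt.
jks_cert_sha256() {  # "SHA256: AA:BB:..." line of keytool -list -v
  keytool -list -v -keystore "$1" -storepass:env KS_PASS -alias "$2" \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}
pem_cert_sha256() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
entry_type() {
  keytool -list -v -keystore "$1" -storepass:env KS_PASS -alias "$2" | sed -n 's/^Entry type: //p'
}

if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
  make_demo_pem
  [ "$(spki_hash_of_cert "$WORK/server.crt")" = "$(spki_hash_of_key "$WORK/server.key")" ] \
    || { echo "server.key does not match server.crt" >&2; exit 1; }
  pem_to_jks "$WORK/server.key" "$WORK/server.crt" server "$WORK/keystore.jks"
  echo "imported as $(entry_type "$WORK/keystore.jks" server)"
  echo "JKS cert: $(jks_cert_sha256 "$WORK/keystore.jks" server)"
  echo "PEM cert: $(pem_cert_sha256 "$WORK/server.crt")"
else
  echo "needs openssl and keytool on PATH" >&2
fi
```

Older JDK 8 and 11 updates cannot read the AES/SHA-256 PKCS#12 that OpenSSL 3 writes by default and fail with an integrity or password error on the -importkeystore step; updating the JDK is the right fix, since the alternative is weakening the transient bundle's encryption.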
Keytool is a key and certificate management JDK utility which helps in managing a keystore of private/public keys and associated certificates. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.
Keytool stores keys and certificates in a keystore, which by default is a file. The keystore is protected by a store password and each private key entry by its own key password.
keytool also lets users administer secret keys used in symmetric encryption/decryption (e.g. AES or DES).
A keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.
Every entry in a Java keystore is associated with a unique alias, which is later used as the handle for any keytool operation that imports, exports, deletes or changes certificates or keys.
Keytool Options:
The various keytool options are listed below
KEYTOOL OPTIONS | DESCRIPTION |
-delete | Deletes an entry from the Keystore |
-exportcert | Exports a certificate from a Keystore |
-genkeypair | Generates a key pair |
-genseckey | Generates a secret key (for symmetric algorithms) |
-gencert | Generates a certificate from a certificate request |
-importcert | Import a certificate or a certificate chain to keystore |
-importpass | Imports a password |
-importkeystore | Imports one or all entries from another keystore to a keystore |
-keypasswd | Changes the key password of an entry in keystore |
-list | Lists entries in a keystore |
-printcert | Prints the content of a certificate |
-printcertreq | Prints the content of a certificate request |
-printcrl | Prints the content of a CRL file |
-storepasswd | Changes the store password of a keystore |
Steps to process the keystore, CSR and the signed certificate:
Create a keystore which contains the private key
Generate a CSR (Certificate Signing Request) from the keystore
Get the primary/server certificate signed by a Certificate Authority
Import the primary/server certificate and the root and intermediate CA certificates into the keystore
Share the certificate or the CA root certificates with the systems that use SSL/TLS to communicate with your system/application
Create a keystore using Keytool:
Creating a Java keystore starts with keytool -genkeypair, which writes a .jks file that initially contains a single private key entry wrapping a self-signed certificate. The options that matter:
-alias names the key entry in the keystore
-keyalg specifies the algorithm used to generate the key pair (for example RSA)
-keysize specifies the size in bits of the key to be generated (2048 or more for RSA).
-sigalg specifies the algorithm used to sign the self-signed certificate; it must be compatible with -keyalg (for example SHA256withRSA for RSA).
-validity specifies, in days, how long the self-signed certificate generated with the key pair is valid; the keystore itself does not expire.
When you run the command you are prompted for the details that go into the certificate's subject name: Common Name (the website/application DNS name; keytool asks for it as "first and last name"), Organisational Unit, Organisation, Locality (city), State/Province and the two-letter Country code. These are user-defined values. You are also prompted for the keystore password and the key password, which are needed later to read, write or modify the keystore; keep them in a secret store rather than on the command line, where they end up in shell history and process listings.
Because the keystore name was given as keystore.jks, the file keystore.jks is created in the current folder. Note that since JDK 9 the default keystore type is PKCS12, so pass -storetype JKS if a JKS-format file is actually required.
Use the -list option (see the table above) to view the entries in the keystore; the values entered at the prompts appear on the private key entry in keystore.jks.
Generate a CSR (Certificate Signing Request) from keystore:
The next step is to generate a Certificate Signing Request (CSR) from the keystore entry just created, using the -certreq option, and send it to a Certificate Authority (CA), which signs it and returns the primary/server certificate.
Pass the same alias and passwords used when creating the keystore so that keytool can read the private key entry and produce the request for it. The CSR carries the public key and the subject details; the private key stays in the keystore.
Generate Signed Primary/Server Certificate from Certificate Authority
Submit the generated CSR to a CA whose root certificates are trusted by the browsers and clients that will connect to your application; which CA to use is an organisational or personal choice.
Top 10 Certificate Authorities in the world (figures from Wikipedia, 2017). The list is a snapshot of market share, not a recommendation: the Symantec CA business at rank 3 was acquired by DigiCert in 2017 and browsers distrusted its older roots during 2018.
Rank | Issuer |
1 | Comodo |
2 | IdenTrust |
3 | Symantec |
4 | GoDaddy |
5 | GlobalSign |
6 | DigiCert |
7 | Certum |
8 | Entrust |
9 | Secom |
10 | Actalis |
Import the Primary/Server certificate, root and intermediate CA certificates to keystore
Once the CA has signed the certificate and returned it, import it into the keystore against the private key entry created earlier.
The import uses -importcert with the same alias as the private key entry; keytool then treats the file as a certificate reply rather than a new trusted certificate. Import the CA's root and intermediate certificates first, under their own aliases, so that keytool can build the chain from the reply.
-trustcacerts is optional.
If the -trustcacerts option is specified, additional certificates are considered for the chain of trust, namely the certificates in the JDK's cacerts file ($JAVA_HOME/lib/security/cacerts in JDK 9 and later, $JAVA_HOME/jre/lib/security/cacerts in JDK 8). Without it, and without the CA certificates in the keystore, the import fails with "Failed to establish chain from reply".
If the alias does not point to a key entry, then keytool assumes you are adding a trusted certificate entry. In this case, the alias should not already exist in the keystore. If the alias does already exist, then keytool outputs an error, since there is already a trusted certificate for that alias, and does not import the certificate.
If the alias points to a key entry, then keytool assumes you are importing a certificate reply.
The old chain can only be replaced if a valid keypass, the password used to protect the private key of the entry, is supplied. If no password is provided, and the private key password is different from the keystore password, the user will be prompted for it.
Import a root or intermediate CA certificate to an existing Java keystore
Entrust is used as the example CA; the file names will differ and are supplied by your Certificate Authority (CA).
To view the entries that were added, list the keystore with the -list option (add -v to see the full certificate chain of each entry).
Share the certificate or root certificates to system which use the SSL to communicate to your system/application.
Because you created a new private/public key pair for your DNS name, the certificate (or the CA's root certificate) has to be given to any interfacing application that validates your server's certificate. Browsers do not need it, since they already carry the public CA roots; they do expect the server to present its intermediate certificates, which is why those were imported into the keystore.
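The five steps above, from creating the keystore to sharing the certificate, as one added example that is not code from the original page. A throw-away root + intermediate CA is built with keytool -gencert so the script runs offline; with a real CA you send server.csr away and import the files the CA returns instead of calling the demo CA functions. It assumes a JDK with keytool on PATH; aliases, names and passwords are invented.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: keystore -> CSR -> signed cert ->
# chain import -> verification, against a demo two-tier CA made with keytool.
# Assumptions: keytool on PATH; all names, aliases and passwords are invented.
set -euo pipefail

WORK="$(mktemp -d)"
CA_KS="$WORK/ca.jks"       # demo CA keys (would live on the CA, never on the server)
KS="$WORK/keystore.jks"    # the server keystore the steps above create
PASS='changeit'            # demo value; prefer -storepass:env or :file in real use

kt() { keytool "$@" -storepass "$PASS"; }   # every command below needs the store password

build_demo_ca() {
  # Root: self-signed, critical BasicConstraints ca:true, CA-only key usage.
  kt -genkeypair -alias root -keyalg RSA -keysize 3072 -validity 3650 \
     -dname 'CN=Demo Root CA,O=Example' -ext bc:c -ext ku:c=keyCertSign,cRLSign \
     -keystore "$CA_KS" -storetype JKS -keypass "$PASS"
  # Intermediate: key pair, CSR, signed by root, reply installed over its self-signed cert.
  kt -genkeypair -alias intermediate -keyalg RSA -keysize 3072 -validity 1825 \
     -dname 'CN=Demo Issuing CA,O=Example' -keystore "$CA_KS" -keypass "$PASS"
  kt -certreq -alias intermediate -keystore "$CA_KS" -file "$WORK/intermediate.csr"
  kt -gencert -alias root -keystore "$CA_KS" -validity 1825 -rfc \
     -ext bc:c -ext ku:c=keyCertSign,cRLSign \
     -infile "$WORK/intermediate.csr" -outfile "$WORK/intermediate.cer"
  kt -importcert -alias intermediate -keystore "$CA_KS" -file "$WORK/intermediate.cer" -noprompt
  kt -exportcert -alias root -keystore "$CA_KS" -rfc -file "$WORK/root.cer"
}

server_steps() {
  # Step 1: keystore with the private key entry (-dname replaces the interactive prompts).
  kt -genkeypair -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
     -dname 'CN=www.example.com,OU=IT,O=Example,L=City,ST=State,C=US' \
     -ext san=dns:www.example.com -keystore "$KS" -storetype JKS -keypass "$PASS"
  # Step 2: CSR from that entry; same alias and password as in step 1.
  kt -certreq -alias server -keystore "$KS" -file "$WORK/server.csr"
  # Step 3: the CA signs it (here the demo intermediate, adding server-certificate extensions).
  kt -gencert -alias intermediate -keystore "$CA_KS" -validity 365 -rfc \
     -ext san=dns:www.example.com -ext ku:c=digitalSignature,keyEncipherment \
     -ext eku=serverAuth -infile "$WORK/server.csr" -outfile "$WORK/server.cer"
  # Step 4, the usual mistake first: importing the reply before its issuers are in the
  # keystore fails with "Failed to establish chain from reply" ...
  if kt -importcert -alias server -keystore "$KS" -file "$WORK/server.cer" -noprompt 2>/dev/null; then
    echo "unexpected: reply accepted without a trusted issuer" >&2; return 1
  fi
  # ... so root and intermediate go in as trusted entries under their own aliases, then the
  # reply into the private key entry's alias. -trustcacerts additionally consults the JDK's
  # cacerts file, which is how chains from public CAs normally resolve.
  kt -importcert -alias root -keystore "$KS" -file "$WORK/root.cer" -noprompt
  kt -importcert -alias intermediate -keystore "$KS" -file "$WORK/intermediate.cer" -noprompt
  kt -importcert -trustcacerts -alias server -keystore "$KS" -file "$WORK/server.cer" -noprompt
  # Step 5: what you hand to peers is the CA root (or the server cert), never keystore.jks.
  kt -exportcert -alias root -keystore "$KS" -rfc -file "$WORK/share-root.pem"
}

# Checks a practitioner runs after step 4, read from keytool -list -v.
entry_type()   { kt -list -v -keystore "$1" -alias "$2" | sed -n 's/^Entry type: //p'; }
chain_length() { kt -list -v -keystore "$1" -alias "$2" | sed -n 's/^Certificate chain length: //p'; }

if command -v keytool >/dev/null 2>&1; then
  build_demo_ca
  server_steps
  echo "server entry: $(entry_type "$KS" server), chain length $(chain_length "$KS" server)"
  echo "files left in $WORK"
else
  echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

After the reply is installed, the server entry should report Entry type PrivateKeyEntry and a chain length of 3 (server, intermediate, root); a chain length of 1 means the reply never replaced the self-signed certificate and clients will see an untrusted certificate.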
Important keytool commands used to create, import, export, delete or change certificates in a keystore.
- Generate a Java keystore and key pair:
- Generate a certificate signing request (CSR) for an existing Java keystore:
- Generate a keystore and self-signed certificate:
- View/list the entries in a Java keystore
- Import a root or intermediate CA certificate to an existing Java keystore
- Delete a certificate from a Java Keytool keystore
- Change a Java keystore password
- Export a certificate from a keystore
To Use keytool to Create a ServerCertificate
Run keytool to generate a new key pair in the default development keystore file, keystore.jks. This example uses the alias server-alias to generate a new public/private key pair and wrap the public key into a self-signed certificate inside keystore.jks. The key pair is generated by using an algorithm of type RSA, with a default password of changeit. For more information and other examples of creating and managing keystore files, read the keytool online help at http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html.
Note – RSA is public-key encryption technology developed by RSA Data Security, Inc.
From the directory in which you want to create the key pair, run keytool as shown in the following steps.
- Generate the server certificate. Type the keytool command all on one line: When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code. You must type the server name in response to keytool's first prompt, in which it asks for first and last names. For testing purposes, this can be localhost. When you run the example applications, the host (server name) specified in the keystore must match the host identified in the javaee.server.name property specified in the file tut-install/examples/bp-project/build.properties.
- Export the generated server certificate in keystore.jks into the file server.cer. Type the keytool command all on one line:
- If you want to have the certificate signed by a CA, read the example at http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html.
- To add the server certificate to the truststore file, cacerts.jks, run keytool from the directory where you created the keystore and server certificate. Use the following parameters: Information on the certificate, such as that shown next, will appear:
- Type yes, then press the Enter or Return key. The following information appears:
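The self-signed server certificate and truststore procedure just described, run without prompts, followed by the maintenance commands from the "Important commands" list (export, view, change password, delete, and the JKS to PKCS12 migration from the introduction) on the same files. This is an added example, not code from the page or from the Java EE tutorial it quotes; it assumes a JDK with keytool on PATH, the names and passwords are invented, and cacerts.jks here is a fresh file rather than an application server's truststore.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: self-signed server cert -> truststore,
# then password rotation, PKCS12 migration and deletion, with the checks in between.
# Assumptions: keytool on PATH; aliases, file names and passwords are invented.
set -euo pipefail

WORK="$(mktemp -d)"
KS="$WORK/keystore.jks"; TS="$WORK/cacerts.jks"; P12="$WORK/keystore.p12"
export KS_PASS='changeit' TS_PASS='changeit'   # read via -storepass:env, so not in ps or history

sha256_of() {  # $1=keystore $2=alias $3=name of the env var holding the store password
  keytool -list -v -keystore "$1" -storepass:env "$3" -alias "$2" \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}
has_alias() { keytool -list -keystore "$1" -storepass:env "$3" -alias "$2" >/dev/null 2>&1; }

create_server_cert() {
  # -dname answers the "first and last name" (CN = host), OU, O, L, ST and C prompts;
  # CN and SAN must be the host clients connect to, localhost for local testing.
  keytool -genkeypair -alias server-alias -keyalg RSA -keysize 2048 -validity 365 \
    -dname 'CN=localhost,OU=Dev,O=Example,L=City,ST=State,C=US' -ext san=dns:localhost \
    -keystore "$KS" -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS
  # Export the certificate (DER; -rfc would give PEM). The private key never leaves the keystore.
  keytool -exportcert -alias server-alias -keystore "$KS" -storepass:env KS_PASS -file "$WORK/server.cer"
  # Add it to the truststore; -noprompt is the scripted "yes" to "Trust this certificate?"
  keytool -importcert -alias server-alias -file "$WORK/server.cer" -keystore "$TS" \
    -storetype JKS -storepass:env TS_PASS -noprompt
}

maintenance() {
  local NEW_PASS='r0tated-demo-pass'
  # -storepasswd changes only the store password; the key entry keeps its own, so it
  # is rotated separately with -keypasswd (old value via -keypass, new via -new).
  keytool -storepasswd -keystore "$KS" -storepass:env KS_PASS -new "$NEW_PASS"
  export OLD_PASS="$KS_PASS" KS_PASS="$NEW_PASS"
  keytool -keypasswd -alias server-alias -keystore "$KS" -storepass:env KS_PASS \
    -keypass:env OLD_PASS -new "$NEW_PASS"
  # Migrate to PKCS12, the standard format and the JDK default since 9.
  keytool -importkeystore -srckeystore "$KS" -srcstoretype JKS -srcstorepass:env KS_PASS \
    -destkeystore "$P12" -deststoretype PKCS12 -deststorepass:env KS_PASS -noprompt
  # Remove the certificate from the truststore once the client no longer needs it.
  keytool -delete -alias server-alias -keystore "$TS" -storepass:env TS_PASS
}

if command -v keytool >/dev/null 2>&1; then
  create_server_cert
  # Pinning-style check: the truststore must hold exactly the keystore's certificate.
  [ "$(sha256_of "$KS" server-alias KS_PASS)" = "$(sha256_of "$TS" server-alias TS_PASS)" ] \
    || { echo "truststore entry does not match the server certificate" >&2; exit 1; }
  BEFORE="$(sha256_of "$KS" server-alias KS_PASS)"
  maintenance
  echo "server cert SHA-256: $BEFORE"
  echo "same cert in PKCS12 copy: $(sha256_of "$P12" server-alias KS_PASS)"
  echo "files left in $WORK"
else
  echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

The truststore check is the step that matters on the client side: a truststore entry is trusted by fingerprint, so comparing the SHA-256 from both files before shipping cacerts.jks catches a stale or mixed-up server.cer.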