
Java Keytool and SSL

Keytool is a Java utility, included in the Java distribution, for managing a keystore: a password-protected file (database) of private keys, certificate chains and trusted certificates. A keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate (the purchased SSL certificate). A single keystore can contain multiple private keys and their corresponding certificate chains.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore, you first create the .jks file, which initially contains only the private key. You then generate a CSR and have a certificate generated from it. Finally, you import the certificate into the keystore, along with any root and intermediate certificates. Java Keytool also has several other functions that let you view the details of a certificate, list the certificates contained in a keystore, or export a certificate.

Keytool primer

//List keystore contents
static-202:~ Sayeed$ keytool -list -keystore abc-keystore

//Import SSL certificate into keystore. Import should be in the order: root -> intermed -> primary
static-202:~ Sayeed$ keytool -import -alias root -keystore abc-keystore -trustcacerts -file gdroot-g2.crt
static-202:~ Sayeed$ keytool -import -alias intermed -keystore abc-keystore -trustcacerts -file gdig2.crt 
static-202:~ Sayeed$ keytool -import -alias abc -keystore abc-keystore -trustcacerts -file 4af931ac9e4c59.crt 

Note: The last import, i.e. your SSL certificate, must use the same alias as the private key. Only then is the certificate mapped to the private key, which is REQUIRED.
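
The alias rule in the note above can be checked after the import. The following is an added example, not part of the original post: a shell function that reads the output of keytool -list -v -keystore abc-keystore -alias abc on stdin and fails if the entry is not a PrivateKeyEntry, if the leaf is still self-signed, or if the chain has fewer than two certificates. The sample outputs and the example.com names are constructed, and keytool's English output labels are assumed.

```shell
#!/bin/sh
# Added example: reads `keytool -list -v -keystore KS -alias ALIAS` output on stdin.
# Assumes keytool's English labels. Exit status 0 = CA-signed chain attached to the key.
check_key_entry() {
    awk '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { len = $4 + 0 }
        /^Certificate\[/             { cert++ }
        cert == 1 && /^Owner: /      { owner = substr($0, 8) }
        cert == 1 && /^Issuer: /     { issuer = substr($0, 9) }
        END {
            if (type != "PrivateKeyEntry") { print "FAIL: entry is " type ", no private key"; exit 1 }
            if (owner == issuer) { print "FAIL: leaf still self-signed"; exit 2 }
            if (len < 2) { print "FAIL: chain length " len ", CA certs missing"; exit 3 }
            print "OK: PrivateKeyEntry, chain of " len
        }'
}
# Constructed samples (not real keytool captures), trimmed to the parsed lines.
sample_chained() { cat <<'EOF'
Alias name: abc
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}
sample_self_signed() { cat <<'EOF'
Alias name: abc
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=www.example.com
EOF
}
sample_wrong_alias() { cat <<'EOF'
Alias name: abc-cert
Entry type: trustedCertEntry
Owner: CN=www.example.com
Issuer: CN=Example Intermediate CA
EOF
}
for s in sample_chained sample_self_signed sample_wrong_alias; do "$s" | check_key_entry || true; done
```

Exit status 1 corresponds to a certificate imported under a different alias than the key, and 2 to a key entry that never received the CA-signed certificate.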

//Delete certificate from keystore
static-202:~ Sayeed$ keytool -delete -alias "root" -keystore abc-keystore

//Convert keystore from jks to pkcs12
static-202:~ Sayeed$ keytool -importkeystore -srckeystore abc-keystore -destkeystore abc-keystore.pcks -srcstoretype jks -deststoretype pkcs12

Note: The above command doesn’t work because pkcs12 keystores are only meant for certificate-private key pairs. Root and intermediate certificates in the jks keystore cannot be exported because their private keys are absent.

//Print certificate details
static-202:~ Sayeed$ keytool -printcert -file mydomain.crt

//Export certificate from keystore
static-202:~ Sayeed$ keytool -export -alias www.mycompany.com -file mydomain.crt -keystore abc-keystore

//View certificate chain
static-202:~ Sayeed$ openssl s_client -connect mycompany.com:443 -showcerts

Keytool commands for Creating and Importing

//Generate a Java keystore and key pair
static-202:~ Sayeed$ keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

//Generate a certificate signing request (CSR) for an existing Java keystore
static-202:~ Sayeed$ keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

//Import a root or intermediate CA certificate to an existing Java keystore
static-202:~ Sayeed$ keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

//Import a signed primary certificate to an existing Java keystore
static-202:~ Sayeed$ keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

//Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytool for more info)
static-202:~ Sayeed$ keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Keytool commands for Checking

//Check a stand-alone certificate
static-202:~ Sayeed$ keytool -printcert -v -file mydomain.crt

//Check which certificates are in a Java keystore
static-202:~ Sayeed$ keytool -list -v -keystore keystore.jks

//Check a particular keystore entry using an alias
static-202:~ Sayeed$ keytool -list -v -keystore keystore.jks -alias mydomain

Other Keytool commands

//Delete a certificate from a Java Keytool keystore
static-202:~ Sayeed$ keytool -delete -alias mydomain -keystore keystore.jks

//Change a Java keystore password
static-202:~ Sayeed$ keytool -storepasswd -new new_storepass -keystore keystore.jks

//Export a certificate from a keystore
static-202:~ Sayeed$ keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

//List Trusted CA Certs
static-202:~ Sayeed$ keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

//Import New CA into Trusted Certs
static-202:~ Sayeed$ keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Some Helpful OpenSSL commands (openssl installation required)

//Check csr
static-202:~ Sayeed$ openssl req -text -noout -verify -in abc.csr 

//Check certificate
static-202:~ Sayeed$ openssl x509 -in 4af931ac9e4c59.crt -text -noout 

For more information, check out the Java Keytool documentation.
