Software required: OpenSSL, and an Oracle Java JDK (or OpenJDK) for keytool. IBM's Java will not work with this.
This example creates a keystore file for a server called "java.cs.iastate.edu". For clarity, all files start with this hostname, but it isn't necessary. Java wouldn't care if they were called java-cs-iastate-edu* or sparkling-vampires*; it finds the proper certificate using the "common name" (and, if present, the "alt-dns" values).
Create a new key
openssl genrsa -out java-cs-iastate-edu.key 4096
Create a certificate signing request
Need to support multiple DNS names? Create a custom openssl.conf and specify the additional values with "subjectAltName".
openssl req -new -key java-cs-iastate-edu.key -out java-cs-iastate-edu.csr
Send to the certification authority for signing.
Once signed, the certificate is downloaded as java-cs-iastate-edu.crt, and the certificate chain is saved as java-cs-iastate-edu.chain.crt.
Finally, to create the actual Java KeyStore:
- Convert the X.509 certificate and key to a PFX (PKCS#12) file using OpenSSL
openssl pkcs12 -export -out java-cs-iastate-edu.pfx -in java-cs-iastate-edu.crt -inkey java-cs-iastate-edu.key -name java-cs-iastate-edu -certfile java-cs-iastate-edu.chain.crt -noiter -nomaciter
(-certfile embeds the chain certificates in the PFX. -CAfile on its own is only consulted when -chain is also given, so with -CAfile alone the chain would silently be left out of the PFX and the keystore.)
Important note: You must set a password on the PFX file or keytool will fail to import.
- Import the PFX file to a new Java KeyStore file
keytool -importkeystore -srckeystore java-cs-iastate-edu.pfx -srcstoretype pkcs12 -destkeystore java-cs-iastate-edu.jks -deststoretype JKS
- Done
The new java-cs-iastate-edu.jks file is ready for use.
You can check the contents of a Java KeyStore file using the keytool command:
keytool -list -v -keystore java-cs-iastate-edu.jks
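The whole procedure above, as an added shell example that is not part of the original page: it writes the custom openssl.conf with subjectAltName entries, creates the key and CSR, builds the PFX with the chain embedded, and offers the keytool import as the last step. Because the real certification authority is not available offline, a throwaway self-signed local CA (an assumption of this example) signs the CSR in its place; the hostname, file names, the "changeit" password and the 2048-bit key size are constructed for the demonstration. The two check functions answer the questions a practitioner wants answered before deploying the keystore: did the chain actually end up in the PFX, and does the leaf carry the expected alt names?

```shell
#!/bin/sh
# Added example, not from the original page. Runs the page's steps in a scratch
# directory with a stand-in local CA. All names and passwords are constructed.
set -eu

HOST="java.cs.iastate.edu"
BASE="java-cs-iastate-edu"
PFX_PASS="changeit"   # constructed; keytool refuses to import a PKCS#12 that has no password

# Custom openssl.conf carrying the extra DNS names as subjectAltName entries.
# The ca_ext section is only used for the stand-in CA below.
write_san_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $HOST
[ v3_req ]
subjectAltName = DNS:$HOST, DNS:www.$HOST
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Stand-in for the certification authority: a self-signed root that signs the CSR
# and applies the SAN extension. Writes $BASE.crt and $BASE.chain.crt in $1.
local_ca_sign() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Demo Local CA" -days 30 -config "$dir/openssl.conf" -extensions ca_ext >/dev/null 2>&1
    openssl x509 -req -in "$dir/$BASE.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/$BASE.crt" -days 30 \
        -extfile "$dir/openssl.conf" -extensions v3_req >/dev/null 2>&1
    cp "$dir/ca.crt" "$dir/$BASE.chain.crt"
}

# The page's procedure: key -> CSR (with SAN) -> signed cert -> PFX with chain.
# Prints the path of the resulting .pfx file.
build_pfx() {
    dir="$1"
    write_san_config "$dir/openssl.conf"
    openssl genrsa -out "$dir/$BASE.key" 2048 >/dev/null 2>&1       # page uses 4096; 2048 keeps the demo fast
    openssl req -new -key "$dir/$BASE.key" -out "$dir/$BASE.csr" -config "$dir/openssl.conf" >/dev/null 2>&1
    local_ca_sign "$dir"
    # -certfile embeds the chain; -CAfile is only consulted together with -chain.
    openssl pkcs12 -export -out "$dir/$BASE.pfx" -in "$dir/$BASE.crt" -inkey "$dir/$BASE.key" \
        -name "$BASE" -certfile "$dir/$BASE.chain.crt" -passout "pass:$PFX_PASS" >/dev/null
    echo "$dir/$BASE.pfx"
}

# Check 1: number of certificates inside the PFX (leaf + one chain cert = 2).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Check 2: does the leaf certificate (-clcerts) carry the given DNS alt name?
pfx_has_san() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$PFX_PASS" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | grep -q "DNS:$2"
}

# Last step of the page, run only when keytool is on PATH: import into a JKS and
# show the chain length that "keytool -list -v" reports for the entry.
import_to_jks() {
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$PFX_PASS" \
            -destkeystore "${1%.pfx}.jks" -deststoretype JKS -deststorepass "$PFX_PASS" -noprompt
        keytool -list -v -keystore "${1%.pfx}.jks" -storepass "$PFX_PASS" | grep 'Certificate chain length'
    else
        echo "keytool not found; skipping JKS import"
    fi
}

# Usage: RUN_DEMO=1 sh this_script.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    pfx=$(build_pfx "$work")
    echo "certificates in PFX: $(pfx_cert_count "$pfx")"
    pfx_has_san "$pfx" "www.$HOST" && echo "leaf carries DNS:www.$HOST"
    import_to_jks "$pfx"
fi
```

A keystore whose entry reports "Certificate chain length: 1" is the usual symptom of the chain having been dropped at the PFX step; clients then fail to build a path to a trusted root even though the server certificate itself is valid. Since Java 9, keytool also prints a warning that JKS is a proprietary format and can read the PKCS#12 file directly, so the import step is needed only where the consuming application insists on a .jks file.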