Putting an SSL Certificate in a Java KeyStore

Software required: OpenSSL, and an Oracle Java JDK (or OpenJDK) for keytool. IBM's Java will not work with this procedure.

This example creates a keystore file for a server called "java.cs.iastate.edu". For clarity, all files start with this hostname, but that isn't necessary: the file names mean nothing to Java. They could just as well be called java-cs-iastate-edu* or sparkling-vampires*. What matters is the alias given when the PFX is built (the -name value below), which is how a server configuration picks an entry out of a keystore that holds more than one, and the certificate's common name and subjectAltName DNS entries, which clients match against the hostname they connected to.

Create a new key
openssl genrsa -out java-cs-iastate-edu.key 4096

genrsa writes the private key unencrypted, so keep the file readable only by the account that will run the server.

Create a certificate signing request
Need to support multiple DNS names? Create a custom openssl.conf that lists them under "subjectAltName" and pass it to openssl req with -config. On OpenSSL 1.1.1 and later, -addext "subjectAltName=DNS:..." does the same without a config file. Current browsers ignore the common name and require the hostname to appear in subjectAltName, so list it there even when there is only one name.
openssl req -new -key java-cs-iastate-edu.key -out java-cs-iastate-edu.csr

Send the CSR to the certification authority for signing.
When it comes back, save the signed certificate as java-cs-iastate-edu.crt and the issuing chain (the intermediate certificate and, if the CA supplies it, the root) as java-cs-iastate-edu.chain.crt, both in PEM format.

Finally, to create the actual Java KeyStore:

  1. Bundle the private key, the signed certificate and the chain into a PKCS#12 (PFX) file using OpenSSL
    openssl pkcs12 -export -out java-cs-iastate-edu.pfx -in java-cs-iastate-edu.crt -inkey java-cs-iastate-edu.key -name java-cs-iastate-edu -certfile java-cs-iastate-edu.chain.crt

    -certfile is what embeds the chain in the PFX. -CAfile on its own only names a trust store for OpenSSL to search when -chain is also given; without -chain it embeds nothing, and the resulting keystore would serve the leaf certificate alone, which most clients reject as incomplete. The -noiter and -nomaciter options sometimes seen here disable the iteration count of the password-based encryption and MAC; they are a concession to very old clients that keytool does not need, so leave them out.

    Important note: You must set a password on the PFX file or keytool will fail to import. OpenSSL 3 also encrypts PKCS#12 files with AES-256 and PBKDF2 by default, which older Java releases cannot parse; if keytool rejects the file with a parse error, re-export it with the -legacy option, which restores the older encoding.
     
  2. Import the PFX file to a new Java KeyStore file
    keytool -importkeystore -srckeystore java-cs-iastate-edu.pfx -srcstoretype pkcs12 -destkeystore java-cs-iastate-edu.jks -deststoretype JKS

    keytool prompts for a password for the new keystore and for the PFX password, and keeps the alias set with -name. Since Java 9 the default keystore type is PKCS12 and keytool warns that JKS is a proprietary format; if nothing in your deployment insists on JKS, either use the PFX file directly as a PKCS12 keystore or pass -deststoretype PKCS12 here.
     
  3. Done
    The new java-cs-iastate-edu.jks file is ready for use. It contains the private key, so give it the same file permissions as the key file.

You can check the contents of a Java KeyStore file using the keytool command:
keytool -list -v -keystore java-cs-iastate-edu.jks

In the output, confirm that the entry type is PrivateKeyEntry, that the alias is the one given with -name, and that "Certificate chain length" is greater than 1 (the leaf plus its issuers). A chain length of 1 means the chain file was not embedded in the PFX.
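The whole procedure end to end, as an added example that is not part of the original page: a POSIX shell script that stands a throwaway self-signed CA in for the real certification authority so it runs offline, generates an openssl.conf carrying the subjectAltName entries, builds the key and CSR, signs the CSR, bundles key, leaf and chain into a PKCS#12 file, and converts it to JKS when a JDK keytool is on the PATH. The test CA, the extra name www.java.cs.iastate.edu, the password "changeit", the 2048-bit key size and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the java.cs.iastate.edu keystore end to end with a local test CA.
set -eu

HOST=java.cs.iastate.edu   # hostname from the article
PASS=changeit              # assumed PKCS#12 / keystore password for the example

# Minimal openssl.conf: the server's DN, its SAN list, and a section for the test CA.
# www.$HOST is a constructed second name to show multiple DNS entries.
write_openssl_conf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions = san
prompt = no
[ dn ]
CN = $HOST
[ san ]
subjectAltName = DNS:$HOST, DNS:www.$HOST
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

build_keystore() {
  dir=$1
  conf="$dir/openssl.conf"
  write_openssl_conf "$conf"

  # Stand-in for the real CA: a self-signed test CA (assumption for this example).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$conf" \
    -subj "/CN=Example Test CA" -extensions ca_ext \
    -keyout "$dir/testca.key" -out "$dir/testca.crt"

  # Create a new key (2048 bits to keep the example fast; 4096 as in the article also works)
  # and restrict it to the owner, since genrsa writes it unencrypted.
  openssl genrsa -out "$dir/$HOST.key" 2048 2>/dev/null
  chmod 600 "$dir/$HOST.key"

  # Create the CSR; req_extensions = san in the config puts the DNS names into it.
  openssl req -new -key "$dir/$HOST.key" -config "$conf" -out "$dir/$HOST.csr"

  # "Send to the CA": the test CA signs it, applying the same SAN section to the certificate.
  openssl x509 -req -in "$dir/$HOST.csr" -CA "$dir/testca.crt" -CAkey "$dir/testca.key" \
    -CAcreateserial -days 1 -extfile "$conf" -extensions san -out "$dir/$HOST.crt"
  cp "$dir/testca.crt" "$dir/$HOST.chain.crt"   # the chain the CA would hand back

  # Bundle key + leaf + chain into PKCS#12. -certfile is what embeds the chain.
  openssl pkcs12 -export -in "$dir/$HOST.crt" -inkey "$dir/$HOST.key" \
    -certfile "$dir/$HOST.chain.crt" -name "$HOST" -passout "pass:$PASS" \
    -out "$dir/$HOST.pfx"

  # Convert to JKS when a JDK keytool is available (the PFX itself is already a valid
  # PKCS12 keystore, so this step is optional on Java 9 and later).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt \
      -srckeystore "$dir/$HOST.pfx" -srcstoretype PKCS12 -srcstorepass "$PASS" \
      -destkeystore "$dir/$HOST.jks" -deststoretype JKS -deststorepass "$PASS"
  fi
}

# Number of certificates embedded in the PKCS#12 bundle; 2 means leaf + chain, 1 means
# the chain was left out (the -CAfile-without--chain mistake).
count_pkcs12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Prints 1 if the certificate in $1 carries DNS:$2 in its subjectAltName, else 0.
has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -c "DNS:$2" || true
}

# Stand-alone run in a scratch directory.
workdir=$(mktemp -d)
build_keystore "$workdir"
echo "certificates in $HOST.pfx: $(count_pkcs12_certs "$workdir/$HOST.pfx")"
echo "leaf lists DNS:$HOST: $(has_dns_san "$workdir/$HOST.crt" "$HOST")"
[ -f "$workdir/$HOST.jks" ] && keytool -list -v -keystore "$workdir/$HOST.jks" -storepass "$PASS" | grep -E 'Alias name|Entry type|chain length'
```

The count_pkcs12_certs check is the one worth keeping around: it catches the missing-chain keystore before a client ever sees it, and it needs only OpenSSL, so it can run on a build host without a JDK.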