7

I want to generate a self signed trusted certificate and a csr and sign the csr with trusted certificate created. I am trying it with keytool. In the first step of creating a trusted certificate using the below command

keytool -genkey -alias mytrustCA -keyalg RSA -keystore keystore.jks -keysize 1024

where it puts the certificate into keystore. How can I store it to a file ? and when I list the contents using

keytool -list -v -keystore cert/test.keystore

Certificate created with above "genkey" command creates with entry type as "PrivateKeyEntry", how can create a trusted Cert Entry ?

Lolly
  • 34,250
  • 42
  • 115
  • 150

2 Answers2

12

In your first command, you have used the -genkey option to generate the keystore named keystore.jks.

To export the certificate in .CER format file, you will need to use the -export option of the keytool.

An example is:

keytool -v -export -file mytrustCA.cer -keystore keystore.jks -alias mytrustCA

This will generate a file named mytrustCA.cer

To generate a certificate request to send to a CA for obtaining a signed certificate, you will need to use the -certreq option of keytool.

An example is:

keytool -v -certreq -keystore keystore.jks -alias mytrustCA

This will ask for the keystore password and on successful authentication, it will show the certificate request as given below (a sample). 

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJhMQ8wDQYDVQQH
EwZNdW1iYWkxEjAQBgNVBAoTCU1pbmRzdG9ybTEUMBIGA1UECxMLRW5naW5lZXJpbmcxFDASBgNV
BAMTC1JvbWluIElyYW5pMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqOLEumwLHlzIUAPD6
Ab1pVp84mhSNCCcUKInZbSdiDYnKSr46EjEw0PtZOVPJbM4ZG3bZsOboYr0YfViJi41o4yJICFAZ
8wCQQxPK/4N8MPV7C5WDH28kRKGH/Pc2e7CxV+as573I34QmkINk7fEyERMDwP/WgmrcKZgL0sfy
ewIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAlcpjOUZFP9ixskXSA7HNlioWwjbL9f9rQskJ9rK8
kGLJ1td+mqqm20yo/JrKCzZjOMqr/aL6Zw2dkoyU34T9HnR2Bs3SgKn6wlYsYEVvVBk71Ec6PeTi
e+fhfNQEHsj4wuB4qixO3s1jtsLDy+DpTzYguszczwxXGFVNuk+y2VY=
-----END NEW CERTIFICATE REQUEST-----

You will need to send this Certificate REquest or paste it into the Digital Certificate signer webpage. Alternately, you can even redirect this output to a file instead of the console as follows:

keytool -v -certreq -keystore keystore.jks -alias mytrustCA > mycertreq.txt
Romin
  • 8,708
  • 2
  • 24
  • 28
2

This is a command line example without any interactive prompts, may be easier to use this way and document all commands in a text file.

Create JavaKeyStore file and a self-signed certificate key

keytool -genkey -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype JKS \
  -keystore     my.server.com.jks -storepass mypwd -keypass mypwd \
  -dname    "CN=my.server.com, OU=EastCoast, O=MyComp Ltd, L=New York, ST=, C=US" \
  -ext "SAN=dns:my.server.com,dns:www.my.server.com,ip:11.22.33.44" \
  -validity 7200
keytool -keystore my.server.com.jks -storepass mypwd -list -v

You can use this keystore(.jks) file already in Tomcat but browsers give a self-signed certificate warning. Give SubjectAlternativeName extension argument with one or more dns names and optional ip address.

Create CertificateSigningRequest file

keytool -certreq -alias server -file my.server.com.csr \
  -keystore my.server.com.jks -storepass mypwd \
  -ext "SAN=dns:my.server.com,dns:www.my.server.com,ip:11.22.33.44" \
keytool -printcertreq -file my.server.com.csr

Send .csr file to CertificateAuthority(CA) operator for signing, you should later receive a certificate(cer) file. You must give here SubjectAlternativeName extension argument second time.

Import Certificate file to a keystore

keytool -import -trustcacerts -keystore my.server.com.jks -storepass mypwd \
  -alias server -file my.server.com.cer

This command pairs your private key and a public certificate with a trusted valid CA authority. Browsers should not give a certificate warning anymore.

Import intermediate CA certs

keytool.exe -importcert -trustcacerts -file SomeCA.cer -alias someca -keystore my.server.com.jks -storepass mypwd
keytool.exe -importcert -trustcacerts -file SomeCAIssuing.cer -alias somecaissuing -keystore my.server.com.jks -storepass mypwd

This imports CA issuing certificates, you may need to do this before importing your certificate file(.cer).

Your hostname certificate may have an expiration date, so once about to expire soon create a new signing request(.csr) file from the keystore, send new csr file to CA authority, import new certificate(.cer) file.

You most likely are using jks keystore in Tomcat web server so here is tomcat/conf/server.xml https connector examples.

Tomcat 9+

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
connectionTimeout="20000" maxThreads="150" 
URIEncoding="UTF-8" useBodyEncodingForURI="true" maxHttpHeaderSize="65536"
compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" 
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig protocols="all">
  <Certificate certificateKeystoreFile="my.server.com.jks" certificateKeystoreType="JKS"
   certificateKeystorePassword="mypwd" certificateKeyAlias="server" />
</SSLHostConfig>
</Connector>

Tomcat8.5, if older than 8.0 you may need to drop ciphers arguments

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
            disableUploadTimeout="true" useBodyEncodingForURI="true"
            acceptCount="300" acceptorThreadCount="2" maxThreads="400"
            compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
            compression="off" compressionMinSize="2048"

            keystoreFile="my.server.com.jks" keystorePass="mypwd" keyAlias="server"
            SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
            sslEnabledProtocols="+TLSv1,+TLSv1.1,+TLSv1.2"
            ciphers="
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDH_RSA_WITH_RC4_128_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_RSA_WITH_RC4_128_MD5,
    SSL_RSA_WITH_RC4_128_SHA,
    TLS_EMPTY_RENEGOTIATION_INFO_SCSVF
            "
        />
Whome
  • 10,181
  • 6
  • 53
  • 65