78

I used the following steps to create a new Java keystore with a private/public key pair to be used by a Java (internal) server with TLS. Please notice that the certificate is self-signed:

1) Generate key with AES256

openssl genrsa -aes256 -out server.key 1024

2) Generate cert request for CA

openssl req -x509 -sha256 -new -key server.key -out server.csr

3) Generate self-signed, expiry time 10 years

openssl x509 -sha256 -days 3652 -in server.csr -signkey server.key -out selfsigned.crt

4) Use a program like KeyStoreExplorer to import the pair (private key and selfsigned certificate) in a new JKS

This works but I'd like to implement the last step without using a GUI.

I know how to import the self signed certificate only:

// create the keystore and import the public key. THIS WILL NOT IMPORT THE PRIVATE KEY SO THE KEYSTORE CAN'T BE USED ON THE SERVER TO MAKE THE TLS CONNECTION
/usr/java/jdk1.6.0_45/bin/keytool -import -alias myservercert -file server.crt -keystore mykeystore.jks

So the question is: how can I create a Java KeyStore and import both the certificate with the public key and the private key without using a GUI?

kingston
  • Maybe this "ImportKey" Java program will do the job for you without a GUI: http://www.agentbob.info/agentbob/79-AB.html – sk2212 Jul 17 '13 at 09:14
  • If the target system is Java there is no need to use OpenSSL at all, just the keytool. See for example the JSSE Reference Guide, or the tool documentation for the keytool. – user207421 Jul 17 '13 at 10:06

2 Answers

186

With your private key and public certificate, you need to create a PKCS12 keystore first, then convert it into a JKS.

# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12

# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert

To verify the contents of the JKS, you can use this command:

keytool -list -v -keystore mykeystore.jks

If this was not a self-signed certificate, you would probably want to follow this step with importing the certificate chain leading up to the trusted CA cert.

gtrig
    http://stackoverflow.com/a/8224863/183622 shows a more thorough example including CA certificates and chain preservation if that's needed – Michael Renner May 07 '14 at 11:04
  • 1. `openssl pkcs12 -inkey server_private.key -in my_server.crt -export -out intermediate_keys.pkcs12` and 2. `keytool -importkeystore -srckeystore intermediate_keys.pkcs12 -srcstoretype pkcs12 -destkeystore my_keystore.jks` These commands worked for me – Santhosh Nov 04 '20 at 10:49
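As an added example (not code from the question or from either answer), the script below runs the asker's four steps and the accepted answer's PKCS12-to-JKS conversion non-interactively, then checks that the resulting store really holds a PrivateKeyEntry and not just a trustedCertEntry, which is exactly the difference between `keytool -import -file cert` and the PKCS12 route. It assumes `openssl` is on PATH and `keytool` (from a JDK) optionally is; the file names, alias, subject and passwords are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Passphrase-protected RSA key -> self-signed cert -> PKCS12 -> JKS, with checks
# that the private key actually ends up in the store.
# Assumptions: openssl on PATH; keytool optional; names/passwords below are constructed.
set -eu

ALIAS=myservercert

# make_key_and_cert DIR KEYPASS
# Creates DIR/server.key (RSA 2048, AES-256-encrypted PEM) and DIR/selfsigned.crt (10 years).
make_key_and_cert() {
  dir=$1; keypass=$2
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout "pass:$keypass" -out "$dir/server.key" 2048 2>/dev/null
  # -x509 makes req emit a self-signed certificate directly; -subj avoids the interactive prompts.
  openssl req -x509 -new -sha256 -days 3652 -key "$dir/server.key" -passin "pass:$keypass" \
      -subj "/CN=internal-server.example" -out "$dir/selfsigned.crt" 2>/dev/null
}

# make_p12 DIR KEYPASS STOREPASS
# Bundles key + cert into DIR/keystore.p12. This is the step that carries the private key;
# a plain "keytool -import -file cert" only creates a trustedCertEntry.
make_p12() {
  dir=$1; keypass=$2; storepass=$3
  openssl pkcs12 -export -name "$ALIAS" -in "$dir/selfsigned.crt" -inkey "$dir/server.key" \
      -passin "pass:$keypass" -passout "pass:$storepass" -out "$dir/keystore.p12"
}

# p12_has_private_key P12 STOREPASS -> exit 0 if openssl can extract a private key from the bundle
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# p12_to_jks DIR STOREPASS -> DIR/mykeystore.jks (same password for store and key entry)
p12_to_jks() {
  dir=$1; storepass=$2
  keytool -importkeystore -noprompt \
      -srckeystore "$dir/keystore.p12" -srcstoretype pkcs12 -srcstorepass "$storepass" \
      -destkeystore "$dir/mykeystore.jks" -deststoretype jks -deststorepass "$storepass" \
      -alias "$ALIAS" >/dev/null 2>&1
}

# jks_entry_type JKS STOREPASS ALIAS -> prints PrivateKeyEntry or trustedCertEntry
jks_entry_type() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
      | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Stand-alone run: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_key_and_cert "$d" keypass123
  make_p12 "$d" keypass123 changeit
  p12_has_private_key "$d/keystore.p12" changeit && echo "PKCS12 contains the private key"
  if command -v keytool >/dev/null 2>&1; then
    p12_to_jks "$d" changeit
    echo "JKS entry type: $(jks_entry_type "$d/mykeystore.jks" changeit "$ALIAS")"
  fi
fi
```

Two practical notes: a JDK from 9 onwards can use the PKCS12 file directly as the server keystore (store type PKCS12), so the JKS conversion is only needed for older deployments; and JDK 8 builds before 8u301 cannot read a PKCS12 written with OpenSSL 3 defaults (AES with PBKDF2), so on such a JDK you would have to tell `openssl pkcs12` to use the legacy 3DES/SHA-1 algorithms.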
0

A keystore needs a keystore file. The KeyStore class needs a FileInputStream. But if you supply null (instead of FileInputStream instance) an empty keystore will be loaded. Once you create a keystore, you can verify its integrity using keytool.

The following code creates an empty keystore with an empty password:

  import java.io.FileOutputStream;
  import java.security.KeyStore;

  // Loading from a null stream yields an empty keystore; store it with an empty password.
  KeyStore ks2 = KeyStore.getInstance("jks");
  ks2.load(null, "".toCharArray());
  try (FileOutputStream out = new FileOutputStream("C:\\mykeytore.keystore")) {
      ks2.store(out, "".toCharArray());
  }

Once you have the keystore, importing a certificate is very easy. Check out this link for the sample code.

Santosh
  • It isn't necessary to write any code to accomplish this. The link you cited contains significant errors. – user207421 Mar 28 '16 at 21:50
  • @EJB, I saw your comment on the blog. I agree that it isn't necessary to write any code to accomplish this. But, in case it has to be accomplished programmatically? – Santosh Mar 29 '16 at 14:41
  • 1
    Also, Your observation about `InpputStream.available()`, is correct, but I see that the documentation of `FilterInputStream.available()` says _Returns an estimate of the number of bytes that can be read (or skipped over) from this input stream_ and there is no warning! In the example (in blog), `DataInputStream.available()` is used everywhere & `FilterInputStream` is extended by `DataInputStream`. Shouldn't it be safe to use `available()` in this particular case? – Santosh Mar 29 '16 at 14:44
  • 1
    Requesting to back the downvote by appropriate comment. Anonymous downvoting does not help anybody. – Santosh Mar 30 '16 at 10:38
  • 1. Programmatic creation is one of THE options for 'without GUI' nonetheless. 2. Partial quotation was for this 'Particular Case' I was talking about and I clearly mentioned that. – Santosh Jul 15 '17 at 12:27
  • 1. 'Without a GUI' does not *imply* 'programmatic creation'. 2. Unless you can and do produce evidence that the part you left out of your partial quotation doesn't apply to this 'particular case' your error remains. 3. The code you posted merely creates an empty keystore. It is not in any way an answer to the question. – user207421 Aug 24 '17 at 10:13