I created a CSR file using

    openssl req -nodes -newkey rsa:2048 -keyout yourdomain.key -out yourdomain.csr -sha256

It created a CSR file and a key file. I submitted the CSR file to a CA. They responded with a single file, yourdomain.crt.

I've tried to import the yourdomain.crt to my java's cacert by:

    keytool -import -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -file ~/Desktop/user/yourdomain.crt -alias yourdomain

And now I am confused about how to generate a keystore (jks file). Do I use the same yourdomain.crt? And what is the command that I should use?

My spring boot program consists of

    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import javax.net.ssl.SSLContext;
    import org.apache.http.ssl.SSLContextBuilder; // httpcore's builder, inferred from create()/useProtocol()

    // Builds the SSLContext from a JKS key store (our own certificate and key) and the
    // JDK cacerts file as trust store; CACERTS_PATH, JKS_PATH, KEY_PASS, TRUST_PASS are constants.
    SSLContext buildSslContext() throws Exception {
        File trustStoreFile = new File(CACERTS_PATH);
        File keyStoreFile = new File(JKS_PATH);
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(keyStoreFile), KEY_PASS.toCharArray());
        return SSLContextBuilder.create()
                .useProtocol("TLS")
                .loadKeyMaterial(ks, KEY_PASS.toCharArray())
                .loadTrustMaterial(trustStoreFile, TRUST_PASS.toCharArray())
                .build();
    }

So I need a cacerts path which I believe is the cacerts from my jdk, and the password is the one which I typed when prompted for it.

Now how do I generate a keystore file for it?

And do I need to add the server.ssl properties for Spring Boot?

Mohendra Amatya
  • Possible duplicate https://stackoverflow.com/questions/38250271/creating-a-jks-from-a-crt-and-key-file-is-that-possible – Akash May 29 '19 at 11:58
  • You don't actually need a JKS-format keystore for Java which has supported PKCS12 as a keystore format for well over 10 years -- and _recent_ versions (j9 up) encourage you to use PKCS12 _instead of_ JKS and JCEKS. – dave_thompson_085 May 30 '19 at 07:34
  • And many more dupes linked at https://stackoverflow.com/questions/37412374/java-sslhandshakeexception-no-cipher-suites-in-common and https://stackoverflow.com/questions/51032763/how-do-i-generate-x-509-certificate-from-key-generated-by-openssl – dave_thompson_085 May 31 '19 at 07:45


First, you have to convert yourdomain.crt to .p12 format. To do so, write the following command in the openssl terminal:

    pkcs12 -export -in yourdomain.crt -inkey yourdomain.key -chain -CAfile rootCA.pem -name "localhost" -out my.p12

where rootCA.pem is a file you have to create; for that, write the following commands in openssl:

Step 1:

    genrsa -des3 -out rootCA.key 2048

and hit enter; you will get the rootCA.key file.

Step 2:

    req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

yourdomain.key is a file you have to create by entering the following command in openssl:

    req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf

where the server.csr.cnf file contains the following, and inside it you can write:

    authorityKeyIdentifier = keyid, issuer
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = localhost
    IP.1 = 127.0.0.1
    IP.2 = 192.168.1.XX
    IP.3 = 192.XXX.XX.XXX
    IP.4 = 192.XX.XX.XX

and so on.

The server.csr and server.key files are created.

After following all the steps, you will get a .p12 format file. Now you have to convert the .p12 file to keystore.jks format; to do so, write the following command on cmd (opened in administrator mode):

    keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12
  • For a cert obtained from a real CA, creating your own CA is unnecessary and useless. Use the chain and optionally root cert(s) _from the real CA_ instead. – dave_thompson_085 May 30 '19 at 07:29
  • @dave_thompson_085 I have received a domain.crt from the CA; please would you clarify with steps. – Mohendra Amatya May 30 '19 at 07:49
  • @MohendraAmatya: as in the many dupes, and the first part of Pankaj's answer, use `openssl pkcs12 -export` with at least the CA-provided cert _and_ your private key file. For best results you should also provide the chain cert(s) supplied or specified by the CA, which vary depending on the type of cert you got and the CA you got it from; if in p7b/p7c/pkcs7 format, first 'unpack' with `openssl pkcs7 -print_certs`. – dave_thompson_085 May 31 '19 at 07:51
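The route described in the answer's first step and in dave_thompson_085's comments (pack the CA-issued certificate, your private key and the CA's chain into a PKCS12 with `openssl pkcs12 -export`, no home-made root CA), as an added example that is not part of the question or the answer. It assumes the files are named yourdomain.crt, yourdomain.key and chain.pem, adds a key-to-certificate match check before packing, and the material generated by `make_sample_material` is a constructed stand-in for what a real CA would send.

```shell
#!/bin/sh
# Added example (not the question's or the answer's code): pack a CA-issued
# certificate, its private key and the CA-supplied chain into a PKCS12 keystore,
# refusing to pack a key that does not belong to the certificate. JKS is optional.
# Assumed names: yourdomain.crt, yourdomain.key, chain.pem (PEM chain from the CA).
set -eu

# The public key inside the certificate must equal the one derived from the key;
# a mismatch means the wrong .key was kept (several CSRs generated, for example).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# -certfile adds the intermediates so TLS clients receive the full chain;
# -name is the alias Java/keytool will show for the entry.
build_p12() {
  crt=$1; key=$2; chain=$3; out=$4; pass=$5
  key_matches_cert "$crt" "$key" || { echo "private key does not match $crt" >&2; return 1; }
  openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$chain" \
    -name yourdomain -out "$out" -passout "pass:$pass"
}

# Number of certificates stored in the PKCS12 (leaf plus chain), to verify the result.
cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# Optional: convert to JKS for code that insists on KeyStore.getInstance("JKS");
# Java 9+ reads PKCS12 directly, so this step can usually be skipped.
to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype JKS -deststorepass "$2" -noprompt
}

# Constructed stand-in for what a real CA would send (a toy root CA and a leaf it
# signed), written into directory $1. Only here so the example runs offline.
make_sample_material() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/chain.pem" \
    -subj "/CN=Sample Root CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/yourdomain.key" -out "$d/yourdomain.csr" \
    -subj "/CN=yourdomain.example" 2>/dev/null
  openssl x509 -req -in "$d/yourdomain.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/yourdomain.crt" -days 1 2>/dev/null
}

# Usage on real CA material: build_p12 yourdomain.crt yourdomain.key chain.pem my.p12 "$PASS"
# then, only if JKS is really required: to_jks my.p12 "$PASS" my-keystore.jks
```

The resulting my.p12 can be loaded in the Spring Boot code above with `KeyStore.getInstance("PKCS12")` instead of "JKS", which avoids the keytool conversion entirely.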