
I have generated self-signed certificates with OpenSSL:

Root CA: cacert.crt (the root CA certificate), and root_key.pem (for root private key).

Client: client_cert.crt (the client certificate), and client_key.pem (for private key).

Server: server_cert.crt (the server certificate), and server_key.pem (for private key).

Both client and server certificates are signed with the root key.

As I understand it, for two-way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.

My question is how to generate, with keytool, the two pairs of client/server truststore/keystore starting from these certificates/keys.

  • This isn't programming or development, but for CA-issued certs each side's truststore should contain the root CA cert NOT the peer's cert; only for a self-signed cert need the peer cert be in the truststore. However each side's _keystore_ should contain its own _privatekey AND cert AND the CA cert(s) (aka chain)_. You can't do that with keytool, you must use OpenSSL or something like keystore-explorer; there are many answers about each -- although only some are updated to reflect an issue with new OpenSSL but older Java, see (my) https://stackoverflow.com/questions/72412346/ . – dave_thompson_085 Feb 08 '23 at 17:27
  • It is not a programming question, but it is directly linked to programming/tests: if you write code that handles SSL you will need to test it. – Anas Feb 09 '23 at 08:48

1 Answer


After some research, I found the following steps:

For client keystore:

openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt

For client truststore:

keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file server_cert.crt -alias servercert -keystore ClientTruststore

For server keystore:

openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD%
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%

For server truststore:

keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore

I tested it with a very simple SSL Client/Server by running the program:

java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar

It is working fine. Any suggestions for improvement are welcome.

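A script that builds the four stores the way dave_thompson_085's comment describes (root CA only in each truststore; private key plus certificate plus CA chain in each keystore) and checks the result with keytool. This is an added example, not code from the question or the answer; it generates throwaway certificates inline so it runs stand-alone, and the file names, aliases and the MyPassword value are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or answer: builds the four stores the
# way dave_thompson_085's comment describes. Truststores hold the root CA only;
# each keystore holds its private key, its cert and the CA cert (the chain).
set -eu

PASS="${STORE_PASS:-MyPassword}"   # store password; constructed sample value
# Throwaway root CA plus CA-signed server/client certs so the script runs
# stand-alone. With the files from the question already present, skip this.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA" \
    -keyout root_key.pem -out cacert.crt 2>/dev/null
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
      -keyout "${n}_key.pem" -out "$n.csr" 2>/dev/null
    openssl x509 -req -in "$n.csr" -CA cacert.crt -CAkey root_key.pem \
      -CAcreateserial -days 365 -out "${n}_cert.crt" 2>/dev/null
  done
}

# Keystore as PKCS12: key + cert + CA cert. -certfile supplies the chain that
# the answer's pkcs12 command leaves out. Old Java with OpenSSL 3 may need
# the -legacy option here (the issue linked in the comments).
build_keystore() {  # $1 = server | client
  openssl pkcs12 -export -name "$1" -inkey "${1}_key.pem" -in "${1}_cert.crt" \
    -certfile cacert.crt -passout "pass:$PASS" -out "$1.p12"
}

# Truststore: the root CA only. A CA-signed peer cert is accepted because it
# chains to this entry, so the peer's own cert is not imported.
build_truststore() {  # $1 = server | client
  rm -f "${1}_truststore.p12"
  keytool -importcert -noprompt -alias rootca -file cacert.crt \
    -keystore "${1}_truststore.p12" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1
}

# Number of certs in the chain of a key entry (expect 2: leaf + root).
chain_length() {  # $1 = store, $2 = alias
  keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null \
    | grep -c '^Certificate\['
}

# Number of entries in a store (expect 1 for a truststore: the root CA).
entry_count() {  # $1 = store
  keytool -list -keystore "$1" -storepass "$PASS" 2>/dev/null | grep -c 'Entry,'
}

build_all() {
  for side in server client; do build_keystore "$side"; build_truststore "$side"; done
}
```

Run make_test_certs only when the files from the question are not already present; build_all then produces server.p12, client.p12, server_truststore.p12 and client_truststore.p12, which can be passed to the javax.net.ssl.keyStore / trustStore properties shown in the answer.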