Follow the steps below to get an SSL certificate for a Java-based application server. The steps use keytool, which is available in JAVA_HOME/bin/.
Create a new keystore keystore.jks for managing your public/private key pairs and certificates.
Note: the -v option is for detailed output.
Keytool help for the commands
[wlsuser@localhost tmp]$ keytool
Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore

Use "keytool -command_name -help" for usage of command_name
[wlsuser@localhost tmp]$
Generate key
-genkey
keytool -genkey -v -alias mycert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
-dname "CN=www.abc.com, OU=abc, O=ABC Corp, C=IN, ST=Banglore, L=India" \
-keypass pkpassword -storepass storepassword -validity 365 -keystore keystore.jks
Generate a CSR in the file carequest.csr for submission to a CA. The CA signs and returns a certificate or a certificate chain that authenticates your public key.
CSR
keytool -certreq -v -alias mycert -file carequest.csr -keystore keystore.jks -storepass storepassword
Send or upload the CSR file to the third-party site like and get it signed. Then download the root and intermediate certificates and the carequest.cer file.
Print the contents of a certificate file in a human-readable form.
keytool -printcert -v -file carequest.cer
Import Root
keytool -importcert -alias root -file root.cer -keystore keystore.jks -storepass storepassword
Import Intermediate
keytool -importcert -alias inter -file intermediate.cer -keystore keystore.jks -storepass storepassword
Import server Certificate
keytool -importcert -alias mycert -file carequest.cer -keystore keystore.jks -storepass storepassword
Verify keystore
keytool -list -v -alias mycert -keystore keystore.jks -storepass storepassword
Change keystore password
keytool -storepasswd -keystore keystore.jks
Change key password
keytool -keypasswd -alias mycert -keystore keystore.jks
Delete the certificate with the alias aliasname from the keystore keystore.jks.
keytool -delete -alias aliasname -keystore keystore.jks -storepass storepassword
Print the certificate
keytool -printcert -file mycert.cer
Now the keystore is ready. We can use this keystore to configure application servers like JBoss, WebLogic, WebSphere, Tomcat, etc.
If both Owner and Issuer are the same in a certificate, it is a self-signed certificate. We can use a self-signed cert for the server, but it is not secure and not recommended.
Every root certificate of a third-party provider is itself self-signed and is used to sign other certificates.
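The "verify keystore" step and the Owner/Issuer rule above can be turned into a check that tells whether the mycert entry still holds the self-signed certificate from -genkey or the CA-signed chain. This is an added example, not part of the original post; it assumes English keytool output, and the function names and the "Example ... CA" names in the sample text are made up for illustration.

```shell
# Added example: classifies the text printed by
# "keytool -list -v -alias mycert -keystore keystore.jks", read from stdin.
check_entry() {
  awk '
    /^Entry type:/            { sub(/^Entry type: */, ""); type = $0 }
    /^Certificate\[[0-9]+\]:/ { n++ }
    /^Owner:/                 { sub(/^Owner: */, "");  owner[n] = $0 }
    /^Issuer:/                { sub(/^Issuer: */, ""); issuer[n] = $0 }
    END {
      # The CA reply must land on the entry that holds the private key.
      if (type != "PrivateKeyEntry") { print "no-private-key"; exit }
      # Owner == Issuer on the leaf: still the certificate made by -genkey.
      if (owner[1] == issuer[1])     { print "self-signed"; exit }
      # Each certificate must be issued by the next one in the chain.
      for (i = 1; i < n; i++)
        if (issuer[i] != owner[i + 1]) { print "broken-chain"; exit }
      # The chain should end at a self-signed root.
      if (owner[n] != issuer[n])     { print "incomplete-chain"; exit }
      print "ca-signed"
    }'
}

# Constructed, abbreviated keytool output: right after -genkey.
sample_after_genkey() { cat <<'EOF'
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.abc.com, OU=abc, O=ABC Corp, L=India, ST=Banglore, C=IN
Issuer: CN=www.abc.com, OU=abc, O=ABC Corp, L=India, ST=Banglore, C=IN
EOF
}

# Constructed: after importing root, intermediate and the CA reply.
sample_after_import() { cat <<'EOF'
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.abc.com, OU=abc, O=ABC Corp, L=India, ST=Banglore, C=IN
Issuer: CN=Example Intermediate CA, O=Example CA
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
EOF
}
```

Against a real keystore, pipe the output of the verify command into check_entry. A result of no-private-key usually means the signed certificate was imported under a different alias than the one used for -genkey, so it was stored as a trusted certificate instead of replacing the self-signed one.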