How to create Java Keystore with existing SSL certificate
Secure Sockets Layer (SSL), now more commonly called TLS, is a protocol used to secure communication between systems. It uses a public key, a private key and a random symmetric key to encrypt data.
An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. Organizations need CA-signed SSL certificates to serve their web applications over HTTPS.
In Java-based application servers, a KeyStore holds the SSL key material. A keystore contains a private/public key pair that is used for purposes such as encrypting sensitive information and communicating over SSL.
A keystore can be generated from an existing CA-signed SSL certificate, or you can generate a keystore first and later get it signed via a certificate signing request (CSR).
Since SSL is widely used, certificates that can be reused may already exist. In such situations, you can use an existing CA-signed certificate to generate your keystore for SSL using OpenSSL and the Java keytool.
Note: a CA-signed SSL certificate can now be created easily using https://certbot.eff.org/
Steps to Generate KeyStore:
First, export the certificate and its private key to the PKCS12/PFX format. Use strong passwords whenever prompted.
openssl pkcs12 -export -in <certificate file>.crt -inkey <private>.key -name "<alias>" -certfile <additional certificate file> -out <pfx keystore name>.pfx
Ex.
sudo openssl pkcs12 -export -in cert4.pem -inkey privkey4.pem -name medikacertsec -certfile fullchain4.pem -out medikasec.pfx
Convert the PKCS12/PFX keystore to a Java keystore with the command below
keytool -importkeystore -srckeystore <pkcs12 file name>.pfx -srcstoretype pkcs12 -destkeystore <JKS name>.jks -deststoretype JKS
Ex.
sudo keytool -importkeystore -srckeystore medikasec.pfx -srcstoretype pkcs12 -destkeystore medikasec.jks -deststoretype JKS
Export the public key (certificate) from the generated keystore using the following command
keytool -export -alias <alias> -keystore <JKS name>.jks -file <public key name>.pem
Ex.
sudo keytool -export -alias medikacertsec -keystore medikasec.jks -file medikacertseckey.pem
Finally, import the public key you extracted in the previous step into client-truststore.jks
keytool -import -alias <alias> -file <public key name>.pem -keystore client-truststore.jks -storepass wso2carbon
Ex.
sudo keytool -import -alias medikacertsec -file medikacertseckey.pem -keystore client-truststore.jks -storepass carbon123
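The four steps above as one runnable script, added here as an example and not part of the original post: it builds a throwaway self-signed certificate to stand in for the CA-signed one, passes passwords through environment variables so they stay out of argv and shell history, and finishes with a SHA-256 fingerprint check that the entry in client-truststore.jks is the certificate you exported. Assumed: openssl and keytool are on PATH; the alias, file names and password are demo values.

```shell
# Added example (not from the original post). Demo values throughout.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ALIAS="demo-alias"                 # hypothetical alias
export KS_PASS="demo-changeit"     # demo password; read via env, never on the command line

# Constructed stand-in for the CA-signed certificate and its private key.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Step 1: bundle key and certificate into PKCS#12 (add -certfile chain.pem for intermediates).
to_pkcs12() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/privkey.pem" -name "$ALIAS" \
    -out "$WORK/server.pfx" -passout env:KS_PASS
}

# Step 2: convert PKCS#12 to JKS; the entry keeps the alias given with -name above.
to_jks() {
  keytool -importkeystore -noprompt -srckeystore "$WORK/server.pfx" -srcstoretype pkcs12 \
    -srcstorepass:env KS_PASS -destkeystore "$WORK/server.jks" -deststoretype JKS \
    -deststorepass:env KS_PASS 2>/dev/null
}

# Step 3: export the certificate only; the private key stays in the JKS.
# -rfc writes real PEM; without it keytool writes DER even if the file is named .pem.
export_cert() {
  keytool -export -rfc -alias "$ALIAS" -keystore "$WORK/server.jks" -storepass:env KS_PASS \
    -file "$WORK/server-cert.pem" 2>/dev/null
}

# Step 4: trust that certificate in the client truststore (created if absent).
import_to_truststore() {
  keytool -import -noprompt -alias "$ALIAS" -file "$WORK/server-cert.pem" \
    -keystore "$WORK/client-truststore.jks" -storetype JKS -storepass:env KS_PASS 2>/dev/null
}

# Check: SHA-256 fingerprint of the original cert must equal the truststore entry's.
fingerprint_pem() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//' | tr -d ':'; }
fingerprint_truststore() {
  keytool -list -v -alias "$ALIAS" -keystore "$WORK/client-truststore.jks" -storepass:env KS_PASS 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1 | tr -d ':'
}
truststore_matches_original() {
  [ "$(fingerprint_pem "$WORK/cert.pem")" = "$(fingerprint_truststore)" ] && echo match || echo MISMATCH
}

run_all() { make_test_cert && to_pkcs12 && to_jks && export_cert && import_to_truststore; }
if [ "${1:-}" = run ]; then run_all && echo "truststore entry: $(truststore_matches_original)"; fi
```

Run as `sh keystore-demo.sh run`; for a real deployment, drop make_test_cert, point the paths at your CA-issued certificate and key, and add -certfile with the intermediate chain in step 1.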