Asanka Vithanage

Summary

This article explains how to create a Java Keystore using an existing SSL certificate.

Abstract

The article explains that SSL (Secure Sockets Layer) is a protocol used to secure communication between systems. It uses a public key, a private key, and a random symmetric key to encrypt data. The article explains that an SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection. It is essential for organizations that serve their web applications over HTTPS. In Java-based application servers, KeyStore stores the SSL key details. The article provides step-by-step instructions on how to generate a Keystore using an existing CA-signed SSL certificate. It uses OpenSSL and Java keytool to achieve this.

Opinions

  • The article suggests that organizations need to get CA-signed SSL certificates to serve their web applications over HTTPS.
  • The article notes that SSL is widely used in many systems, and certificates may already exist that can be reused.
  • The article provides an example of how to export certificates to the PKCS12/PFX format and convert it to a Java keystore.

How to create Java Keystore with existing SSL certificate

Secure Sockets Layer (SSL), today more commonly called TLS, is a protocol used to secure communication between systems. It uses a public key, a private key and a random symmetric key to encrypt data.

An SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection. Organizations need to get CA-signed SSL certificates to serve their web applications over HTTPS.

In Java-based application servers, a KeyStore stores the SSL key details. A keystore holds a private/public key pair that is used for purposes such as encrypting sensitive information and communicating over SSL.

A keystore can be generated from an existing CA-signed SSL certificate, or you can generate a keystore first and later get it signed via a certificate signing request (CSR).

Since SSL is widely used in many systems, certificates may already exist that can be reused. In such situations, you can use the existing CA-signed certificate to generate your keystore for SSL by using OpenSSL and Java keytool.

Note: a CA-signed SSL certificate can now be created easily using https://certbot.eff.org/

Steps to Generate KeyStore:

First, you must export certificates to the PKCS12/PFX format. Give strong passwords whenever required.

openssl pkcs12 -export -in <certificate file>.crt -inkey <private>.key -name "<alias>" -certfile <additional certificate file> -out <pfx keystore name>.pfx
Ex.
sudo openssl pkcs12 -export -in cert4.pem -inkey privkey4.pem -name medikacertsec -certfile fullchain4.pem -out medikasec.pfx

Convert the PKCS12/PFX formatted keystore to a Java keystore with the command below.

keytool -importkeystore -srckeystore <pkcs12 file name>.pfx -srcstoretype pkcs12 -destkeystore <JKS name>.jks -deststoretype JKS
Ex.
sudo keytool -importkeystore -srckeystore medikasec.pfx -srcstoretype pkcs12 -destkeystore medikasec.jks -deststoretype JKS

Export the certificate (public key) from the generated KeyStore using the following command

keytool -export -alias <alias> -keystore <JKS name>.jks -file <public key name>.pem
Ex.
sudo keytool -export -alias medikacertsec -keystore medikasec.jks -file medikacertseckey.pem

Finally, import the public key you extracted in the previous step into the client-truststore.jks

keytool -import -alias <alias> -file <public key name>.pem -keystore client-truststore.jks -storepass <truststore password>
Ex.
sudo keytool -import -alias medikacertsec -file medikacertseckey.pem -keystore client-truststore.jks -storepass carbon123
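The four steps above as one script, added here as an example and not taken from the article: it wraps the same openssl and keytool commands in functions and adds the checks a practitioner wants before trusting the result, namely that the private key really belongs to the certificate and that the finished stores contain the alias as the right entry type. File names, the alias and the KS_PASS/TS_PASS environment variables are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Wraps the article's four
# openssl/keytool steps in functions and adds the checks a practitioner wants:
# the private key must match the certificate, every input file must exist, and
# the finished stores are listed to confirm the alias landed as the right entry
# type. Passwords are read from KS_PASS / TS_PASS (assumed names) so they stay
# out of shell history and process listings.
set -euo pipefail

# key_matches_cert CERT KEY -> returns 0 only if both carry the same public key.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# build_keystore CERT KEY CHAIN ALIAS OUT -> writes OUT.pfx and OUT.jks (article steps 1-2).
build_keystore() {
  local cert=$1 key=$2 chain=$3 alias=$4 out=$5 f
  for f in "$cert" "$key" "$chain"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  key_matches_cert "$cert" "$key" || { echo "private key does not match $cert" >&2; return 1; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" -certfile "$chain" \
    -passout env:KS_PASS -out "$out.pfx"
  # JKS is a legacy format: since Java 9 keytool defaults to PKCS12 and most
  # servers load the .pfx directly. The conversion is kept to mirror the article.
  keytool -importkeystore -srckeystore "$out.pfx" -srcstoretype pkcs12 -srcstorepass "$KS_PASS" \
    -destkeystore "$out.jks" -deststoretype JKS -deststorepass "$KS_PASS" -noprompt
  # Verify the alias is present as a PrivateKeyEntry (key plus certificate chain).
  keytool -list -keystore "$out.jks" -storepass "$KS_PASS" -alias "$alias" | grep -q PrivateKeyEntry
}

# add_to_truststore JKS ALIAS TRUSTSTORE -> exports the server certificate from JKS
# and imports it as a trusted entry (article steps 3-4); the PEM lands next to JKS.
add_to_truststore() {
  local jks=$1 alias=$2 truststore=$3 pem=${1%.jks}-$2.pem
  keytool -export -rfc -alias "$alias" -keystore "$jks" -storepass "$KS_PASS" -file "$pem"
  keytool -import -noprompt -alias "$alias" -file "$pem" -keystore "$truststore" -storepass "$TS_PASS"
  # A truststore entry must be a trustedCertEntry, never a private key.
  keytool -list -keystore "$truststore" -storepass "$TS_PASS" -alias "$alias" | grep -q trustedCertEntry
}
```

Run it as `KS_PASS=... TS_PASS=... build_keystore cert.pem privkey.pem fullchain.pem myalias mystore` followed by `add_to_truststore mystore.jks myalias client-truststore.jks`; the key/certificate check fails fast when the wrong key file is supplied, which is the usual cause of a keystore that loads but never completes a handshake.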