I was working on a project last month where I had to call a third-party web service. The third-party web service wanted me to add an SSL keystore, and I struggled. I could have gone to my UNIX admin and asked him to do the job, but I decided to learn all about keystores instead. I went through a couple of forums and SO and ended up spending 2 – 3 hours reading about keystores and commonly used commands.
To give you a quick rundown, here is what I was doing. I had to use a third-party WSDL to create a client. I tried to use the Maven jaxws plugin to generate the client. I downloaded the WSDL to my local machine and was able to create a client successfully. For production I wanted to generate the client from the current WSDL, so I decided to generate it from the WSDL URL on the third-party website, but ran into a keystore issue: the JVM did not trust their certificate. I had to download their certificate and add it to my cacerts truststore.
The whole charade led me to compile this post. Before I begin, here is a quick run-through of keystores.
Why Do I need a keystore?
A keystore holds your public/private key pair. This provides a layer of security that prevents, among other things, remote attackers from pushing malicious updates to your application (all updates must be signed with the same key).
What is a Java Keytool?
It is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in a keystore. It protects private keys with a password. A Keytool keystore has the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.
_Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file that will initially only contain the private key. You will then generate a CSR and have a certificate generated from it. Then you will import the certificate to the keystore, including any root certificates._
Here is a list of the 13 most common commands:
CREATING AND IMPORTING COMMANDS
1. Create a Java keystore and key pair
keytool -genkey -alias yourDomainName -keyalg RSA -keystore YourkeystoreName.jks
2. Creating a certificate signing request (CSR) for an existing keystore
keytool -certreq -alias yourDomainName -keystore keystore.jks -file yourDomainName.csr
3. Importing a signed primary certificate to an existing keystore
keytool -import -trustcacerts -alias yourDomainName -file yourDomainName.crt -keystore YourkeystoreName.jks
4. Importing a root or intermediate CA certificate to an existing keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore YourkeystoreName.jks
5. Creating a keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore Yourkeystore.jks -storepass password -validity 360
CHECKING COMMANDS
When you need to check the information about a certificate or a keystore, use these commands.
6. Checking a particular certificate
keytool -printcert -v -file Yourdomain.crt
7. Checking all certificates in a keystore
keytool -list -v -keystore Yourkeystore.jks
9. Checking a particular keystore entry using an alias
keytool -list -v -keystore Yourkeystore.jks -alias Yourdomain
EDIT/IMPORT COMMANDS
10. Deleting a certificate from a keystore
keytool -delete -alias Yourdomain -keystore Yourkeystore.jks
11. Changing a keystore password
keytool -storepasswd -new new_password -keystore keystore.jks
12. Exporting a certificate from a keystore
keytool -export -alias Yourdomain -file Yourdomain.crt -keystore Yourkeystore.jks
13. Listing Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
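As an added example that is not part of the original post: a Java 17 client that loads a dedicated truststore built with the import commands above (for example `keytool -import -trustcacerts -alias thirdparty -file thirdparty.crt -keystore client-truststore.jks`) and uses it only for the HTTPS request that fetches the WSDL, so the JDK's cacerts is never modified. The truststore file name, its password and the URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HexFormat;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {

    // Opens the JKS truststore and prints every trusted certificate with its SHA-256
    // fingerprint, so it can be compared against "keytool -list -v" before use.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        HexFormat fmt = HexFormat.ofDelimiter(":").withUpperCase();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias); // null for entries without a certificate
            if (cert != null) {
                System.out.printf("%s: SHA256 %s%n", alias, fmt.formatHex(sha256.digest(cert.getEncoded())));
            }
        }
        return ks;
    }

    // Builds an SSLContext whose trust decisions come only from this truststore,
    // leaving the JDK's cacerts untouched.
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the truststore built with keytool -import, its password, and the third party's WSDL URL.
        KeyStore ts = loadTrustStore("client-truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) URI.create("https://example.invalid/service?wsdl").toURL().openConnection();
        conn.setSSLSocketFactory(sslContextFor(ts).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The same truststore can be handed to the JVM for the whole build or application with `-Djavax.net.ssl.trustStore=client-truststore.jks -Djavax.net.ssl.trustStorePassword=...` when changing the client code is not an option.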
P.S. – If you liked the post, please click on one of the ads in the right-hand column to help me keep up this site, and do drop me a line to suggest some topics that you would like to see on this site.
So Long ……