Thursday, February 3, 2022

Keytool commands

Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair
    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
  • Generate a certificate signing request (CSR) for an existing Java keystore
    keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
  • Import a root or intermediate CA certificate to an existing Java keystore
    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
  • Import a signed primary certificate to an existing Java keystore
    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
  • Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytool for more info)
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Checking

If you need to check the information within a certificate or a Java keystore, use these commands.

  • Check a stand-alone certificate
    keytool -printcert -v -file mydomain.crt
  • Check which certificates are in a Java keystore
    keytool -list -v -keystore keystore.jks
  • Check a particular keystore entry using an alias
    keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool keystore
    keytool -delete -alias mydomain -keystore keystore.jks
  • Change a Java keystore password
    keytool -storepasswd -new new_storepass -keystore keystore.jks
  • Export a certificate from a keystore
    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
  • List Trusted CA Certs
    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Import New CA into Trusted Certs
    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.

Making the connection secure in Tomcat with SAN

How to resolve the "Not secure" warning in the browser and make your application secure.

You need to configure SSL in your application to avoid the "connection not secure" warning. Depending on whether your application is deployed in WebLogic or Tomcat, these are the high-level steps to configure it:

  1. Create a Java keystore on the server where the application is installed
  2. Generate a CSR
  3. Send the CSR to your CA (IT team)
  4. Get the signed intermediate and root certs from the CA
  5. Import these certs into the keystore, using the same alias for the server certificate
  6. Adjust the Tomcat / WebLogic settings

Steps for making the connection secure in Tomcat.

The two commands below generate the keystore and the CSR with Subject Alternative Names (SAN). The keystore is created as PKCS12 with -storetype (keytool only honours -deststoretype for -importkeystore, so with -genkeypair it would silently fall back to the default store type).

  1. keytool -alias server -keystore "D:\server.keystore" -storepass changeit -storetype pkcs12 -genkeypair -keyalg RSA -validity 1000 -keysize 2048 -sigalg SHA256withRSA -dname "CN=ddd.ddd.dd,O=DN,OU=DN=Ddd,ST=Ddd,C=DN" -ext "SAN=IP:ip,DNS:host,EMAIL:mailid"
  2. keytool -keystore "D:\server.keystore" -certreq -alias server -keyalg RSA -file "D:\server.csr" -ext "SAN=IP:ip,DNS:host,EMAIL:mailid"

Once we receive the CA-signed root certificate, intermediate certificate and server certificate, import them into the keystore already created, using the same alias (server) for the server certificate. The root and intermediate certificates must be imported before the server certificate so that keytool can build the chain.

  3. keytool -import -alias root -keystore "D:\server.keystore" -file "D:\rootca.cer"
  4. keytool -import -alias intermediate -keystore "D:\server.keystore" -file "D:\intermediateca.cer"
  5. keytool -import -alias server -keystore "D:\server.keystore" -file "D:\serverprd.cer"
  6. Change server.xml to use this keystore and restart Tomcat.


Tomcat example
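As an added example that is not part of the original post: a server.xml HTTPS Connector for Tomcat 8.5 or 9 that points at the keystore, store type, alias and password created by the keytool commands above. The port (8443) and the TLS protocol restriction are assumptions.

```xml
<!-- Added example: HTTPS Connector for Tomcat 8.5/9 using the PKCS12 keystore built above.
     Keystore path, store type, alias and password come from the keytool commands on this page;
     port 8443 and the protocol list are assumptions. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true">
  <!-- Offer only TLS 1.2 and 1.3; older protocol versions stay disabled. -->
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
    <!-- certificateKeyAlias must match the alias used for -genkeypair and for the final
         -import of the signed server certificate ("server"); with a different alias Tomcat
         serves the wrong entry or fails to start. -->
    <Certificate certificateKeystoreFile="D:\server.keystore"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="server"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Place the Connector inside the Catalina Service element in conf/server.xml next to the existing HTTP Connector; before restarting, `keytool -list -v -keystore "D:\server.keystore" -alias server` should report a certificate chain length of 3, which confirms the root and intermediate imports were picked up.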