Pivotal Knowledge Base

Follow

How to use a simple method to create a self-sign SSL Keystore and Truststore

Environment

Product Version
Pivotal GemFire 7.x and 8.x

Purpose

This document explains how to create a self-sign Keystore and Truststore using the Java keytool. This can be used for SSL communication in GemFire client/server and peer-to-peer configurations.

Procedure 

The process is as follows:

  1. Create the Keystore and generate a certificate, an example is shown below:

    keytool -genkey -alias client -keyalg RSA -keystore client.jks -keysize 2048
    shuvro-mac:test shuvrodas$keytool -genkey -alias client -keyalg RSA -keystore client.jks -keysize 2048
    Enter keystore password: 
    Re-enter new password:
    What is your first and last name?
    [Unknown]:Shuvro Das
    What is the name of your organizational unit?
    [Unknown]:GSS
    What is the name of your organization?
    [Unknown]:Pivotal
    What is the name of your City or Locality?
    [Unknown]:Pune
    What is the name of your State or Province?
    [Unknown]:Maharashtra
    What is the two-letter country code for this unit?
    [Unknown]:IN
    Is CN=Shuvro Das, OU=GSS, O=Pivotal, L=Pune, ST=Maharashtra, C=IN correct?
    [no]:yes
     
    Enter key password for <client>
    (RETURN if same as keystore password): 
    Re-enter new password:
    shuvro-mac:test shuvrodas$
  2. Create a certificate signing request (CSR) for an existing Java KeyStore:

    keytool -export -alias client -file client.cer -keystore client.jks
    shuvro-mac:test shuvrodas$ keytool -export -alias client -file client.cer -keystore client.jks
    Enter keystore password:
    Certificate stored in file <client.cer>
  3. Export a certificate from a Keystore:

    keytool -export -alias client -file client.crt -keystore client.jks
    shuvro-mac:test shuvrodas$ keytool -export -alias client -file client.crt -keystore client.jks
    Enter keystore password: 
    Certificate stored in file <client.crt>
  4. Import the certificate to the Truststore:

    keytool -import -v -trustcacerts -alias client -file client.cer/client.crt -keystore clienttrust.jks
    shuvro-mac:test shuvrodas$ keytool -export -alias client -file client.cer -keystore client.jks
    Enter keystore password:
    Certificate stored in file <client.cer>
    shuvro-mac:test shuvrodas$ keytool -import -v -trustcacerts -alias client -file client.cer -keystore clienttrust.jks
    Enter keystore password: 
    Re-enter new password:
    Owner: CN=Shuvro Das, OU=GSS, O=Pivotal, L=Pune, ST=Maharashtra, C=IN
    Issuer: CN=Shuvro Das, OU=GSS, O=Pivotal, L=Pune, ST=Maharashtra, C=IN
    Serial number: 10c6b2dc
    Valid from: Fri Jul 29 11:00:02 IST 2016 until: Thu Oct 27 11:00:02 IST 2016
    Certificate fingerprints:
    MD5:A0:4F:EE:40:CC:AF:86:71:D9:AE:35:B1:8D:BB:56:F8
    SHA1: 47:16:54:20:D5:5D:66:BD:69:C0:4A:1F:67:AD:BF:44:58:3C:41:53
    SHA256: 47:B6:57:8C:C0:41:84:5B:05:0D:C4:C9:97:45:68:99:53:2A:1B:7A:2E:BA:F8:F8:96:49:09:F1:BC:57:66:F3
    Signature algorithm name: SHA256withRSA
    Version: 3<
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 90 12 BB 49 90 FD 85 97 A2 CF 9A 24 32 5C 6A 33...I.......$2\j3<
    0010: D5 6A C3 54                                      .j.T
    ]
    ]
    
    Trust this certificate? [no]:yes
    Certificate was added to keystore
    [Storing clienttrust.jks]
    shuvro-mac:test shuvrodas$

Java Keytool Commands for Checking

If you need to check the information within a certificate or Java Keystore, use these commands.

  • Check a stand-alone certificate:
    keytool -printcert -v -file mydomain.crt
  • Check which certificates are in a Java Keystore:
    keytool -list -v -keystore keystore.jks
  • Check a particular Keystore entry using an alias:
    keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool Keystore:
    keytool -delete -alias mydomain -keystore keystore.jks
  • Change a Java Keystore password:
    keytool -storepasswd -new new_storepass -keystore keystore.jks
  • Export a certificate from a Keystore:
    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
  • List trusted CA Certs:
    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Import new CA into trusted Certs:
    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Additional Information

 

 

Comments

Powered by Zendesk