Configuring a Java Keystore for Secure Communications

Creating a Client Keystore

This walk-through details how to use a PKCS12 certificate. This is the most popular format used when exporting from a web browser.

  1. Obtain a personal ECA cert (client certificate)
    1. To do this, open Internet Explorer > Tools > Options.
    2. Select the Content tab.
    3. Click Certificates
    4. Select the Personal tab.
    5. Select the certificate to export (it should be the one without a "Friendly Name", and not the "Encryption Cert").
    6. Click Export.
    7. Follow Certificate Export Wizard.
    8. When a prompt requests to export the private key, select Yes.
  2. Download a jetty 6.1.5 distribution from http://dist.codehaus.org/jetty/jetty-6.1.5/jetty-6.1.5.zip
  3. Unpack the jetty distribution and place the client certificate (the one just exported) in the lib directory.
  4. Navigate to the lib directory of the jetty distribution in a command console.
  5. Add the cert to a new Java keystore, replacing cert.p12 with the name of the PKCS12 keystore to convert, and clientKeystore.jks with the desired name of the Java keystore:

    java -cp jetty-6.1.5.jar org.mortbay.jetty.security.PKCS12Import cert.p12 clientKeystore.jks
    
  6. The command prompts for two passwords:
    1. Input keystore passphrase is the passphrase that protects cert.p12
    2. Output keystore passphrase is the passphrase that is set for the new Java keystore clientKeystore.jks
  7. It is recommended that the private key password be the same as the keystore password due to limitations in Java. The following steps re-key the imported entry under the keystore password.
    1. Run the following command to determine the alias of the entry that was just added. It is listed after "Alias Name:"

      keytool -list -v -keystore clientKeystore.jks
      
    2. Clone the existing key using the Java keytool executable, filling in <CurrentAlias>, <NewAlias>, clientKeystore.jks, and password with the correct values.

      keytool -keyclone -alias "<CurrentAlias>" -dest "<NewAlias>" -keystore clientKeystore.jks -storepass password
      
    3. When prompted for a password for the new key, use the same password used when the keystore was created.
    4. Delete the original alias.

      keytool -delete -alias "<CurrentAlias>" -keystore clientKeystore.jks -storepass password
      

After the keystore is successfully created, delete the jetty files used to perform the import.

Creating a Truststore

This walk-through details how to import a .cer certificate.

  1. Import the certificate into a Java keystore as a trusted CA certificate.

    keytool -import -trustcacerts -alias "Trusted Cert" -file trustcert.cer -keystore truststore.jks
    
  2. Enter the keystore password when prompted. If truststore.jks does not exist yet, keytool creates it with this password.
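Once clientKeystore.jks and truststore.jks exist, it is worth confirming that the client keystore section's "same password" requirement actually holds and that both stores load into a TLS context before handing them to an application. The following check is an added example, not part of the original walk-through or of Jetty; the class name KeystoreCheck is an assumption, and the store paths and passwords are supplied on the command line. It loads both stores with KeyStore, reports every private-key entry that cannot be opened with the keystore password (the condition the keyclone/delete steps above exist to fix, because KeyManagerFactory.init takes a single key password for the whole store), validates the certificate dates, and finally initialises an SSLContext from the key managers and trust managers.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the walk-through): verifies that a client keystore and
 * truststore built with the steps above are usable for TLS.
 *
 * Usage: java KeystoreCheck clientKeystore.jks <storepass> truststore.jks <trustpass>
 */
public class KeystoreCheck {

    /** Opens a JKS file; KeyStore.load throws an IOException if the store password is wrong. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the aliases of private-key entries that do NOT open with the store password. */
    static List<String> keysNotOpenableWith(KeyStore ks, char[] storePass) throws Exception {
        List<String> bad = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries have no key password
            }
            try {
                ks.getKey(alias, storePass);
            } catch (UnrecoverableKeyException e) {
                bad.add(alias); // key password differs from the store password
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreCheck clientKeystore.jks <storepass> truststore.jks <trustpass>");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] trustPass = args[3].toCharArray();

        KeyStore clientKs = load(args[0], storePass);
        KeyStore trustKs = load(args[2], trustPass);

        // KeyManagerFactory.init accepts one key password for the whole store, so every
        // private key must open with storePass or the TLS handshake has no client cert.
        List<String> bad = keysNotOpenableWith(clientKs, storePass);
        if (!bad.isEmpty()) {
            System.err.println("private key password differs from store password for: " + bad);
            System.exit(1);
        }

        // Report each certificate and fail early if it is expired or not yet valid.
        for (String alias : Collections.list(clientKs.aliases())) {
            Certificate c = clientKs.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                x.checkValidity();
                System.out.println(alias + ": " + x.getSubjectX500Principal()
                        + " (expires " + x.getNotAfter() + ")");
            }
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, storePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready using " + ctx.getProtocol());
    }
}
```

Compile with javac KeystoreCheck.java and run it with the two store files and their passwords. A non-empty list from keysNotOpenableWith means the keyclone and delete steps were skipped or done with a different password; an IOException from load means the store password itself is wrong.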

Adding a certificate to an existing Keystore


  1. Import the certificate into the existing Java keystore under a new alias.

    keytool -importcert -file newcert.cer -keystore clientKeystore.jks -alias "New Alias"

  2. Enter the keystore password if prompted.