Cert File Management
Tools Used
- openssl
- Windows users can use: openssl for windows
- The standard java keytool certificate management utility.
- Portecle can be used for keytool operations if a GUI is preferred over a command line interface.
General Certificates
Creating a CA Key and Certificate
The following shows how to create a root CA to sign certificates.
Create a key pair
$> openssl genrsa -aes128 -out root-ca.key 1024
Use the key to sign the CA certificate
$> openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt
Using the CA to Sign Certificates
The following shows how to sign a certificate for the tokenissuer user by a CA.
Generate a private key and a Certificate Signing Request (CSR)
$> openssl req -newkey rsa:1024 -keyout tokenissuer.key -out tokenissuer.req
Sign the certificate by the CA
$> openssl ca -out tokenissuer.crt -infiles tokenissuer.req
Java Keystore (JKS)
Creating a new Keystore/Truststore with an existing Certificate and Private Key
Using the private key, the certificate and the CA certificates, one can create a new keystore containing all of them.
cat client.crt >> client.key
openssl pkcs12 -export -in client.key -out client.p12
keytool -importkeystore -srckeystore client.p12 -destkeystore clientKeystore.jks -srcstoretype pkcs12 -alias 1
keytool -changealias -alias 1 -destalias client -keystore clientKeystore.jks
keytool -importcert -file ca.crt -keystore clientKeystore.jks -alias "ca"
keytool -importcert -file ca-root.crt -keystore clientKeystore.jks -alias "ca-root"
The truststore can be created using only the CA certificates. Because the client certificate is signed by the CA, the CA chain is the only entry the truststore needs.
keytool -import -trustcacerts -alias "ca" -file ca.crt -keystore truststore.jks
keytool -import -trustcacerts -alias "ca-root" -file ca-root.crt -keystore truststore.jks
The certificate can also be converted to a PEM file, as PEM is the format some applications expect (the example below goes via DER and back).
openssl x509 -in client.crt -out client.der -outform DER
openssl x509 -in client.der -inform DER -out client.pem -outform PEM
Import into a Java Keystore (JKS)
The following shows how to import a PKCS12 keystore generated by openssl into a Java keystore (JKS).
Put the private key and the certificate into one file
$> cat tokenissuer.crt >> tokenissuer.key
Put the private key and the certificate in a PKCS12 keystore
$> openssl pkcs12 -export -in tokenissuer.key -out tokenissuer.p12
Import the PKCS12 keystore into a Java keystore (JKS)
$> keytool -importkeystore -srckeystore tokenissuer.p12 -destkeystore stsKeystore.jks -srcstoretype pkcs12 -alias 1
Change the alias
$> keytool -changealias -alias 1 -destalias tokenissuer -keystore stsKeystore.jks
Certificate Revocation List (CRL)
Creating a Certificate Revocation List (CRL)
Using the CA created in the steps above, one can create a CRL in which the tokenissuer's certificate is still valid (i.e. not yet revoked).
$> openssl ca -gencrl -out crl-tokenissuer-valid.pem
Revoking a Certificate and Creating a New CRL that Contains the Revoked Certificate
$> openssl ca -revoke tokenissuer.crt
$> openssl ca -gencrl -out crl-tokenissuer-revoked.pem
Viewing a CRL
The following command will list the serial numbers of the revoked certificates.
$> openssl crl -inform PEM -text -noout -in crl-tokenissuer-revoked.pem
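The "openssl ca" commands in the CA, signing and CRL sections above only work against a CA directory (index database, serial and CRL number files, a [ca] section in openssl.cnf) that the page assumes already exists. The script below is an added example, not part of the original page: it builds that minimal CA directory in a temporary location, issues a certificate for tokenissuer, produces a CRL while the certificate is valid, revokes it, produces a second CRL and checks the outcome with "openssl verify -crl_check". The directory layout, the config sections, the passphrase and the subject names are assumptions chosen for the demo; it uses 2048-bit RSA rather than the page's 1024 because 1024-bit RSA keys are below current minimum key sizes, and it passes -batch, -subj and -nodes so that nothing prompts interactively.

```shell
#!/bin/sh
# Added example, not from the original page: a self-contained, offline walk-through of
# CA setup -> certificate issuance -> CRL -> revocation -> verification against the CRL.
set -eu

PASS="pass:demo-ca-passphrase"   # constructed passphrase for the demo CA key only

# Create the directory structure and the minimal [ca] configuration that
# "openssl ca" needs, then generate the root CA key and self-signed certificate.
setup_ca() {
    CA_DIR=$(mktemp -d)                      # assumption: scratch CA directory
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"                  # certificate database (initially empty)
    echo 1000 > "$CA_DIR/serial"             # next certificate serial number (hex)
    echo 1000 > "$CA_DIR/crlnumber"          # next CRL number (hex)
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/root-ca.crt
private_key      = \$dir/root-ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = usr_cert

[ demo_policy ]
commonName = supplied

[ usr_cert ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF
    # Same two commands as the page's "Creating a CA Key and Certificate" section,
    # made non-interactive and with a CA:TRUE basic constraint on the root.
    openssl genrsa -aes128 -passout "$PASS" -out "$CA_DIR/root-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$CA_DIR/root-ca.key" -passin "$PASS" \
        -subj "/CN=Demo Root CA" -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -out "$CA_DIR/root-ca.crt"
}

# Generate a key and CSR for "$1" and have the CA sign it (page's "Using the CA to Sign").
sign_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$CA_DIR/$1.key" -subj "/CN=$1" \
        -config "$CA_DIR/openssl.cnf" -out "$CA_DIR/$1.req" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -passin "$PASS" \
        -in "$CA_DIR/$1.req" -out "$CA_DIR/$1.crt" 2>/dev/null
}

# Write the CA's current CRL to "$CA_DIR/$1".
issue_crl() {
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -passin "$PASS" -out "$CA_DIR/$1" 2>/dev/null
}

# Mark the certificate for "$1" as revoked in the CA database (a new CRL must then be issued).
revoke_cert() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.crt" -passin "$PASS" 2>/dev/null
}

# Exit status 0 when "$1"'s certificate chains to the root CA and is absent from CRL "$2";
# non-zero (openssl verify's status) when it is revoked or otherwise fails validation.
cert_status() {
    openssl verify -CAfile "$CA_DIR/root-ca.crt" -crl_check -CRLfile "$CA_DIR/$2" "$CA_DIR/$1.crt"
}

# Print the serial number of "$1"'s certificate (hex, as openssl prints it).
cert_serial() { openssl x509 -noout -serial -in "$CA_DIR/$1.crt" | cut -d= -f2; }

# Print the serial numbers listed in CRL "$1", one per line (page's "Viewing a CRL" step).
revoked_serials() {
    openssl crl -inform PEM -text -noout -in "$CA_DIR/$1" | sed -n 's/^ *Serial Number: *//p'
}

demo() {
    setup_ca
    sign_cert tokenissuer
    issue_crl crl-tokenissuer-valid.pem
    cert_status tokenissuer crl-tokenissuer-valid.pem        # prints "<path>/tokenissuer.crt: OK"
    revoke_cert tokenissuer
    issue_crl crl-tokenissuer-revoked.pem
    cert_status tokenissuer crl-tokenissuer-revoked.pem || echo "tokenissuer is revoked, as expected"
    echo "revoked serials in CRL: $(revoked_serials crl-tokenissuer-revoked.pem)"
    echo "CA directory left in $CA_DIR"
}

demo
```

The point to take from the run is that a CRL is a snapshot: the certificate still verifies against crl-tokenissuer-valid.pem after the revocation, and only fails once the CA regenerates the CRL. A relying party therefore has to refresh CRLs (or use OCSP) for revocation to take effect; distributing the old CRL is equivalent to not revoking at all.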