Friday, May 21, 2010

Java Keytool - Self-Signed SSL Certificate

Keytool is a key and certificate management utility.
In this post, I list down a few useful commands that will help you generate self-signed certificates for development purposes. For production systems, do not use keytool to generate certificates. Use those provided by CAs like VeriSign or thawte. Self-signed certificates are challenged by browsers and that creates a poor user interaction every time they go to your site.

Definitions:
Keystore - A keystore is a database (usually a file) that can contain trusted certificates and combinations of private keys with their corresponding certficiates.
Alias - All keystore entries (key and trusted certificate entries) are accessed via unique aliases
cacerts - The "cacerts" file represents a system-wide keystore with CA certificates. It resides in the security properties directory, $JAVA_HOME/jre/lib/security
Certificate - A certificate (also known as a public-key certificate) is a digitally signed statement from one entity (the issuer), saying that the public key (and some other information) of another entity (the subject) has some specific value.

Prerequisites:
-> JDK 1.3+ installed and JAVA_HOME set to the directory where you have installed JDK

Notes:
-> For this example, lets call our alias "my_alias"
-> For this example, lets call our certificate "my_cert.crt"

Go to $JAVA_HOME/bin directory

# Generate the keystore file (the following command will ask few questions, at the end it will generate a .keystore file - changeit is the password, you can put whatever you want to, just dont forget it :))
> keytool -genkey -alias my_alias -keypass changeit -keyalg RSA

# Export the .keystore file to generate the certificate (the following command will ask for the password and then generate a my_cert.crt file)
> keytool -export -alias my_alias -keypass changeit -file my_cert.crt

At this stage we have the certificate file ready, we can use this certificate file and point our server's trustedFile source to it. However for certain services like CAS, the certificate needs to be imported in JDK trusted certificate file - cacerts.

# Import the certificate file to the cacerts file (the following command will ask for the password and confirm the certificate you are trying to import)
> keytool -import -file my_cert.crt -keypass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts

Other useful keytool commands

# List all .keystore certificates
> keytool -list -v

# List one .keystore certificate
> keytool -list -v -alias my_alias

# List all .keystore certificates in a specific keystore
> keytool -list -keystore

# Remove certificate from cacerts file
> keytool -delete -alias my_alias -keystore $JAVA_HOME/jre/lib/security/cacerts

#Remove a certificate from the default .keystore
> keytool -delete -alias my_alias

As always there is "man" help available!

Hope this helps!

3 comments:

vijay said...

It's nice information...I got the SSL certificate here http://www.xnynz.com/ It provides hosting,domain name register, domain appraisal, online file folder, ssl certificate etc...

Abhi said...

Good to know that you find the article useful.

Register domain India said...

I have enjoyed a lot by reading your blog. Really good to read. Thanks for sharing.