====== Create keystore jks file ======
In the keystore we want to import:
* **the certificate chain**
* **the private key**
keytool can't import both of these directly. \\
A PKCS12 file should be created first, which is then imported into the keystore.
===== Create PKCS12 file =====
Concatenate (manually) all intermediary CA certificates into a single file, all_cert.crt, and pass that file to ''-in'' in the command below (shown there as snt_full.crt).
Then run the command below. The snt.key is the private key of the certificate (the last one in the chain).
Enter a password for the p12 file when prompted.
<code bash>
openssl pkcs12 -export -in snt_full.crt -inkey snt.key -name snt -out snt.p12
</code>
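Before exporting, it is worth checking that the concatenated bundle really is one chain. The following is an added example (not from the page), Python standard library only: it locates the end-entity certificate whichever position it was concatenated in, follows issuer-to-subject links up to the root and raises on a missing intermediate or a stray certificate; the sample bundle and its certificate skeletons are constructed for the demo, not real certificates.

```python
"""Added stdlib-only check that a concatenated PEM bundle (snt_full.crt) forms one clean chain."""
import base64
import re
def _tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, end). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def cert_names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes."""
    _, tbs, _ = _tlv(_tlv(der)[1])                        # Certificate -> tbsCertificate
    tag, _, pos = _tlv(tbs)                               # version [0] EXPLICIT (v3) or serialNumber
    pos = _tlv(tbs, pos)[2] if tag == 0xA0 else pos       # skip serialNumber after an explicit version
    _, _, pos = _tlv(tbs, pos)                            # signature AlgorithmIdentifier
    _, _, end = _tlv(tbs, pos)                            # issuer Name
    issuer = tbs[pos:end]
    _, _, pos = _tlv(tbs, end)                            # validity (skipped)
    _, _, end = _tlv(tbs, pos)                            # subject Name
    return issuer, tbs[pos:end]
def chain_order(bundle):
    """Indices of the bundle's certs leaf-first; ValueError unless it is exactly one chain."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", bundle, re.S)
    names = [cert_names(base64.b64decode("".join(p.split()))) for p in pems]
    issuers = {k for k, (_, subj) in enumerate(names)
               for j, (iss, _) in enumerate(names) if j != k and iss == subj}
    order = [k for k in range(len(names)) if k not in issuers]  # certs that issued no other cert
    if len(order) != 1:
        raise ValueError(f"expected one end-entity certificate, found {len(order)}")
    nxt = True
    while nxt:  # follow issuer -> subject links until nothing new matches (the self-signed root)
        nxt = [k for k in range(len(names)) if k not in order and names[k][1] == names[order[-1]][0]]
        order += nxt[:1]
    if len(order) != len(names):
        raise ValueError("bundle contains certificates that are not part of the chain")
    return order
def _der(tag, body):  # minimal DER encoder, used only to build the constructed sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
def sample_cert(subject_cn, issuer_cn):  # constructed skeleton: X.509 v3 layout, dummy values, unsigned
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                   # v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))      # sha256WithRSAEncryption
           + name(issuer_cn) + _der(0x30, _der(0x17, b"200808125646Z") * 2) + name(subject_cn)
           + _der(0x30, b""))                                                     # subjectPublicKeyInfo stub
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"
# Constructed bundle in the page's shape (root CA, int1, int2, server cert), concatenated root-first.
SAMPLE_BUNDLE = (sample_cert("AX Root CA", "AX Root CA") + sample_cert("int1", "AX Root CA")
                 + sample_cert("int2", "int1") + sample_cert("snt", "int2"))
```

Run `chain_order(open("snt_full.crt").read())` on the real bundle; the returned positions tell you which certificate the private key must belong to.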
===== Import the p12 file into a jks file =====
Replace password123 with the password you entered when the p12 file was created: ''-deststorepass'' sets the password of the new JKS, and the imported key entry keeps the source (p12) password, so both then match.
<code bash>
keytool -importkeystore -deststorepass password123 -destkeystore keystore_custom.jks -srckeystore snt.p12 -srcstoretype PKCS12
</code>
Output:
<code>
Importing keystore snt.p12 to keystore_custom.jks...
Enter source keystore password:
Entry for alias sentinel successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore_custom.jks -destkeystore keystore_custom.jks -deststoretype pkcs12".
</code>
====== Create truststore jks file ======
Into the truststore we import the CA certificates:
<code bash>
keytool -import -alias rootca -file ca.crt -storetype JKS -keystore truststore_custom.jks
</code>
Output:
<code>
Enter keystore password:
Re-enter new password:
Owner: OU=AX Software, O=AX, L=Bucharest, ST=Romania, C=RO
Issuer: OU=AX Software, O=AX, L=Bucharest, ST=Romania, C=RO
Serial number: 72b1b38c2fc0fc33ff298be6e6a704eb4ebd24c4
Valid from: Sat Aug 08 15:56:46 EEST 2020 until: Tue Aug 06 15:56:46 EEST 2030
Certificate fingerprints:
         MD5:  16:2B:B3:B0:9C:0E:12:37:D8:CA:7E:05:9C:23:76:F0
         SHA1: 59:B4:0C:EA:AB:8A:48:7D:14:65:6D:6C:D4:07:A9:81:CB:A6:D2:27
         SHA256: 07:50:F3:D5:F2:62:6A:9F:27:3C:56:27:4A:CD:D0:E6:34:98:26:F1:20:04:0C:02:9F:22:B0:35:E1:30:DD:50
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 58 1E 75 F6 E9 9B 54 41   6D 0E EF 59 5C A6 60 88  X.u...TAm..Y\.`.
0010: 82 74 C4 43                                        .t.C
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore
</code>
Repeat this for all CA certificates:
<code bash>
keytool -import -alias int1 -file int1.crt -storetype JKS -keystore truststore_custom.jks
keytool -import -alias int2 -file int2.crt -storetype JKS -keystore truststore_custom.jks
</code>
Output:
<code>
Enter keystore password:
Certificate was added to keystore
</code>
====== List JKS entries (certificates) ======
<code bash>
keytool.exe -list -rfc -keystore keystore.jks | openssl x509 -text
</code>
Note that ''openssl x509'' decodes only the first PEM certificate it reads, so with several entries in the keystore only the first one is printed; add ''-alias <alias>'' to ''keytool -list'' to pick a single entry.
Output:
<code>
Enter keystore password: test*
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 20 (0x14)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, O = Test, CN = Test CA
        Validity
            Not Before: Oct 22 14:36:00 2017 GMT
            Not After : Aug  9 13:17:00 2019 GMT
        Subject: C = FR, O = Test, CN = Test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b6:18:c9:2a:f8:01:a3:86:e6:32:63
                    ...............
</code>