java:keytool:list-certificates-from-jks
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
java:keytool:list-certificates-from-jks [2019/04/18 10:45] – created odefta | java:keytool:list-certificates-from-jks [2023/07/04 19:36] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Create keystore jks file ====== | ||
+ | |||
+ | In keystore we want to import: | ||
+ | * **the certificate chain** | ||
+ | * **the private key** | ||
+ | We can't do this directly in keytool. \\ | ||
+ | A PKCS12 file should be created which then will be imported in keystore. | ||
+ | |||
+ | ===== Create PKCS12 file ===== | ||
+ | |||
+ | Concatenate (manually) all intermediary CA certificates into a single file: all_cert.crt. | ||
+ | Then run the above command. The snt.key is the private key of the certificate (the last one in the chain). | ||
+ | Enter a password for the p12 file. | ||
+ | |||
+ | < | ||
+ | openssl pkcs12 -export -in snt_full.crt -inkey snt.key -name snt -out snt.p12 | ||
+ | </ | ||
+ | |||
+ | ===== Import the p12 file into a jks file ===== | ||
+ | |||
+ | Replace the password123 with the private key password supplied when it was created. | ||
+ | |||
+ | < | ||
+ | keytool -importkeystore -deststorepass password123 -destkeystore keystore_custom.jks -srckeystore snt.p12 -srcstoretype PKCS12 | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | < | ||
+ | Importing keystore snt.p12 to keystore_custom.jks... | ||
+ | Enter source keystore password: | ||
+ | Entry for alias sentinel successfully imported. | ||
+ | Import command completed: | ||
+ | |||
+ | Warning: | ||
+ | The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using " | ||
+ | </ | ||
+ | |||
+ | ====== Create truststore jks file ====== | ||
+ | |||
+ | In truststore file we need to import the CA certificates. | ||
+ | |||
+ | < | ||
+ | keytool -import -alias rootca -file ca.crt -storetype JKS -keystore truststore_custom.jks | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | < | ||
+ | Enter keystore password: | ||
+ | Re-enter new password: | ||
+ | Owner: OU=AX Software, O=AX, L=Bucharest, | ||
+ | Issuer: OU=AX Software, O=AX, L=Bucharest, | ||
+ | Serial number: 72b1b38c2fc0fc33ff298be6e6a704eb4ebd24c4 | ||
+ | Valid from: Sat Aug 08 15:56:46 EEST 2020 until: Tue Aug 06 15:56:46 EEST 2030 | ||
+ | Certificate fingerprints: | ||
+ | | ||
+ | SHA1: 59: | ||
+ | | ||
+ | Signature algorithm name: SHA256withRSA | ||
+ | Subject Public Key Algorithm: 2048-bit RSA key | ||
+ | Version: 3 | ||
+ | |||
+ | Extensions: | ||
+ | |||
+ | #1: ObjectId: 2.5.29.19 Criticality=true | ||
+ | BasicConstraints: | ||
+ | CA:true | ||
+ | PathLen: | ||
+ | ] | ||
+ | |||
+ | #2: ObjectId: 2.5.29.14 Criticality=false | ||
+ | SubjectKeyIdentifier [ | ||
+ | KeyIdentifier [ | ||
+ | 0000: 58 1E 75 F6 E9 9B 54 41 6D 0E EF 59 5C A6 60 88 X.u...TAm..Y\.`. | ||
+ | 0010: 82 74 C4 43 .t.C | ||
+ | ] | ||
+ | ] | ||
+ | |||
+ | Trust this certificate? | ||
+ | Certificate was added to keystore | ||
+ | </ | ||
+ | |||
+ | Repeat this for all CA certificates: | ||
+ | |||
+ | < | ||
+ | keytool -import -alias int1 -file int1.crt -storetype JKS -keystore truststore_custom.jks | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | keytool -import -alias int2 -file int2.crt -storetype JKS -keystore truststore_custom.jks | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | < | ||
+ | Enter keystore password: | ||
+ | Certificate was added to keystore | ||
+ | </ | ||
+ | |||
====== List JKS entries (certificates) ====== | ====== List JKS entries (certificates) ====== | ||
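Review bot: In the "Import the p12 file into a jks file" step, `-deststorepass password123` puts the keystore password on the command line, where it ends up in shell history and is visible in the process list. Drop the option so keytool prompts for it, as the truststore commands further down already do (their output shows "Enter keystore password:"). The sentence above that command calls it the "private key password", while the option sets the destination keystore password, so the wording should say which password is meant. In "Create PKCS12 file" the text names all_cert.crt and refers to "the above command", but the command follows the text and reads `-in snt_full.crt`; it also sets `-name snt` while the sample import output reports alias sentinel. Align the file name and alias across text, command and output. The sample output carries keytool's own warning recommending PKCS12 over JKS, yet the truststore commands pass `-storetype JKS`; a sentence on why JKS is kept would help. In the truststore section, where the output shows the "Trust this certificate?" prompt, add a step to compare the printed fingerprints against a value obtained out of band before accepting.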
java/keytool/list-certificates-from-jks.1555573553.txt.gz · Last modified: 2023/07/04 19:36 (external edit)