java:keytool:list-certificates-from-jks

Differences

This shows you the differences between two versions of the page.

java:keytool:list-certificates-from-jks [2019/04/18 10:45] – created odefta
java:keytool:list-certificates-from-jks [2023/07/04 19:36] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +====== Create keystore jks file ======
 +
 +In keystore we want to import:
 +  * **the certificate chain**
 +  * **the private key**
 +We can't do this directly in keytool. \\  
 +A PKCS12 file should be created which then will be imported in keystore.
 +
 +===== Create PKCS12 file =====
 +
 +Concatenate (manually) all intermediary CA certificates into a single file: all_cert.crt.
 +Then run the above command. The snt.key is the private key of the certificate (the last one in the chain).
 +Enter a password for the p12 file.
 +
 +<code>
 +openssl pkcs12 -export -in snt_full.crt -inkey snt.key -name snt -out snt.p12
 +</code>
 +
 +===== Import the p12 file into a jks file ===== 
 +
 +Replace the password123 with the private key password supplied when it was created.
 +
 +<code>
 +keytool -importkeystore -deststorepass password123 -destkeystore keystore_custom.jks -srckeystore snt.p12 -srcstoretype PKCS12
 +</code>
 +
 +Output:
 +<code>
 +Importing keystore snt.p12 to keystore_custom.jks...
 +Enter source keystore password:
 +Entry for alias sentinel successfully imported.
 +Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
 +
 +Warning:
 +The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore_custom.jks -destkeystore keystore_custom.jks -deststoretype pkcs12".
 +</code>
 +
 +====== Create truststore jks file ======
 +
 +In truststore file we need to import the CA certificates.
 +
 +<code>
 +keytool -import -alias rootca -file ca.crt -storetype JKS -keystore truststore_custom.jks
 +</code>
 +
 +Output:
 +<code>
 +Enter keystore password:
 +Re-enter new password:
 +Owner: OU=AX Software, O=AX, L=Bucharest, ST=Romania, C=RO
 +Issuer: OU=AX Software, O=AX, L=Bucharest, ST=Romania, C=RO
 +Serial number: 72b1b38c2fc0fc33ff298be6e6a704eb4ebd24c4
 +Valid from: Sat Aug 08 15:56:46 EEST 2020 until: Tue Aug 06 15:56:46 EEST 2030
 +Certificate fingerprints:
 +         MD5:  16:2B:B3:B0:9C:0E:12:37:D8:CA:7E:05:9C:23:76:F0
 +         SHA1: 59:B4:0C:EA:AB:8A:48:7D:14:65:6D:6C:D4:07:A9:81:CB:A6:D2:27
 +         SHA256: 07:50:F3:D5:F2:62:6A:9F:27:3C:56:27:4A:CD:D0:E6:34:98:26:F1:20:04:0C:02:9F:22:B0:35:E1:30:DD:50
 +Signature algorithm name: SHA256withRSA
 +Subject Public Key Algorithm: 2048-bit RSA key
 +Version: 3
 +
 +Extensions:
 +
 +#1: ObjectId: 2.5.29.19 Criticality=true
 +BasicConstraints:[
 +  CA:true
 +  PathLen:2147483647
 +]
 +
 +#2: ObjectId: 2.5.29.14 Criticality=false
 +SubjectKeyIdentifier [
 +KeyIdentifier [
 +0000: 58 1E 75 F6 E9 9B 54 41   6D 0E EF 59 5C A6 60 88  X.u...TAm..Y\.`.
 +0010: 82 74 C4 43                                        .t.C
 +]
 +]
 +
 +Trust this certificate? [no]:  yes
 +Certificate was added to keystore
 +</code>
 +
 +Repeat this for all CA certificates:
 +
 +<code>
 +keytool -import -alias int1 -file int1.crt -storetype JKS -keystore truststore_custom.jks
 +</code>
 +
 +<code>
 +keytool -import -alias int2 -file int2.crt -storetype JKS -keystore truststore_custom.jks
 +</code>
 +
 +Output:
 +<code>
 +Enter keystore password:
 +Certificate was added to keystore
 +</code>
 +
 ====== List JKS entries (certificates) ====== ====== List JKS entries (certificates) ======
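Review bot: In the "Import the p12 file into a jks file" section, the command puts the store password on the command line ("-deststorepass password123"), which leaves it in shell history and visible in the process list; drop the option so keytool prompts for it, as the truststore commands in this same change already do. The sentence above that command also calls the value the "private key password", while "-deststorepass" sets the password of the destination keystore, so the wording should say which password is meant. Two inconsistencies in the "Create PKCS12 file" section should be fixed in the same pass: the text says to concatenate into "all_cert.crt" and to run "the above command", but the command comes below and reads "snt_full.crt"; and the export uses "-name snt" while the sample import output reports alias "sentinel". In the truststore section, the step that answers "yes" to "Trust this certificate?" should tell the reader to compare the printed SHA256 fingerprint with a value obtained from the CA through a separate channel before accepting, and it is worth noting why "-storetype JKS" is kept when the keytool output quoted earlier recommends PKCS12.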
  
java/keytool/list-certificates-from-jks.1555573553.txt.gz · Last modified: 2023/07/04 19:36 (external edit)