How to create csr, key, crt and import crt, rootca, subca into jks?

To overcome the doubt of expertise I just explain the process by which we are able to generate the csr and key:

# generate a new private key and certificate signing request
openssl req -out chorke.csr -new -newkey rsa:2048 -nodes \
-keyout chorke.key

Please confirm who is responsible for creating the crt, either client or server? Here we are acting as client, and if we have to create the crt from csr & key then we are able to create chorke.crt as follows:

# generate certificate using csr & key
openssl x509 -req -in chorke.csr -signkey chorke.key \
-out chorke.crt

If the server authority is responsible for creating chorke.crt then guide us through the procedure? Else we could send chorke.crt to the server authority to add it to their server. After that the server authority sends us their rootca, subca (intermediate ca) and chorke.crt. Then we have to import them into a fresh client.jks as follows:

keytool -storepass storepasswd -importcert -keystore client.jks \
-trustcacerts -alias rootca -file rootca.cer

keytool -storepass storepasswd -importcert -keystore client.jks \
-trustcacerts -alias subca -file subca.cer

keytool -storepass storepasswd -importcert -keystore client.jks \
-alias chorke -file chorke.crt

After that we are able to run the java program as follows, and it causes a bad certificate error:

java \
-Djavax.net.ssl.trustStore=./client.jks \
-Djavax.net.ssl.trustStorePassword=storepasswd \
-Djavax.net.ssl.keyStore=./client.jks \
-Djavax.net.ssl.keyStorePassword=storepasswd \
-cp ./lib/*:./bin ChorkeServerTest

What goes wrong in the procedure above? In this situation we expect suggestions from experts, to point out the errata and guide us through the steps from generation of the csr to import into jks and running the java program successfully.

Please find below the series of keytool and openssl commands used to create a .jks file from a .p12 certificate, extract/list the .jks key store configuration as part of a .txt file, change the default alias to the expected alias, use the openssl command to convert the .p12 certificate to .cer, and configure/import the root-ca and intermediate-ca certificates as part of the .jks key store file.

keytool command to create the my_keystore.jks file with entry type PrivateKeyEntry:

keytool -importkeystore -srckeystore "D:\Certificates\DLOMTE.p12" -srcstoretype pkcs12 -destkeystore "my_keystore.jks" -deststoretype jks

keytool command to list/extract the my_keystore.jks configuration as a my_keystore.txt file:

keytool -list -v -keystore my_keystore.jks > my_keystore.txt

keytool command to change the default alias name in the my_keystore.jks file:

keytool -changealias -alias "<ALIAS NAME AS IN THE KEYSTORE>" -destalias "at oces - prod" -keystore my_keystore.jks

openssl command to convert the .p12 certificate to .cer:

openssl pkcs12 -in "D:\Certificates\DLOMTE.p12" -clcerts -nokeys -out "D:\Certificates\DLOMTE.cer"

keytool command to import the rootca certificate as part of the my_keystore.jks file with the required alias:

keytool -import -trustcacerts -alias "at oces - prod - rootca" -file "D:\Certificates\OCESPrimaryCA-RootCA.cer" -keystore my_keystore.jks

keytool command to import the intermediateca certificate as part of the my_keystore.jks file with the required alias:

keytool -import -trustcacerts -alias "at oces - prod - intermediateca" -file "D:\Certificates\OCESPrimaryCA-IntermediateCA.cer" -keystore my_keystore.jks
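
An added example, not part of either post above: `keytool -importcert` into a fresh keystore stores chorke.crt as a trustedCertEntry without its private key, whereas the answer's keystore holds a PrivateKeyEntry. The sketch below bundles chorke.key and chorke.crt into a PKCS#12 file and imports that, checking the entry type. The function names, the `STOREPASS` environment variable and the optional chain file are assumptions.

```shell
#!/bin/sh
# Added example. The store password is read from the environment variable
# STOREPASS (an assumption) so it does not show up in the process list.

# Succeed only if the certificate carries the public key of the private key.
cert_matches_key() {  # usage: cert_matches_key chorke.key chorke.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Pack key + certificate (+ optional CA chain in PEM form) into a PKCS#12 file.
build_p12() {  # usage: build_p12 key crt out.p12 [chain.pem]
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" ${4:+-certfile "$4"} \
        -name chorke -out "$3" -passout env:STOREPASS
}

# Import the PKCS#12 file into a JKS keystore, then confirm that the
# keystore really contains a PrivateKeyEntry and not only certificates.
p12_to_jks() {  # usage: p12_to_jks in.p12 out.jks
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env STOREPASS \
        -destkeystore "$2" -deststoretype jks -deststorepass:env STOREPASS || return 1
    keytool -list -keystore "$2" -storepass:env STOREPASS | grep -q PrivateKeyEntry
}

# Typical sequence, with the file names used in the question:
#   export STOREPASS=...            # at least 6 characters for keytool
#   build_p12 chorke.key chorke.crt chorke.p12 chain.pem
#   p12_to_jks chorke.p12 client.jks
```

The rootca and subca certificates can then be added to the same keystore with the `-trustcacerts` imports already shown above.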
