How to create a certificate with keytool?
Question
I've looked in 4 (yes, four) tutorials already and still don't get how to get this working.
After setting a second HTTP listener configured for HTTPS in my Glassfish 4.1.1 server, I'm trying to create a certificate, so I don't get security errors in my browser. The problem is, that I just don't get keytool working proper; it just messes up and throws strange errors whatever I do. Per example, it doesn't find some of the commands that many guides recommend.
I can guess that the tool changed in Java 8 or something else, I don't really know.
Thing is: I want to create a certificate, export it to my Glassfish server, and have HTTPS correctly implemented and working for testing purposes. What should I do for this?
EDIT: Seriously, I'm in a trouble because of this. I just can't do anything: cacerts password isn't the typical "changeit", I can't get my keys outside the keystore, and therefore I can't do anything with certificates.
2 answers
solution1
2 ACCPTED 2017-10-26 18:02:53
If all you need to do is create a pair of self-signed certificates... I may be able to help.
On a Microsoft Windows Machine:
- Create an empty directory and save the below script there (GenTestCerts.ps1).
- Edit the script and change the Alias values (and other variables) to whatever you need.
- Execute the script.
Copy the server (tomcat.server.net.p12) cert to wherever your server expects it to be.
Copy the Trust Store (truststore.p12) to wherever your server expects it to be.
Install the admin (tomcat-admin.p12) cert in your Windows Key Store accepting the Root into your Trusted Root Certification Authorities section.
<#
This sample Windows PowerShell script will:
1.) Create a Certificate Authority
2.) Create a Server Certificate signed by the Certificate Authority
3.) Create a Client Certificate signed by the Certificate Authority
4.) Create a TrustStore containing the public Certificate Authority key
The first section defines variables
The second section does the work
All Key Stores are PKCS12
The Server Certificate includes a Subject Alternative Name
The command below uses the serverAlias as the serverDNS value, but may be changed to whatever you need
You just have Java 7 (or higher) installed and keytool in your path
#>
<# Your Organizational Information #>
$organizationalUnit="USN"
$organization="NRL"
$locality="Washington"
$state="DC"
$country="USA"
<# Certificate Alias #>
$authorityAlias="tomcat-root"
$serverAlias="tomcat.server.net"
$clientAlias="tomcat-admin"
<# Subject Alternative Name #>
$serverDNS="$serverAlias"
<# Extensions #>
$certAuthExtension="BasicConstraints:critical=ca:true,pathlen:10000"
$altNameExtension="san=dns:$serverDNS"
<# Trust Store #>
$trustCertName="truststore"
<# Key size and effective period #>
$keySize="4096"
$validity="365"
<# Key and Store Password #>
$certPassword="changeit"
<# ------------------------------------------------------------------------------------------ #>
<# ------------------ Use caution if you change anything below this line ------------------ #>
<# ------------------------------------------------------------------------------------------ #>
$authorityDN="CN=$authorityAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$serverDN="CN=$serverAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$clientDN="CN=$clientAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
rm "$authorityAlias.*"
rm "$serverAlias.*"
rm "$clientAlias.*"
rm "$trustCertName.*"
echo ""
echo "Generating the Root Authority Certificate..."
keytool -genkeypair -alias "$authorityAlias" -keyalg RSA -dname "$authorityDN" -ext "$certAuthExtension" `
-validity "$validity" -keysize "$keySize" -keystore "$authorityAlias.p12" -keypass "$certPassword" `
-storepass "$certPassword" -deststoretype pkcs12
echo "- Exporting Root Authority Certificate Public Key..."
keytool -exportcert -rfc -alias "$authorityAlias" -file "$authorityAlias.cer" -keypass "$certPassword" `
-keystore "$authorityAlias.p12" -storepass "$certPassword"
echo ""
echo "Generating the Server Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$serverAlias" -keyalg RSA -dname "$serverDN" `
-ext "$altNameExtension" -keystore "$serverAlias.p12" -keypass "$certPassword" -storepass "$certPassword" `
-deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$serverAlias" -ext "$altNameExtension" -keystore "$serverAlias.p12" -file "$serverAlias.csr" `
-keypass "$certPassword" -storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$serverAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
-alias "$authorityAlias" -ext "$altNameExtension" -outfile "$serverAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$serverAlias.p12" `
-storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$serverAlias.p12" -file "$serverAlias.pem" -alias "$serverAlias" -keypass "$certPassword" `
-storepass "$certPassword" -noprompt
rm "$serverAlias.csr"
rm "$serverAlias.pem"
echo ""
echo "Generating the Client Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$clientAlias" -keyalg RSA -dname "$clientDN" `
-keystore "$clientAlias.p12" -keypass "$certPassword" -storepass "$certPassword" -deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$clientAlias" -keystore "$clientAlias.p12" -file "$clientAlias.csr" -keypass "$certPassword" `
-storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$clientAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
-alias "$authorityAlias" -outfile "$clientAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$clientAlias.p12" `
-storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$clientAlias.p12" -file "$clientAlias.pem" -alias "$clientAlias" -keypass "$certPassword" `
-storepass "$certPassword" -noprompt
rm "$clientAlias.csr"
rm "$clientAlias.pem"
echo ""
echo "Generating the Trust Store and put the Client Certificate in it..."
keytool -importcert -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$trustCertName.p12" `
-storepass "$certPassword" -noprompt
echo ""
echo "Removing Public Key Files..."
rm "$authorityAlias.cer"
Hope this helps.
Best, Ace
solution2
0 2016-03-11 19:03:39
I did that on a tomcat many years ago, I remember not to get it right at first try.
Unless you want to spend Money (guess there are no free certificate signing for websites out there), I recommend a Self-Signed Certificate.
Have you tried this one? http://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.