
How do I create truststore and keystore from the signed certificate?

I have a Java service and need to enable TLS on it. I've generated a CSR and now have it signed with the company's CA. So, I have server.csr and service.crt files now. How do I create a truststore and keystore out of these? Thanks.

A Java TLS (JSSE) server needs a privatekey-and-certificate, or if you prefer certificate-and-privatekey, to identify itself, provided by a KeyManager object. It only needs certificate(s) in a TrustManager to validate clients if it uses options to request or require client authentication, also called client certificate or two-way or mutual authentication, which is rare; it never needs its own cert in the TrustManager. However, depending on the cert used, the client(s) (which may or may not be in Java) may need the CA cert for the server cert, or in rare cases the server cert itself, added to their truststore(s). Although other options/methods exist, the KeyManager object, and TrustManager object if used, are usually created by reading in keystore and (possibly) truststore files.

There are two main methods of creating such a keystore file for a server, with variations depending partly on whether you use a CA and if so which and how. Both work fundamentally by generating a keypair (private and public) and then obtaining a certificate for the public part; this can be either a dummy/self-signed cert or from a CA, and in the latter case it is almost always done, as you describe, by creating a CSR (Certificate Signing Request), submitting this CSR to the CA, and getting back at least the requested end-entity or 'leaf' certificate. In nearly all cases nowadays, CA-issued certs to validate correctly need at least one (and sometimes more) 'intermediate' or 'chain' certificate(s), which also need(s) to be configured in the server keystore; there are several formats and methods the CA can use to provide this(these) chain cert(s) and there is no single standard.

Method A is to use Java keytool -genkeypair to create the keypair already in a keystore, and then keytool -certreq to create a CSR for it, and when the cert with chain (if applicable) is obtained import this 'reply' into the same keystore, combining it with the privatekey already there. Depending on the format(s) used for the leaf and chain cert(s) there are variations; basically you either import the certs separately, from the top down, ending with the leaf, or you import the whole chain at once. If this is how you created the CSR you used, you should look at your "crt" file to see what format it is and what data is in it -- if it is in PEM format (which has blocks of printable characters, mostly letters and digits, with header and trailer lines in the form -----BEGIN/END {something}-----) look at whether there is one or more block(s) and what the {something}(s) is(are), and whether there is any relevant 'comment' info outside the block(s) formed by the BEGIN/END lines.

Method B is to use something else, most commonly OpenSSL but there are other tools, to generate the keypair (privatekey) and CSR, which is then used in the same fashion to obtain the certs. You can then use OpenSSL to combine the privatekey and certs into a PKCS12 file, which is a Java keystore, assuming your files are all in PEM format; a privatekey generated by OpenSSL always will be, and the cert(s) usually either will be or can be easily converted. If you are dealing with old versions of Java or Java programs that don't easily handle PKCS12 you can then use keytool -importkeystore to convert from PKCS12 to JKS, the format originally and 'traditionally' used by Java.

As a variant of either, you can use https://keystore-explorer.org (a GUI-based Java program) to create a keypair and CSR directly in/from a keystore (like keytool) and then import the CA-issued and chain certs, or to import a privatekey generated by OpenSSL and the CA-issued and chain certs together into a keystore.

All these methods (and I'm pretty sure all variants) have been covered in existing Qs, as commented, but the As for self-signed (which is usually simpler when doing development, which is the topic of StackOverflow) tend to be more numerous so it takes a little effort to find the As (or Qs) about CA-issued, and the particular method and maybe variant you want. Trying to cover all possible cases, without knowing which you actually need, would probably take weeks or months.
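As an added example, not part of the answer above: a small POSIX shell script that performs the "look at your crt file" inspection step (is it PEM, how many blocks, what kind) and then the Method B combine step (PEM privatekey + leaf + chain into a PKCS12 keystore, optionally converted to JKS). The file names, the alias `service` and the `KEYSTORE_PASS` environment variable are assumptions; the embedded sample "crt" is constructed and not a real certificate.

```shell
#!/bin/sh
# Inspection helpers for a CA-supplied "crt" file, as the answer suggests.
# CRs are stripped first so files saved on Windows are handled too.

# Print the {something} of every "-----BEGIN {something}-----" line, in file order.
pem_block_types() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Number of PEM blocks; 0 means the file is not PEM (likely binary DER/PKCS#7).
pem_block_count() {
    pem_block_types "$1" | wc -l | tr -d ' '
}

# Method B: combine a PEM privatekey, the leaf cert and the chain cert(s) into a
# PKCS12 keystore, which Java can open directly. Password comes from KEYSTORE_PASS.
build_pkcs12() {
    # $1 = privatekey PEM, $2 = leaf cert PEM, $3 = chain PEM (may be empty), $4 = output .p12
    if [ -n "$3" ]; then
        openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
            -name service -out "$4" -passout env:KEYSTORE_PASS
    else
        openssl pkcs12 -export -inkey "$1" -in "$2" \
            -name service -out "$4" -passout env:KEYSTORE_PASS
    fi
}

# Only for old Java/programs that cannot read PKCS12: convert the .p12 to JKS.
to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -destkeystore "$2" -deststoretype JKS \
        -srcstorepass "$KEYSTORE_PASS" -deststorepass "$KEYSTORE_PASS"
}

# Constructed sample "crt" (leaf followed by one intermediate); the base64 bodies are
# dummy text, only the PEM framing matters for the inspection helpers.
write_sample_crt() {
    cat > "$1" <<'EOF'
Subject: CN=service.example (constructed comment line outside the blocks)
-----BEGIN CERTIFICATE-----
MIIBsampleLEAFcertBODYnotREALxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleINTERMEDIATEcertBODYnotREALxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
EOF
}
```

Run `pem_block_types service.crt` on the real file: one CERTIFICATE block means the chain was delivered separately, two or more means leaf plus chain in one file, and no output means it is not PEM at all.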
