Thursday, July 8, 2010

How to Create Client/Server Keystores using Java Keytool

Here I have described how to create client/server keystores which can be used to secure Axsi2 webservices and invoke Axis2 secured webservices. i.e. It can be easily used with any WSO2 Product to experience security scenarios.More detailed explanation on creating client/server keystores using openssl including Certificate Authority(CA) Requests, can be found at http://wso2.org/library/174.

Java keytool stores the keys and certificates in a keystore, protected by a keystore password. Further, it protects private key again with another password. A Java keystore contains private-public key pair and multiple trusted certificate entries. All entries in a keystore are referred by aliases. Both private key and self signed public key is referred by one alias while any other trusted certificates are referred by different individual aliases.

As the first step, let's create a keystore for server. In order to do it, execute following command in a terminal. "server" in the following command corresponds to the private key/self signed public key certificate alias in the keystore while "server.jks" is the name of the creating keystore file.
keytool -genkey -alias server -keyalg RSA -keystore server.jks
when you execute the above command it will first prompt you to specify a password which is corresponded to the keystore password. Then it will prompt several questions. You can give answers that you wish. At the end it will ask for a password again, which will be used to secure the generated private key.
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
[Unknown]:  Ruchira Wageesha
What is the name of your organizational unit?
[Unknown]:  Mashup Server
What is the name of your organization?
[Unknown]:  WSO2
What is the name of your City or Locality?
[Unknown]:  Ahangama
What is the name of your State or Province?
[Unknown]:  Southern
What is the two-letter country code for this unit?
[Unknown]:  LK
Is CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK correct?
[no]: yes
Enter key password for 
(RETURN if same as keystore password):
Once you successfully completed this, java keytool will create a file named "server.jks". In the same way, you can create a client keystore named "client.jks" with the alias "client" using following command.
keytool -genkey -alias client -keyalg RSA -keystore client.jks
Now, you have two files named client.jks and server.jks. You can view the content of these keystore files using the following command. Replacess "ruchira" with the keystore password you entered while creating the keystore.
keytool -list -v -keystore server.jks -storepass ruchira
This will list something like this.
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Jul 8, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Issuer: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Serial number: 4c356225
Valid from: Thu Jul 08 10:59:09 IST 2010 until: Wed Oct 06 10:59:09 IST 2010
Certificate fingerprints:
MD5:  60:0B:48:0D:DB:56:8C:68:8C:2D:94:4A:D6:DA:04:B8
SHA1: A7:CE:57:10:70:87:C1:2C:C0:9D:1D:90:8C:BB:69:B6:66:26:97:13
Signature algorithm name: SHA1withRSA
Version: 3


*******************************************
*******************************************
The next step is, getting server's self signed public key certificate and storing it in client's keystore. And getting and storing client's self signed public key certificate in server's keystore. In order to do that, first we need to export both server and client public key certificates into files. Using the following command, you can export server's public key certificate into server.cert file and client's public key certificate into client.cert file.
keytool -export -file server.cert -keystore server.jks -storepass ruchira -alias server
keytool -export -file client.cert -keystore client.jks -storepass ruchira -alias client
Now you have server.cert and client.cert. You can use following commands to view certificate contents.
keytool -printcert -v -file server.cert
keytool -printcert -v -file client.cert
As the last step, we need to import server.cert into client keystore and client.cert into server keystore. As I mentioned earlier, each entry of a Java Keystore is stored against an alias. So, we need to specify aliases here, which will be used to refer the certificates that we are going to store.
keytool -import -file client.cert -keystore server.jks -storepass ruchira -alias client
Above command will store client's self signed public key certificate(client.cert) in server.jks against the alias "client". So, using "client" alias on server.jks, we can refer client's certificate anytime. Likewise, following command will store server.cert within client.jks against the alias "server".
keytool -import -file server.cert -keystore client.jks -storepass ruchira -alias server
After all, please view the content of both keystore again using following commands.
keytool -list -v -keystore server.jks -storepass ruchira
keytool -list -v -keystore client.jks -storepass ruchira
It will give you something like bellow for server.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: server
Creation date: Jul 8, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Issuer: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Serial number: 4c3562a0
Valid from: Thu Jul 08 11:01:12 IST 2010 until: Wed Oct 06 11:01:12 IST 2010
Certificate fingerprints:
MD5:  AB:77:72:F1:0D:09:55:E3:B6:D3:DC:A6:4D:D4:39:36
SHA1: D7:C1:60:5C:7E:34:40:A9:0B:E4:2C:65:6C:E0:79:7C:EE:37:A7:19
Signature algorithm name: SHA1withRSA
Version: 3


*******************************************
*******************************************


Alias name: client
Creation date: Jul 8, 2010
Entry type: trustedCertEntry

Owner: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Issuer: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Serial number: 4c356225
Valid from: Thu Jul 08 10:59:09 IST 2010 until: Wed Oct 06 10:59:09 IST 2010
Certificate fingerprints:
MD5:  60:0B:48:0D:DB:56:8C:68:8C:2D:94:4A:D6:DA:04:B8
SHA1: A7:CE:57:10:70:87:C1:2C:C0:9D:1D:90:8C:BB:69:B6:66:26:97:13
Signature algorithm name: SHA1withRSA
Version: 3


*******************************************
*******************************************

something like below for client.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: server
Creation date: Jul 8, 2010
Entry type: trustedCertEntry

Owner: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Issuer: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Serial number: 4c3562a0
Valid from: Thu Jul 08 11:01:12 IST 2010 until: Wed Oct 06 11:01:12 IST 2010
Certificate fingerprints:
MD5:  AB:77:72:F1:0D:09:55:E3:B6:D3:DC:A6:4D:D4:39:36
SHA1: D7:C1:60:5C:7E:34:40:A9:0B:E4:2C:65:6C:E0:79:7C:EE:37:A7:19
Signature algorithm name: SHA1withRSA
Version: 3


*******************************************
*******************************************


Alias name: client
Creation date: Jul 8, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Issuer: CN=Ruchira Wageesha, OU=Mashup Server, O=WSO2, L=Ahangama, ST=Southern, C=LK
Serial number: 4c356225
Valid from: Thu Jul 08 10:59:09 IST 2010 until: Wed Oct 06 10:59:09 IST 2010
Certificate fingerprints:
MD5:  60:0B:48:0D:DB:56:8C:68:8C:2D:94:4A:D6:DA:04:B8
SHA1: A7:CE:57:10:70:87:C1:2C:C0:9D:1D:90:8C:BB:69:B6:66:26:97:13
Signature algorithm name: SHA1withRSA
Version: 3


*******************************************
*******************************************
If everything went well, you might have successfully created server.jks and client.jks which can be used to secure Axis2 Services and access those secured services.

You can also find a summary of Java keytool commands at http://ruchirawageesha.blogspot.com/2010/07/java-keytool-keystore-commands.html
Posted by at
Labels: , ,

55 comments:

  1. winsgSeptember 26, 2010 at 8:39 PM

    Hi,

    This is a great, very informative tutorial. Thanks! I have one question though. How can the server/service know which of his clients is accessing the service?

    Thanks.

    ReplyDelete
  2. AnonymousJuly 25, 2011 at 8:20 AM

    Thanks, very much
    Aleksandar Bosancic

    ReplyDelete
  3. juddiJanuary 8, 2012 at 11:19 PM

    This comment has been removed by the author.

    ReplyDelete
  4. Sukhkhuyag TSerendagvaJanuary 8, 2012 at 11:20 PM

    Hi
    Thanks for your great post. It's very useful. I did my keystore problems.

    thanks
    juddi

    ReplyDelete
  5. AnonymousJune 30, 2012 at 4:50 PM

    Thanks a lot Wageesha for a very informative and to the point article on keystores.
    This helped me a lot !

    ReplyDelete
  6. Pectus ExcavatumNovember 8, 2012 at 9:30 AM

    This is a great post, but does anyone know about how you can validate a digital signature using the public cert? within a java program?

    ReplyDelete
  7. AnonymousNovember 30, 2012 at 8:50 AM

    Thanks, you saved me a lot of time !

    ReplyDelete
  8. AnonymousMay 6, 2013 at 7:26 AM

    Thanks

    ReplyDelete
  9. AnonymousMay 29, 2013 at 6:05 AM

    This is by far the most clear explanation that I've seen. Thanks!

    ReplyDelete
  10. AnonymousMay 30, 2013 at 8:56 AM

    That was nice for me.I used the server certificate for apache ftp server.
    Thanks..!!

    ReplyDelete
  11. teledynJune 3, 2013 at 12:46 PM

    the server that I need to contact supplied a pem file that contains a PrivateKey section above the Certificate section and keystore won't import that -- is there some other method for importing this key? I know the key works because I can use curl --cert key+cert.pem --cacert ca.pem and this contacts the remote site correctly, but I haven't been able to find an equivalent method through java. Any advice you can share on this would be most welcome.

    ReplyDelete
  12. AnonymousJune 21, 2013 at 12:43 AM

    Many thanks for the nice article...very well explained...

    ReplyDelete
  13. LokeshJuly 10, 2013 at 3:10 AM

    Thanks for the nice article.

    ReplyDelete
  14. AmilarajansJuly 22, 2013 at 4:56 AM

    thanks man,nice tutorial

    ReplyDelete
  15. Prashant KushwahaAugust 8, 2013 at 4:13 AM

    Thanks for simple and clear explanation ...

    ReplyDelete
  16. BhaveshAugust 28, 2013 at 6:07 AM

    Hi i was following steps which you described
    and got error javax.net.ssl.SSLException: hostname in certificate didn't match :

    ReplyDelete
  17. mumstar1969September 10, 2013 at 2:03 AM

    How do I create a new password in keystore? What exactly do I need to type in?

    ReplyDelete
  18. AnonymousSeptember 27, 2013 at 3:04 AM

    gr8... good info..

    ReplyDelete
    Replies
    1. UnknownOctober 2, 2013 at 11:15 PM

      This is a very good tutorial. Thank you very much.

      Delete
    2. UnknownDecember 1, 2013 at 8:03 AM

      in google chrome showing Certificate-based authentication failed showing error Error code: ERR_BAD_SSL_CLIENT_AUTH_CERT after your instructions i configure in tomcat


      and place their corresponding .jks in dir and also import client.cert in google chrome, can any one guess about this matter...

      Delete
  19. AnonymousNovember 26, 2013 at 4:33 AM

    ThankYou..I just use this site whenever I need to configure the certificates.... :)

    ReplyDelete
  20. AnonymousDecember 16, 2013 at 9:36 PM

    This blog has been really very helpful to me...thanks a lot...:)

    ReplyDelete
  21. raviFebruary 11, 2014 at 10:43 PM

    thanks a lot....Great Help

    ReplyDelete
  22. UnknownMarch 13, 2014 at 11:19 AM

    Thanks a lot, it helped me very much

    ReplyDelete
  23. AmeenMay 13, 2014 at 4:33 AM

    Wowww! Very neatly compiled and contains everything needed for SSL communication.. Great job Wageesha!!!

    ReplyDelete
  24. Kunal BhattacharyaJune 7, 2014 at 11:17 PM

    Many many thanks Dear...It's very neat and clean step by step approach to learn this thing..Really very great job...

    ReplyDelete
  25. AnonymousJuly 16, 2014 at 12:20 PM

    Great article!

    ReplyDelete
  26. Dhawan ShringiAugust 17, 2014 at 8:54 PM

    Thanks Wageesha, your article saved a lot of my time :)
    Keep up the good work !

    ReplyDelete
  27. AnonymousSeptember 25, 2014 at 11:36 AM

    nice one.

    ReplyDelete
  28. AnonymousOctober 29, 2014 at 12:10 AM

    V Nice article

    ReplyDelete
  29. AnonymousNovember 4, 2014 at 9:39 AM

    Concise and informative. Very helpful! Great job!

    ReplyDelete
  30. AnarDecember 11, 2014 at 8:33 AM

    Thank you, very helpful!

    ReplyDelete
  31. electronic signature softwareJune 3, 2015 at 10:48 AM

    Thank you so much for taking the time to share this information. A great read. I’ll certainly be back.

    ReplyDelete
  32. AnonymousOctober 7, 2015 at 1:20 AM

    Great post... worked smoothly. Thank you!

    ReplyDelete
  33. ShamilNovember 4, 2015 at 3:05 AM

    Great post..Thank you

    ReplyDelete
  34. UnknownFebruary 8, 2016 at 2:41 PM

    Thanks. This was usefull. But has a question. In this case, is it not vulnerable that if someone gets hold of either of these .jks files, they can pretend to be client or server when they are actually not.

    ReplyDelete
    Replies
    1. AnonymousApril 22, 2016 at 1:09 AM

      If your client.jks has been stolen, the thief will be consider has the client. To protect you against this you should add a VPN on the top.

      Delete
  35. UnknownFebruary 11, 2016 at 12:06 PM

    Thank you this is amazing...

    ReplyDelete
  36. UnknownMarch 19, 2016 at 5:15 AM

    thanks, it is great tutorial

    ReplyDelete
  37. Robert PardridgeMay 20, 2016 at 4:28 PM

    Thanks so much for the great tutorial

    ReplyDelete
  38. Franklin MedinaMay 27, 2016 at 5:48 AM

    Same comment as Anonymous:
    --> This is by far the most clear explanation that I've seen. Thanks!

    ReplyDelete
  39. AnonymousJanuary 17, 2017 at 9:49 PM

    Great tutorial.Thank you so much.Can you please specficy how to convert the client trust store into .pem format .

    ReplyDelete
  40. melbourne seo servicesNovember 28, 2017 at 10:37 PM

    Thank you for sharing this powerful article, your explanation is clear and very easy to understand. Please kindly visit our site to get more information about IT solution.

    ReplyDelete
  41. AnonymousJanuary 2, 2018 at 5:08 AM

    Business Loan in Dubai
    Small Business Loans
    Fast Business Loan

    ReplyDelete
  42. AnonymousMarch 4, 2018 at 12:42 AM

    Work Visa for Canada
    Canada Immigration Services
    canada tourist visa

    ReplyDelete
  43. LucySeptember 30, 2018 at 4:01 PM

    I am happy to comment on this

    ReplyDelete
  44. Emily BrianOctober 18, 2018 at 6:08 PM


    Extraordinary blog in all aspects:) Thanks for sharing
    Click Here : used-bakhoe 420f 0skr02123 for sale

    ReplyDelete
  45. UnknownOctober 19, 2018 at 4:01 PM


    Excellent read, I just passed this onto a colleague who was doing a little research on that.
    Click Here : essay writers uk

    ReplyDelete
  46. Online TipsApril 29, 2019 at 10:09 AM

    Looking for the Best Minecraft Server to play on? Want to advertise your minecraft server? Find them right here on our Minecraft Multiplayer Servers List. Cheap Minecraft Advertising

    ReplyDelete
  47. DannyTeeMay 1, 2019 at 4:08 AM

    This is the most understandable and clear explanation on how to do it!Especially for beginners! I wish I found this blog sooner!
    Again Thankyou!

    ReplyDelete
  48. jerrysproductreviewsJuly 16, 2019 at 4:44 PM

    I think you did an adequate job of explaining this. Thanks for investing time into this topic. www spectrummobile com activate

    ReplyDelete
  49. AnonymousOctober 1, 2019 at 6:32 AM

    Thanks Buddy.

    ReplyDelete
  50. RoddyMarch 21, 2020 at 9:59 AM

    I really like this concept. Hoping to continue the new ideas with professional excellence. Thanks for sharing.
    mywakehealth
    www.mymilestoneCard.com
    securitasepay
    payonlineticket
    myinsuranceinfo

    ReplyDelete
  51. Anna R. IbanezApril 4, 2020 at 5:55 AM

    I love the article and the meal looks delicious. It’s worth a try on my end, I got 30 minutes to spare.
    login bank account
    Get payment through bank account
    Activate Your New Cabelas Club Credit Card
    Activate Your New Cabelas Club Credit Card
    Application, Activation, and Payment

    ReplyDelete
  52. AnonymousAugust 13, 2024 at 11:31 PM

    Cool and I have a neat offer: Full House Reno house reno shows

    ReplyDelete

Subscribe to: Post Comments (Atom)