The following procedure describes the creation of a JKS keystore that works perfectly with JBoss 5.0 application server. Tomcat probably uses the same type of keystore.
Create private key and Certificate Signing Request
You can create a private key in a Linux OS with the help of openssl utility.
Set umask to 077 so that the created file is only readable by the current user:
$ OLD_UMASK=`umask` (umask is inside backtick characters)
$ umask 077
Create a private key of 2048 bits length and store it in file private_key.pem:
$ openssl genrsa 2048 > private_key.pem
Restore the file creation mask:
$ umask $OLD_UMASK
You can create a Certificate Signing Request (CSR) with the command:
$ openssl req -new -key private_key.pem -nodes
Next you will have to answer various questions. Give special attention to the Common Name field, which must match the Fully Qualified Domain Name of your server. The command prints the following text, which comprises the CSR:
-----BEGIN CERTIFICATE REQUEST-----
MIIBZYnPGQZK06tI6EKLGp7qmaFAIAe ...
....
-----END CERTIFICATE REQUEST-----
Generate a chain certificate
The procedure assumes that you have (a) a private key in file private_key.pem, (b) a digital certificate that you have received from a Certificate Authority (CA) in file certificate.pem and (c) a chain certificate that certifies the CA in file ca_chain_cert.pem.
In case your CA is certified by another authority CA1 that is in turn certified by a root CA CA_ROOT (CA -> CA1 -> CA_ROOT) and the respective certificates are available in the individual files ca_cert.pem, ca1_cert.pem and ca_root.pem, you can create ca_chain_cert.pem with the command:
$ cat ca_cert.pem ca1_cert.pem ca_root.pem > ca_chain_cert.pem
The chain certificate is generated by combining certificate.pem with ca_chain_cert.pem:
$ cat certificate.pem ca_chain_cert.pem > chain.pem
The concept is that you must have a file that includes all certificates with the order:
- host certificate
- CA certificate
- CA1 certificate
- root CA certificate
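The ordering above can be assembled and sanity-checked with a small script before the chain is handed to the PKCS12 step. The following is an added example, not part of the original article: it keeps the article's file names, writes constructed placeholder PEM blocks (not real certificates) so that it runs offline, counts the certificate blocks in the bundle (this count should equal the chain length keytool reports after the import, 4 for host + CA + CA1 + root CA) and checks that the host certificate comes first. When openssl is available, the optional print_chain_order function lists each certificate's subject and issuer in bundle order, so a misordered chain is visible early (each issuer should be the subject of the next block). The function names build_chain, count_pem_certs, chain_starts_with, print_chain_order, make_placeholder_cert and demo are my own, not from the article.

```shell
#!/bin/sh
# Added example, not part of the original article: build chain.pem in the
# order the article requires (host, CA, CA1, root CA) and check the bundle
# before it is fed to "openssl pkcs12". File names follow the article; the
# placeholder bodies written by make_placeholder_cert are constructed for
# the demo and are NOT real certificates.

# build_chain OUT FILE... : concatenate the PEM files into OUT in argument
# order. The first file must be the host certificate, the last the root CA.
build_chain() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # keep blocks separated even if a file lacks a trailing newline
        [ "$(tail -c 1 "$f")" = "" ] || printf '\n' >> "$out"
    done
}

# count_pem_certs FILE : number of certificate blocks in a PEM bundle. This
# is the chain length keytool should later report (4 for host + CA + CA1 +
# root CA). The complete header is matched, so a stray
# "BEGIN CERTIFICATE REQUEST" block (a CSR) is not counted.
count_pem_certs() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# chain_starts_with CHAIN HOSTCERT : succeed only if CHAIN begins with the
# exact content of HOSTCERT, i.e. the host certificate is first as required.
chain_starts_with() {
    n=$(wc -c < "$2" | tr -d ' ')
    head -c "$n" "$1" | cmp -s - "$2"
}

# print_chain_order BUNDLE : with openssl installed, print subject and issuer
# of every certificate in bundle order; each issuer should equal the subject
# of the following certificate. Skipped (not an error) without openssl.
print_chain_order() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping order listing" >&2; return 0; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# make_placeholder_cert FILE LABEL : write a constructed PEM-shaped block
# (not a real certificate) so the functions above can be exercised offline.
make_placeholder_cert() {
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf 'PLACEHOLDER-%s-NOT-A-REAL-CERT\n' "$2"
        printf '%s\n' '-----END CERTIFICATE-----'
    } > "$1"
}

# demo : assemble the four-certificate chain from placeholders in a temporary
# directory, using the article's two cat steps, and print the block count.
demo() {
    d=$(mktemp -d)
    make_placeholder_cert "$d/certificate.pem" HOST
    make_placeholder_cert "$d/ca_cert.pem" CA
    make_placeholder_cert "$d/ca1_cert.pem" CA1
    make_placeholder_cert "$d/ca_root.pem" CA_ROOT
    # step 1: CA bundle (CA, CA1, root); step 2: host certificate in front
    build_chain "$d/ca_chain_cert.pem" "$d/ca_cert.pem" "$d/ca1_cert.pem" "$d/ca_root.pem"
    build_chain "$d/chain.pem" "$d/certificate.pem" "$d/ca_chain_cert.pem"
    chain_starts_with "$d/chain.pem" "$d/certificate.pem" || { echo "host certificate is not first" >&2; return 1; }
    count_pem_certs "$d/chain.pem"
    rm -rf "$d"
}

demo
```

With real files, run print_chain_order chain.pem after the two cat commands and compare the count from count_pem_certs with the chain length keytool -list -v reports once the keystore is built; a mismatch means a certificate was dropped or duplicated along the way.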
Generate the JKS keystore
This step assumes that file chain.pem contains the certificate chain, private_key.pem the private key and certificate.pem the server certificate that you received from the CA (the first part of the chain).
Create a PKCS12 keystore in file keystore.p12 from the certificate chain and the private key with the following command:
$ openssl pkcs12 -export -name server_cert -in chain.pem -inkey private_key.pem -certfile certificate.pem -out keystore.p12
Write down the Export password as it will be used in all the following steps to have access to the keystore.
Create a JKS keystore in file server.keystore from the PKCS12 keystore:
$ keytool -importkeystore -destkeystore server.keystore -srckeystore keystore.p12 -srcstoretype pkcs12 -alias server_cert
You can list the certificates with the following command:
$ keytool -list -v -keystore server.keystore
Verify that the command output states the correct size of the certificate chain. In the case of CA, CA1 and CA_ROOT the size must be 4.