25
votes

How to:

  1. Generate keystore
  2. Generate truststore

To make SSL work between client and server, I need help only with the generation of the keystore and truststore for mutual authentication: a step-by-step guide with terminal commands (keytool and openssl).

1
The specific configuration would depend on the software you are using on the server and client end. Without further information on your specific setup, we could provide generic advice at most. – AfroThundr

Thanks for the reply. I've changed the question. I've freshly installed an Ubuntu 16 server machine. For making an SSL connection between apps, first I need help to generate the keystore, sign the certificate and create the truststore; the rest of the connection I'll do. – SOWMITHRA KUMAR G M

You may want to check out this question, or maybe this or this page, for info on creating a keystore and truststore using keytool and openssl. – AfroThundr

1 Answer

39
votes

I followed this link.

1. Generate keystore (at server):

keytool -genkey -alias bmc -keyalg RSA -keystore KeyStore.jks -keysize 2048

2. Generate new ca-cert and ca-key:

openssl req -new -x509 -keyout ca-key -out ca-cert

3. Extract cert / create cert signing request (CSR):

keytool -keystore KeyStore.jks -alias bmc -certreq -file cert-file

4. Sign the "cert-file"; cert-signed will be the new cert:

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:yourpass

5. Import the ca-cert into the keystore file:

keytool -keystore KeyStore.jks -alias CARoot -import -file ca-cert

6. Import cert-signed into the keystore:

keytool -keystore KeyStore.jks -alias bmc -import -file cert-signed

7. Copy ca-cert into the client machine and generate the truststore (at client):

keytool -keystore truststore.jks -alias bmc -import -file ca-cert

8. Copy ca-cert into the client machine and generate the truststore (at server):

keytool -keystore truststore.jks -alias bmc -import -file ca-cert-c

Repeat steps 1-6 at the client side and generate the truststore at the server side by importing the ca-cert of the client (step 8).

Rename ca-cert after step 6.

Ex: ca-cert-s is generated at the server side and ca-cert-c at the client, and they are exchanged with each other for generating the truststores.
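As an added example (not part of the original answer), the CA-and-signing part of the procedure above run for both sides with openssl alone and non-interactively, so the resulting trust relationships can be checked: each side gets a PKCS12 keystore holding its key, its signed cert and its own CA, and each side's truststore is the other side's CA cert, which is what steps 7 and 8 import with keytool. The directory layout, the CN values, the file names with a -server/-client suffix and the password "changeit" are constructed for this example.

```shell
#!/bin/sh
# Added example: build both halves of a mutual-TLS setup with openssl only.
# Constructed names: ca-cert-<side>, ca-key-<side>, <side>-cert-signed, password changeit.
set -e

# make_side DIR SIDE: SIDE's CA, leaf key, CSR, CA-signed leaf cert (answer steps 2-4),
# then a PKCS12 keystore with key + signed cert + CA (what steps 5-6 put in KeyStore.jks).
make_side() {
  dir=$1; side=$2
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$side-ca" \
    -keyout "$dir/ca-key-$side" -out "$dir/ca-cert-$side" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$side" \
    -keyout "$dir/$side-key.pem" -out "$dir/$side-csr" 2>/dev/null
  openssl x509 -req -CA "$dir/ca-cert-$side" -CAkey "$dir/ca-key-$side" -CAcreateserial \
    -in "$dir/$side-csr" -out "$dir/$side-cert-signed" -days 365 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/$side-key.pem" -in "$dir/$side-cert-signed" \
    -certfile "$dir/ca-cert-$side" -name "$side" -passout pass:changeit \
    -out "$dir/$side-keystore.p12"
}

# verify_chain DIR CA_SIDE LEAF_SIDE: succeeds only if LEAF_SIDE's cert chains to
# CA_SIDE's CA, i.e. the check a peer performs against its truststore.
verify_chain() {
  openssl verify -CAfile "$1/ca-cert-$2" "$1/$3-cert-signed" >/dev/null 2>&1
}

# keystore_subject DIR SIDE: subject of the leaf cert inside SIDE's PKCS12 keystore.
keystore_subject() {
  openssl pkcs12 -in "$1/$2-keystore.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# setup_mtls DIR: both sides, then cross-copy the CA certs as truststores
# (server trusts client CA = step 8; client trusts server CA = step 7).
setup_mtls() {
  mkdir -p "$1"
  make_side "$1" server
  make_side "$1" client
  cp "$1/ca-cert-client" "$1/server-truststore.pem"
  cp "$1/ca-cert-server" "$1/client-truststore.pem"
}
```

A peer that only holds the other side's CA cannot validate a certificate signed by an unrelated CA, which is why the cross check (server cert against the client's CA) is expected to fail.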