Truststore and keystore - aidarko/dev-notes GitHub Wiki


                ===============================
                Prepare truststore and keystore
                ===============================
> [Optional] If ca.key and ca.crt do not exist yet, create a self-signed CA (keep ca.key private: it can sign any certificate)
openssl req -new -x509 -keyout ca.key -out ca.crt -days 365

> create keystore with an unsigned (self-signed) cert
> pay attention to the Organization Unit value, since it is used for authentication
keytool -keystore keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA

> create a certificate signing request (CSR)
keytool -keystore keystore.jks -alias localhost -certreq -file keystore-sign-request

> sign the CSR with the CA (the issued cert carries only what the CSR contains; extensions such as SAN must be supplied separately if needed)
openssl x509 -req -CA ca.crt -CAkey ca.key \
  -in keystore-sign-request -out keystore-signed \
  -days 365 -CAcreateserial

> [Optional] Export the private key from the keystore (the keystore must be in PKCS12 format; -nodes writes private.key unencrypted, so restrict its permissions)
openssl pkcs12 -in keystore.jks -nodes -nocerts -out private.key

> [Optional] Import the CA cert and the signed cert (import the CA first so keytool can verify the chain of the signed cert)
keytool -keystore keystore.jks -alias CARoot -import -file ca.crt
keytool -keystore keystore.jks -alias localhost -import -file keystore-signed
> list the certificates in a keystore
keytool -list -keystore client.keystore.jks -v
> remove a cert from the keystore by its alias
keytool -delete -noprompt -alias admin -keystore /path/to/keystore.jks