Java Keystores - jrwhetse/jrwhetse.github.io GitHub Wiki

Keystores

Overview

A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – used for instance in SSL encryption. In Tomcat Application Server and Oracle WebLogic Server, a file with extension jks serves as keystore. Typically, KeyStores are broken up into two types: Identity and Trust. The Identity KeyStore holds the certificate chain for the server on which the application is running; this is the certificate that gets presented to incoming SSL connections. The Trust KeyStore holds the Certificate Authorities (CAs) that your application should trust, i.e. the CAs that signed the certificates presented by remote servers on outgoing requests.

Requirements

Java - See Java Installation

List/Export Content

# list contents
${JAVA_HOME}/bin/keytool -list -v -keystore {keystore-name}.jks

# list contents without password prompt
${JAVA_HOME}/bin/keytool -list -v -keystore {keystore-name}.jks -storepass {keystore-passphrase} -noprompt

# export contents to file
${JAVA_HOME}/bin/keytool -list -v -keystore {keystore-name}.jks -storepass {keystore-passphrase} -noprompt > {keystore-name}.jks.txt

# search for a certificate by alias
${JAVA_HOME}/bin/keytool -list -v -keystore {keystore-name}.jks -storepass {keystore-passphrase} -noprompt | grep Alias | grep {alias}

Remove Certificate

# remove certificate
${JAVA_HOME}/bin/keytool -delete -alias {alias} -keystore {keystore-name}.jks

# remove certificate without password prompt
${JAVA_HOME}/bin/keytool -delete -alias {alias} -keystore {keystore-name}.jks -storepass {keystore-passphrase} -noprompt

Server Identity Certificate

The server identity certificate is a concatenation of the unique server certificate and the certificates of the certificate authorities that signed it. The certificate chain gets converted into a p12/pfx file and then imported into an Identity KeyStore. The server certificate and the CA certificates are presented to incoming requests so that the client can determine whether the connection can be trusted.

# create certificate chain
cat {fqdn}.crt {subca}.crt {rootca}.crt > {fqdn}.chain.crt

# create p12 certificate chain
openssl pkcs12 -export -inkey {host}.key -in {host}.chain.crt -out {host}.chain.p12

# import p12 certificate chain into keystore
${JAVA_HOME}/bin/keytool -v -importkeystore -srckeystore {host}.chain.p12 -srcstoretype PKCS12 -srcalias 1 -destkeystore {keystore}.jks -deststoretype JKS -destalias {alias}

# import p12 certificate chain into keystores without password prompt
${JAVA_HOME}/bin/keytool -v -importkeystore -srckeystore {host}.chain.p12 -srcstoretype PKCS12 -srcalias 1 -srcstorepass {src-keystore-passphrase} -destkeystore {keystore}.jks -deststoretype JKS -destalias {alias} -deststorepass {dest-keystore-passphrase}

Trusted Certificate Authorities

Outgoing SSL connections to remote servers will be presented with a certificate chain. In order for the application to determine whether the certificate presented by the remote server can be trusted, the certificate of the certificate authority that signed it must be in the Trust KeyStore.

# import trusted ca certificate into keystore
${JAVA_HOME}/bin/keytool -importcert -trustcacerts -alias {alias} -file {name}.crt -keystore {keystore}.jks

# import trusted ca certificate into keystore without password prompt
${JAVA_HOME}/bin/keytool -importcert -trustcacerts -alias {alias} -file {name}.crt -keystore {keystore}.jks [-storepass {keystore-passphrase}]
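Whatever lands in the Trust KeyStore becomes a trust anchor for every outgoing connection, so it is worth checking that the file really is a CA certificate (basicConstraints CA:TRUE), that it has not expired, and printing its SHA-256 fingerprint for comparison with the value the CA publishes, before running the import above. This is an added example, not the wiki's own commands; it assumes openssl 1.1.1 or later (for `-ext`) and keytool on PATH, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the wiki): import a CA certificate into a Trust KeyStore
# only after checking that it is a CA certificate and is still valid.

# cert_is_ca <cert.pem>: 0 if the certificate asserts basicConstraints CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# cert_is_valid_now <cert.pem>: 0 if the certificate has not expired.
cert_is_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# cert_fingerprint <cert.pem>: the SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# import_trusted_ca <ca.crt> <truststore.jks> <alias> <storepass>
import_trusted_ca() {
  cert=$1; keystore=$2; alias=$3; storepass=$4
  cert_is_ca "$cert" || { echo "refusing $cert: not a CA certificate" >&2; return 1; }
  cert_is_valid_now "$cert" || { echo "refusing $cert: expired" >&2; return 1; }
  echo "importing $(openssl x509 -in "$cert" -noout -subject) SHA256=$(cert_fingerprint "$cert")"
  keytool -importcert -trustcacerts -noprompt -alias "$alias" -file "$cert" \
    -keystore "$keystore" -storepass "$storepass" >/dev/null 2>&1 || return 1
  # Confirm it was stored as a trusted certificate entry.
  keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" | grep -q trustedCertEntry
}
```

The CA:TRUE check also rejects a server (leaf) certificate that was handed over by mistake, which would otherwise be imported silently. Old X.509 v1 root certificates carry no basicConstraints extension and would be refused by this check; relax it deliberately for those rather than by default.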

Verify Certificates

# verify certificate
openssl x509 -inform pem -noout -text -in {host}.crt 

# view certificate chain
openssl crl2pkcs7 -nocrl -certfile {host}.chain.crt | openssl pkcs7 -print_certs -text

# check certificate being presented
openssl s_client -showcerts -connect {fqdn}:{port}

Import Multiple Certs

#!/bin/bash
# usage: import-certs.sh <bundle>.pem <keystore-passphrase> <keystore>.jks
PEM_FILE=$1
PASSWORD=$2
KEYSTORE=$3
# number of certs in the PEM file
CERTS=$(grep -c 'END CERTIFICATE' "$PEM_FILE")
[ "$CERTS" -gt 0 ] || { echo "no certificates found in $PEM_FILE" >&2; exit 1; }
# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
#              step 2, increment counter when last line of cert is found
for N in $(seq 0 $((CERTS - 1))); do
  ALIAS="${PEM_FILE%.*}-$N"
  awk "n==$N { print }; /END CERTIFICATE/ { n++ }" "$PEM_FILE" |
    keytool -noprompt -importcert -trustcacerts -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$PASSWORD"
done

Notes

#####################################################################################
# <keystore-name>.jks
#####################################################################################

# export/list keystore
keytool -list -v -keystore <keystore-name>.jks -storepass <keystore-passphrase> -noprompt > <keystore-name>.jks.txt

# search for certificate by alias
keytool -list -v -keystore <keystore-name>.jks -storepass <keystore-passphrase> -noprompt | grep Alias | grep <alias>

# remove certificate by alias
/usr/java/latest/bin/keytool -delete -alias <alias> -keystore <keystore-name>.jks -storepass <keystore-passphrase> -noprompt

# generate p12 file
openssl pkcs12 -export -inkey <host>.key -in <host>.crt -out <host>.p12 [-password pass:<certificate-private-key-passphrase>]

# import p12 file into keystore
/usr/java/latest/bin/keytool -v -importkeystore -srckeystore <host>.p12 -srcstoretype PKCS12 -srcalias 1 [-srcstorepass <src-keystore-passphrase>] -destkeystore <keystore>.jks -deststoretype JKS -destalias <alias> [-deststorepass <dest-keystore-passphrase>]

# create certificate chain file
cat <host>.crt <subca>.crt <rootca>.crt > <host>.chain.crt

# create p12 certificate chain
openssl pkcs12 -export -inkey <host>.key -in <host>.chain.crt -out <host>.chain.p12

# import p12 certificate chain into keystore
keytool -v -importkeystore -srckeystore <host>.chain.p12 -srcstoretype PKCS12 -srcalias 1 [-srcstorepass <src-keystore-passphrase>] -destkeystore <keystore>.jks -deststoretype JKS -destalias <alias> [-deststorepass <dest-keystore-passphrase>]

# import trusted ca certificate into keystore (rootca, subca1)
keytool -importcert -trustcacerts -alias <alias> -file <name>.crt -keystore <keystore>.jks [-storepass <keystore-passphrase>]

# import trusted ca certificate into keystore (option 2)
keytool -import -trustcacerts -alias <alias> -file <name>.crt -storetype jks -keystore <keystore>.jks [-storepass <keystore-passphrase>]

# view certificate
openssl x509 -inform pem -noout -text -in <host>.crt 

# view certificate chain
openssl crl2pkcs7 -nocrl -certfile <host>.chain.crt | openssl pkcs7 -print_certs -text

# show certs and details
openssl s_client -showcerts -connect <host>:<port>