When working with a Java Key Store (JKS), make sure to keep the initial .jks keystore file from which you create the certificate signing request (CSR).
When you create a JKS, it gets seeded with the private key (which you cannot really see or get at, except with 3rd-party tools/utilities). This private key is used to create the CSR; the two are related. You cannot use the signed public certificate you get back with any other JKS! Something like this:
keytool -genkey -alias mystuff -keyalg RSA -keysize 2048 -keystore mystuff.jks -validity 1095 -dname "CN=*.mystuff.com,OU=IT,O=MyOrg,L=London,ST=London,C=GB"
The CN= part of the -dname parameter is the hostname you wish to protect with SSL; make sure you get it correct or your SSL cert will be useless. Provided the above is all good, keytool will prompt you for a password of at least six characters, and then again to confirm. It will then prompt you twice for a password for the -alias that you specified. This should match the password you just used for the JKS keystore. It will then create a file ‘mystuff.jks’ that contains the embedded private key.
From the above JKS keystore, you will need to create a CSR to send away to have your public key cert signed. Something like this:
keytool -certreq -alias mystuff -keystore mystuff.jks -file mystuff.csr
The -alias must match the -alias used when creating the JKS keystore. Again, this will prompt for the JKS keystore password. When complete, it will produce a CSR file called ‘mystuff.csr’ that you can send to a vendor to sign your SSL cert.
When the signed public key cert comes back, it *may* have chain (intermediate) certificates with it. If so, simply paste the plain-text contents of all the certificates into a single plain ASCII file using a text editor. Paste them in the order below:
-----BEGIN CERTIFICATE-----
your public key in Base-64 encoded X.509
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
primary chain cert in Base-64 encoded X.509
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
secondary chain cert in Base-64 encoded X.509
-----END CERTIFICATE-----
Save the file as something like mystuff.cer.
When you import the public cert, you must supply the same alias name that you used to create the private key and CSR, and the passwords for the JKS and the alias must all match. To import use:
keytool -import -alias mystuff -file mystuff.cer -keystore mystuff.jks
If all goes well, you should have one certificate entry in the store with a chain length of 3. To verify:
keytool -list -keystore mystuff.jks -alias mystuff -v
Enter keystore password:
Alias name: mystuff
Creation date: 21-Oct-2013
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate:
The -v output should print out the details for all three certificates.
If you don’t like command-line methods, then this tool is rather good
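Because the signed cert is only usable with the keystore whose key produced the CSR, it is worth checking that relationship before the -import step. The script below is an added example, not part of the original post; it assumes openssl is installed and uses the post's file names as placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): before running `keytool -import`,
# confirm that the signed certificate the CA returned belongs to the key pair in
# your keystore. The CSR was generated from that key pair, so the public key in
# the CSR must be identical to the public key in the signed certificate; if it
# is not, the cert is for some other keystore and keytool will reject it.
# Assumes openssl is installed; file names are placeholders matching the post.

# SHA-256 of the DER-encoded public key (SubjectPublicKeyInfo) inside a CSR.
csr_pubkey_hash() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Same for the first certificate in a PEM file (in the bundle order the post
# describes, that is the server certificate, followed by the chain certs).
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Number of certificates in a PEM bundle; the post expects 3 (server + 2 chain).
bundle_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Exit status 0 if the cert in $2 was issued for the key behind the CSR in $1.
cert_matches_csr() {
    csr_hash=$(csr_pubkey_hash "$1")
    cert_hash=$(cert_pubkey_hash "$2")
    [ -n "$csr_hash" ] && [ "$csr_hash" = "$cert_hash" ]
}

# Usage: sh check_cert.sh mystuff.csr mystuff.cer   (run before keytool -import)
if [ "$#" -eq 2 ]; then
    if cert_matches_csr "$1" "$2"; then
        echo "OK: $2 matches the key pair behind $1 ($(bundle_cert_count "$2") cert(s) in bundle)"
    else
        echo "MISMATCH: $2 was not issued for the key behind $1; do not import it" >&2
        exit 1
    fi
fi
```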