How to create a key store for HTTPS communication?

This page covers the case where your certificate must be signed by a certification authority (CA).

More information available here: http://docs.oracle.com/javase/tutorial/security/sigcert/index.html#GenCSR.

The key store for the HTTPS communication must contain only one key. If several keys exist in the key store, the node will fail to start.


Create a key store and a cryptographic key

A new key store is created as a side effect of creating a cryptographic key (i.e. an empty key store cannot be created).

A cryptographic key is created with the -genkeypair command.

keytool -genkeypair [OPTION]...

Generates a key pair

Options:
 -alias <alias>                  alias name of the entry to process
 -keyalg <keyalg>                key algorithm name
 -keysize <keysize>              key bit size
 -sigalg <sigalg>                signature algorithm name
 -destalias <destalias>          destination alias
 -dname <dname>                  distinguished name
 -startdate <startdate>          certificate validity start date/time
 -ext <value>                    X.509 extension
 -validity <valDays>             validity number of days
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism


Example:

keytool -genkeypair -keystore https.keystore -storepass someP@ssword -alias adi -keypass someP@ssword -keyalg RSA -dname "CN=adihost"

Export the certificate signing request

A certificate signing request is created with the -certreq command:

keytool -certreq [OPTION]...

Generates a certificate request

Options:
 -alias <alias>                  alias name of the entry to process
 -sigalg <sigalg>                signature algorithm name
 -file <filename>                output file name
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -dname <dname>                  distinguished name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism


Example:

keytool -certreq -keystore https.keystore -storepass someP@ssword -alias adi -keypass someP@ssword -file https.csr


Send the resulting file to a certification authority.

Import the reply of the certification authority

The reply of the certification authority needs to be imported with the -importcert command:

keytool -importcert [OPTION]...

Imports a certificate or a certificate chain

Options:
 -noprompt                       do not prompt
 -trustcacerts                   trust certificates from cacerts
 -protected                      password through protected mechanism
 -alias <alias>                  alias name of the entry to process
 -file <filename>                input file name
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output


Example:

keytool -importcert -trustcacerts -keystore https.keystore -storepass someP@ssword -alias adi -keypass someP@ssword -file <certification authority reply file>
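The three steps above, put together as one script. This is an added example, not part of the original page or the product it documents: it wraps the page's genkeypair, certreq and importcert commands in functions (key store name, alias and password are the page's own; the CA reply file name ca-reply.cer and the explicit 2048-bit key size are assumptions) and adds a preflight check for the "exactly one key" rule stated at the top of the page, which parses the output of keytool -list and counts PrivateKeyEntry lines. The two sample listings are constructed for the check, not captured from a real run.

```shell
#!/bin/sh
# Added example (not the original page's code): the page's three keytool steps
# as functions, plus a check that the key store holds exactly one private key.
set -eu

KEYSTORE="https.keystore"       # name used in the page's examples
STOREPASS="someP@ssword"        # password used in the page's examples
ALIAS="adi"
CSR_FILE="https.csr"
CA_REPLY="ca-reply.cer"         # assumed name of the file returned by the CA

# Step 1: create the key pair; keytool creates the key store implicitly.
# -keysize 2048 is an explicit choice added here, not on the page.
generate_keypair() {
  keytool -genkeypair -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" -keypass "$STOREPASS" -keyalg RSA -keysize 2048 \
    -dname "CN=adihost"
}

# Step 2: write the certificate signing request for the CA.
create_csr() {
  keytool -certreq -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" -keypass "$STOREPASS" -file "$CSR_FILE"
}

# Step 3: import the CA reply under the same alias as the private key.
import_ca_reply() {
  keytool -importcert -trustcacerts -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" -keypass "$STOREPASS" -file "$CA_REPLY"
}

# Count the PrivateKeyEntry lines in a `keytool -list` listing passed as "$1".
# `|| true` keeps `set -e` from aborting when grep finds nothing (count 0).
count_private_key_entries() {
  printf '%s\n' "$1" | grep -c 'PrivateKeyEntry' || true
}

# Preflight for the page's rule: the node needs exactly one private key.
check_single_key() {
  listing=$(keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS")
  n=$(count_private_key_entries "$listing")
  if [ "$n" -eq 1 ]; then
    echo "OK: $KEYSTORE contains exactly one private key entry"
  else
    echo "ERROR: $KEYSTORE contains $n private key entries, exactly one is required" >&2
    return 1
  fi
}

# Constructed sample listings (not real keytool output) to exercise the check.
SAMPLE_ONE_KEY='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

adi, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>'

SAMPLE_TWO_KEYS='Your keystore contains 2 entries

adi, Jan 1, 2024, PrivateKeyEntry,
backup, Jan 2, 2024, PrivateKeyEntry,'

# Usage:  sh keystore.sh run      (steps 1 and 2, then send the CSR to the CA)
#         sh keystore.sh import   (step 3 once the CA reply has been saved)
if [ "${1:-}" = "run" ]; then
  generate_keypair
  create_csr
  echo "Send $CSR_FILE to the CA, save the reply as $CA_REPLY, then run: import"
elif [ "${1:-}" = "import" ]; then
  import_ca_reply
  check_single_key
fi
```

Two points worth knowing before running it. keytool can only import the CA reply if it can build a trust chain to a root it already trusts (its own key store or, with -trustcacerts, the JDK cacerts file); otherwise it stops with "Failed to establish chain from reply", and the CA's root and intermediate certificates have to be imported first as trusted entries under other aliases. Such trusted certificate entries are listed as trustedCertEntry, not PrivateKeyEntry, so they are not counted by the check above. Passing -storepass and -keypass on the command line, as the page's examples do, leaves the passwords visible in the shell history and in process listings; keytool prompts for them when the options are omitted.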
