
How to create a key store for HTTPS communication?

This page covers the case where your certificate must be signed by a certification authority (CA).

More information available here: http://docs.oracle.com/javase/tutorial/security/sigcert/index.html#GenCSR.

The key store used for HTTPS communication must contain exactly one key. If several keys exist in the key store, the node will fail to start.

Create a key store and a cryptographic key

A new key store is created when a cryptographic key is created (i.e. an empty key store cannot be created).

A cryptographic key is created with the -genkeypair command.

keytool -genkeypair [OPTION]...

Generates a key pair

Options:
 -alias <alias>          alias name of the entry to process
 -keyalg <alg>           key algorithm name
 -keysize <size>         key bit size
 -sigalg <alg>           signature algorithm name
 -destalias <alias>      destination alias
 -dname <name>           distinguished name
 -startdate <date>       certificate validity start date/time
 -ext <value>            X.509 extension
 -validity <days>        validity number of days
 -keypass <arg>          key password
 -keystore <keystore>    keystore name
 -storepass <arg>        keystore password
 -storetype <type>       keystore type
 -providername <name>    provider name
 -addprovider <name>     add security provider by name (e.g. SunPKCS11)
   [-providerarg <arg>]    configure argument for -addprovider
 -providerclass <class>  add security provider by fully-qualified class name
   [-providerarg <arg>]    configure argument for -providerclass
 -providerpath <list>    provider classpath
 -v                      verbose output
 -protected              password through protected mechanism

Security concerns

  • keysize: must be at least 2048 bits
  • storepass/keypass: should be different where the key store type supports it. Note that keytool does not support a key password that differs from the store password for PKCS12 key stores: it prints a warning, ignores the -keypass value and protects the key with the store password instead.
  • storetype: use PKCS12 (industry standard format) instead of JKS (proprietary format and less secure).


Example:

keytool -genkeypair -alias adi -dname "CN=adihost" -keystore https.keystore -storepass someP@ssword -storetype PKCS12 -keypass myKeyP@ssword -keyalg RSA -keysize 2048

Export the certificate signing request

A certificate signing request is created with the -certreq command:

keytool -certreq [OPTION]...

Generates a certificate request

Options:
 -alias <alias>          alias name of the entry to process
 -sigalg <alg>           signature algorithm name
 -file <file>            output file name
 -keypass <arg>          key password
 -keystore <keystore>    keystore name
 -dname <name>           distinguished name
 -ext <value>            X.509 extension
 -storepass <arg>        keystore password
 -storetype <type>       keystore type
 -providername <name>    provider name
 -addprovider <name>     add security provider by name (e.g. SunPKCS11)
   [-providerarg <arg>]    configure argument for -addprovider
 -providerclass <class>  add security provider by fully-qualified class name
   [-providerarg <arg>]    configure argument for -providerclass
 -providerpath <list>    provider classpath
 -v                      verbose output
 -protected              password through protected mechanism


Example:

keytool -certreq -alias adi -keystore https.keystore -storepass someP@ssword -keypass myKeyP@ssword -file https.csr

Send the resulting file to a certification authority.

Certificate generation concerns

When the signed certificate is received, check:

  • validity: the period during which the certificate is valid (e.g. using keytool and the gencert command, use the attribute -validity 3650 for ten years; align the period with your certificate rotation policy)
  • extension: SAN (Subject Alternative Name) is a mandatory certificate extension for the majority of browsers:
    • If it is not present, the browser warns the user and marks the certificate as not secure, even when the CN matches the host name.
    • It can be set with dns (using the FQDN of the server) or ip, and several values can be combined (e.g. using keytool and the gencert command, use the attribute -ext SAN=dns:my.fqn.axway.int, or -ext SAN=dns:my.fqn.axway.int,ip:<address> to add an IP address).
    • Put the same -ext SAN=... attribute on the -certreq command so that the request carries it as well; whether a CA honors extensions taken from the request depends on the CA (keytool -gencert ignores them unless explicitly told to honor them, which is why the attribute is given on the gencert command here).

Import the reply of the certification authority

The reply of the certification authority needs to be imported with the -importcert command. keytool must be able to build a chain from the reply to a trusted certificate: the CA certificate(s) must either be included in the reply file, have been imported into the key store beforehand as trusted certificate entries (these are not keys, so they do not break the one-key rule), or be present in the JDK cacerts store with -trustcacerts given. Otherwise the import fails with "Failed to establish chain from reply".

keytool -importcert [OPTION]...

Imports a certificate or a certificate chain

Options:
 -noprompt               do not prompt
 -trustcacerts           trust certificates from cacerts
 -protected              password through protected mechanism
 -alias <alias>          alias name of the entry to process
 -file <file>            input file name
 -keypass <arg>          key password
 -keystore <keystore>    keystore name
 -cacerts                access the cacerts keystore
 -storepass <arg>        keystore password
 -storetype <type>       keystore type
 -providername <name>    provider name
 -addprovider <name>     add security provider by name (e.g. SunPKCS11)
   [-providerarg <arg>]    configure argument for -addprovider
 -providerclass <class>  add security provider by fully-qualified class name
   [-providerarg <arg>]    configure argument for -providerclass
 -providerpath <list>    provider classpath
 -v                      verbose output


Example:

# import certification authority reply file
keytool -importcert -alias adi -keystore https.keystore -storepass someP@ssword -file <certification authority reply file>
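The three steps above run end to end, as an added example that is not part of the Decision Insight documentation. A throwaway local CA (keytool -gencert, the command the page refers to) stands in for the real certification authority so the script runs offline; in production the sign_csr step is replaced by sending https.csr to your CA. The hostname, passwords, aliases and working directory are assumptions, and the script needs a JDK so that keytool is on the PATH. After the import it lists the key store and checks what the page requires: exactly one private key entry, a certificate chain, the SAN, and the key size.

```shell
#!/bin/sh
# Added example (not from the Decision Insight docs): the page's keytool flow
# run end to end with a stand-in local CA, then checked. All names, passwords
# and paths below are assumptions.
set -eu

STOREPASS='someP@ssword'            # assumed; PKCS12 uses one password for store and key
HOST='adi.example.internal'         # assumed FQDN of the node, carried in the SAN
WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/https.keystore"           # the node's HTTPS key store
CA_KS="$WORK/ca.p12"                # the stand-in CA's own key store
LISTING="$WORK/listing.txt"         # keytool -list -v output, parsed by the checks

kt() { keytool "$@" >/dev/null; }   # quiet wrapper; stderr is kept so warnings show

# Stand-in CA: key pair plus self-signed CA certificate (CA:true, keyCertSign).
make_local_ca() {
  kt -genkeypair -alias localca -dname 'CN=Example Local CA' \
     -keystore "$CA_KS" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS" \
     -keyalg RSA -keysize 3072 -validity 3650 \
     -ext bc:c -ext ku:c=keyCertSign,cRLSign
  kt -exportcert -rfc -alias localca -keystore "$CA_KS" -storepass "$STOREPASS" \
     -file "$WORK/ca.pem"
}

# Step 1 of the page: key store and key pair (2048-bit RSA, PKCS12, one password).
make_node_key() {
  kt -genkeypair -alias adi -dname "CN=$HOST" \
     -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS" \
     -keyalg RSA -keysize 2048
}

# Step 2 of the page: certificate signing request carrying the SAN.
make_csr() {
  kt -certreq -alias adi -keystore "$KS" -storepass "$STOREPASS" \
     -ext "SAN=dns:$HOST" -file "$WORK/https.csr"
}

# The real CA's job, done here with keytool -gencert. -gencert does not copy the
# request's extensions unless told to, so SAN, key usage and extended key usage
# are set explicitly; -rfc writes a PEM reply, validity is 825 days.
sign_csr() {
  kt -gencert -alias localca -keystore "$CA_KS" -storepass "$STOREPASS" \
     -infile "$WORK/https.csr" -outfile "$WORK/https.crt" -rfc -validity 825 \
     -ext "SAN=dns:$HOST" -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth
}

# Step 3 of the page: import the reply. keytool must chain the reply to a
# trusted certificate, so the CA certificate goes in first as a trusted
# certificate entry (not a key) and is removed again once the chain is stored
# with the key entry. The listing is forced to English so the checks can parse it.
import_reply() {
  kt -importcert -noprompt -alias localca -keystore "$KS" -storepass "$STOREPASS" -file "$WORK/ca.pem"
  kt -importcert -noprompt -alias adi     -keystore "$KS" -storepass "$STOREPASS" -file "$WORK/https.crt"
  kt -delete -alias localca -keystore "$KS" -storepass "$STOREPASS"
  keytool -J-Duser.language=en -list -v -keystore "$KS" -storepass "$STOREPASS" > "$LISTING"
}

# Checks, parsed from the keytool -list -v output.
private_key_entries() { grep -c '^Entry type: PrivateKeyEntry' "$LISTING" || true; }
total_entries()       { sed -n 's/^Your keystore contains \([0-9]*\) entr.*/\1/p' "$LISTING"; }
chain_length()        { sed -n 's/^Certificate chain length: \([0-9]*\).*/\1/p' "$LISTING" | head -n 1; }
has_san_dns()         { grep -q "DNSName: $1" "$LISTING"; }
# "Subject Public Key Algorithm: 2048-bit RSA key" is printed by newer keytool
# versions only; older ones report "unknown" here.
key_bits() {
  b="$(sed -n 's/^Subject Public Key Algorithm: \([0-9]*\)-bit.*/\1/p' "$LISTING" | head -n 1)"
  echo "${b:-unknown}"
}

run_demo() { make_local_ca; make_node_key; make_csr; sign_csr; import_reply; }

if command -v keytool >/dev/null 2>&1; then
  run_demo
  echo "key store:     $KS"
  echo "private keys:  $(private_key_entries) (the node requires exactly 1)"
  echo "entries:       $(total_entries)"
  echo "chain length:  $(chain_length)"
  echo "key size:      $(key_bits) bits"
  if has_san_dns "$HOST"; then echo "SAN:           dns:$HOST present"; else echo "SAN:           MISSING"; fi
else
  echo "keytool not found (install a JDK); nothing was run" >&2
fi
```

Run it with sh; it leaves the key store and the CA material in a fresh temporary directory (or in $WORK if set). The CA certificate is imported as a trusted entry only long enough for keytool to establish the chain, then deleted, so the resulting key store holds the single key entry the node expects, with its two-certificate chain stored alongside it.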
