Decision Insight 20220523 (Latest)

How to create a key store for HTTPS communication?

This page explains the case where your certificate needs to be signed by a certification authority. More information is available here: http://docs.oracle.com/javase/tutorial/security/sigcert/index.html#GenCSR.

The key store for HTTPS communication must contain only one key (one private key entry). If several keys exist in the key store, the node will fail to start.

Create a key store and a cryptographic key

A new key store is created when a cryptographic key is created (an empty key store cannot be created). A cryptographic key is created with the -genkeypair command:

keytool -genkeypair [OPTION]...
Generates a key pair

Options:
 -alias <alias>            alias name of the entry to process
 -keyalg <alg>             key algorithm name
 -keysize <size>           key bit size
 -sigalg <alg>             signature algorithm name
 -destalias <alias>        destination alias
 -dname <name>             distinguished name
 -startdate <date>         certificate validity start date/time
 -ext <value>              X.509 extension
 -validity <days>          validity number of days
 -keypass <arg>            key password
 -keystore <keystore>      keystore name
 -storepass <arg>          keystore password
 -storetype <type>         keystore type
 -providername <name>      provider name
 -addprovider <name>       add security provider by name (e.g. SunPKCS11)
   [-providerarg <arg>]      configure argument for -addprovider
 -providerclass <class>    add security provider by fully-qualified class name
   [-providerarg <arg>]      configure argument for -providerclass
 -providerpath <list>      provider classpath
 -v                        verbose output
 -protected                password through protected mechanism

Security concerns:
- keysize: must be at least 2048 bits (for RSA).
- storepass/keypass: should be different. Be aware that for a PKCS12 key store keytool does not support a key password that differs from the store password: it prints a warning and uses the store password for the key. In practice the store password then protects the private key, so treat it as the key password and restrict access to the key store file.
- storetype: use PKCS12 (industry standard format) instead of JKS (proprietary format and less secure).
- validity: the -validity given to -genkeypair only applies to the self-signed placeholder certificate, which is replaced when the reply of the certification authority is imported; the validity that matters is the one set by the certification authority.
Example:

keytool -genkeypair -alias adi -dname "CN=adihost" -keystore https.keystore -storepass someP@ssword -storetype PKCS12 -keypass myKeyP@ssword -keyalg RSA -keysize 2048

Export the certificate signing request

A certificate signing request is created with the -certreq command:

keytool -certreq [OPTION]...
Generates a certificate request

Options:
 -alias <alias>            alias name of the entry to process
 -sigalg <alg>             signature algorithm name
 -file <file>              output file name
 -keypass <arg>            key password
 -keystore <keystore>      keystore name
 -dname <name>             distinguished name
 -ext <value>              X.509 extension
 -storepass <arg>          keystore password
 -storetype <type>         keystore type
 -providername <name>      provider name
 -addprovider <name>       add security provider by name (e.g. SunPKCS11)
   [-providerarg <arg>]      configure argument for -addprovider
 -providerclass <class>    add security provider by fully-qualified class name
   [-providerarg <arg>]      configure argument for -providerclass
 -providerpath <list>      provider classpath
 -v                        verbose output
 -protected                password through protected mechanism

Example:

keytool -certreq -alias adi -keystore https.keystore -storetype PKCS12 -storepass someP@ssword -keypass myKeyP@ssword -file https.csr

Send the resulting file (https.csr) to a certification authority. To have the SAN extension requested in the CSR, add -ext SAN=dns:<FQDN of the server> to the -certreq command; the certification authority may honour or override the requested extensions. (-storetype PKCS12 is given explicitly because the default store type of JDK 8 is JKS.)

Certificate generation concern

When the signed certificate is received, check it before importing it:
- validity: the period during which the certificate is valid. If you sign the request yourself with the keytool -gencert command, set it with the -validity attribute, e.g. -validity 3650 (days).
- extension: SAN (Subject Alternative Name) is a mandatory certificate extension for the majority of browsers, which match the host name against the SAN and not against the CN. If it is not present, the browser warns the user and marks the connection as not secure. It can contain the FQDN of the server (dns:) or an IP address (ip:), several entries separated by commas. If you sign the request yourself with keytool -gencert, set it with the -ext attribute, e.g. -ext SAN=dns:my.fqn.axway.int.

Import the reply of the certification authority

The reply of the certification authority needs to be imported with the -importcert command, under the same alias as the key (here adi), so that it replaces the self-signed certificate attached to that key:

keytool -importcert [OPTION]...
Imports a certificate or a certificate chain

Options:
 -noprompt                 do not prompt
 -trustcacerts             trust certificates from cacerts
 -protected                password through protected mechanism
 -alias <alias>            alias name of the entry to process
 -file <file>              input file name
 -keypass <arg>            key password
 -keystore <keystore>      keystore name
 -cacerts                  access the cacerts keystore
 -storepass <arg>          keystore password
 -storetype <type>         keystore type
 -providername <name>      provider name
 -addprovider <name>       add security provider by name (e.g. SunPKCS11)
   [-providerarg <arg>]      configure argument for -addprovider
 -providerclass <class>    add security provider by fully-qualified class name
   [-providerarg <arg>]      configure argument for -providerclass
 -providerpath <list>      provider classpath
 -v                        verbose output

Example:

# import certification authority reply file
keytool -importcert -alias adi -keystore https.keystore -storetype PKCS12 -storepass someP@ssword -file <certification authority reply file>

keytool must be able to build a chain from the reply up to a trusted root certificate, otherwise the import fails with "Failed to establish chain from reply". Either the reply file contains the complete chain (a PKCS#7 file or concatenated PEM certificates), or the root and intermediate certificates of the certification authority must already be trusted: add -trustcacerts to use the cacerts store of the JDK, or import them first into https.keystore under their own aliases. Such trusted certificate entries are not keys, so the store still contains only one key.
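The whole procedure above, as an added example that is not part of the Decision Insight documentation: it generates the key pair in a PKCS12 store, produces the CSR with the SAN requested, has the request signed, imports the reply and then runs the checks a practitioner wants before starting the node (exactly one private key entry, the reply actually installed, the SAN present). A throwaway CA built with keytool -gencert stands in for the real certification authority so the signing and import steps can be run offline. The alias adi, the file name https.keystore, the password and the FQDN my.fqn.axway.int are the page's; the test CA, its key store name and the basicConstraints/EKU extensions it sets are this example's own assumptions, and a JDK keytool on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the Decision Insight documentation. Assumes keytool
# (JDK 8 or later) on the PATH. The "Test CA" replaces the real certification
# authority only so that the flow can be exercised end to end offline.
set -eu

STOREPASS="someP@ssword"            # placeholder from the page; use a real secret
HOST="my.fqn.axway.int"             # the server's FQDN, goes into the SAN
WORK="$(mktemp -d)"
KS="$WORK/https.keystore"           # the HTTPS key store: exactly one private key
CAKS="$WORK/testca.keystore"        # stand-in for the certification authority (assumption)

# Step 1: key pair in a fresh PKCS12 store. keytool ignores a -keypass that
# differs from -storepass for PKCS12 (it warns and uses the store password),
# so the two are set equal here instead of pretending they are separate.
make_server_key() {
  keytool -genkeypair -alias adi -dname "CN=$HOST" \
    -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 90
}

# Step 2: CSR that asks for the SAN (a real CA may honour or override it).
make_csr() {
  keytool -certreq -alias adi -keystore "$KS" -storetype PKCS12 \
    -storepass "$STOREPASS" -ext "SAN=dns:$HOST" -file "$WORK/https.csr"
}

# Step 3, in place of "send the CSR to a certification authority": a local CA
# signs it with -gencert. -validity and -ext SAN are the two things the page
# says to check in the reply; -ext honored=all would copy the SAN from the CSR
# instead of setting it explicitly.
sign_with_test_ca() {
  keytool -genkeypair -alias testca -dname "CN=Test CA (constructed)" \
    -keystore "$CAKS" -storetype PKCS12 -storepass "$STOREPASS" \
    -keyalg RSA -keysize 2048 -validity 3650 -ext bc:c
  keytool -exportcert -rfc -alias testca -keystore "$CAKS" -storetype PKCS12 \
    -storepass "$STOREPASS" -file "$WORK/testca.pem"
  keytool -gencert -alias testca -keystore "$CAKS" -storetype PKCS12 \
    -storepass "$STOREPASS" -infile "$WORK/https.csr" -outfile "$WORK/https.pem" \
    -rfc -validity 3650 -ext "SAN=dns:$HOST" -ext "EKU=serverAuth"
}

# Step 4: import. The issuer must be trusted, or keytool rejects the reply with
# "Failed to establish chain from reply"; the CA certificate therefore goes in
# first under its own alias (a trusted-certificate entry, not a key). The reply
# is then imported under the key's alias and replaces the self-signed cert.
# The trusted entry is deleted afterwards: the chain now lives in the key entry.
import_reply() {
  keytool -importcert -noprompt -alias testca -file "$WORK/testca.pem" \
    -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias adi -file "$WORK/https.pem" \
    -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS"
  keytool -delete -alias testca -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS"
}

# Checks before handing the store to the node.
count_private_keys() {   # must print 1: the page's "only one key" rule
  keytool -list -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS" \
    | grep -c "PrivateKeyEntry" || true
}
chain_length() {         # 2 = server cert + CA cert; 1 means the reply was never imported
  keytool -list -v -alias adi -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS" \
    | sed -n 's/^Certificate chain length: //p'
}
has_san() {              # the SAN entry browsers insist on
  keytool -list -v -alias adi -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS" \
    | grep -q "DNSName: $HOST"
}

run_all() {
  make_server_key
  make_csr
  sign_with_test_ca
  import_reply
}

# Usage: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
  run_all
  echo "store: $KS  private keys: $(count_private_keys)  chain length: $(chain_length)"
  has_san && echo "SAN dns:$HOST present"
fi
```

With a real certification authority, replace sign_with_test_ca by sending https.csr and receiving the reply, and replace testca.pem by the CA's root (and intermediate) certificates, or use -trustcacerts when they are already in the JDK cacerts store; the three checks stay the same. Deleting the trusted entry after the import is optional, it just keeps the store down to the one entry the node needs.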