Generate Key From Crt Keytool
Recently I got the request to manually create a Java keystore (.jks) to be used on a Linux-based webserver.
The certificate to be used had two “issues”:
- It was provided as a .pfx file
- It didn’t contain the certificates of the intermediate CAs
Since I use a Windows 10 workstation, I had to ensure that Java was installed, in my case version 1.8.
So, in order to fulfill this request, the following steps were necessary:
For reference, some general keytool commands:
- keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
- Generate a keystore and self-signed certificate: keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
- Check a stand-alone certificate: keytool -printcert -v -file 8gwifi.crt
- keytool -list -v -keystore identity.jks -storepass password
- keytool -v -list -storetype pkcs12 -keystore d:\cert\wildcard.pfx > d:\cert\cert.txt
The -genkey command is the keytool command to generate a key pair containing a public and private key. -alias: the alias for the keystore. Replace intermediate.ca or server.crt with the actual file name. If your certificates are not provided as separate files, create a separate file for each certificate, and paste its contents into the file.
After listing the .pfx file, open the file cert.txt and look for the line starting with “Aliasname:“. You’ll need it in the next step.
The ImportPrivateKey utility is used to load a private key into a private keystore file. You can use the CertGen utility to create a .key (testkey) and .crt (testcert) and then use the ImportPrivateKey utility to create a .jks file.
- Create a folder to collect all necessary files in. In my case, this was d:\cert.
- Copy the following files to this folder
- The source .pfx file.
- The certificate of the root CA of the certificate.
- The certificate(s) of all intermediate CAs existing in the trust chain of the certificate.
In my case the folder contained the following files:
- wildcard.pfx
- AddTrustExternalCARoot.crt
- COMODORSAAddTrustCA.crt
- COMODORSAOrganizationValidationSecureServerCA.crt
Now, we’ll use the keytool command inside the Java installation folder (in my case C:\Program Files\Java\jre1.8.0_201\bin) to create the keystore and put all necessary files in there.
The first command puts the root CA’s certificate into the keystore. Since the key store doesn’t exist, it will create it automatically:
Note: Please replace the “xxx” behind “-storepass” with a reasonable password.
Now we import the other two CA certificates the same way:
In order to import the certificate, we first have to reveal the alias used. To do so, run the following command:
Open the file cert.txt and look for the line starting with “Aliasname:“. You’ll need it in the next step.
The last step is now to import the certificate and its private key into the keystore by running the following command:
Note: Please replace the “qqq” behind “-srcalias” with the alias you noted in the previous step, and the “xxx” behind “-deststorepass” with the password for the .jks file.
Now you can import the file to the destination machine and configure the web server to use it.
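The steps above as one PowerShell script, added here as an example and not taken from the original post. The keystore file name keystore.jks and the CA aliases root, intermediate1 and intermediate2 are assumptions; xxx is the password placeholder from the notes above, and the alias ("qqq") is asked for once cert.txt has been written.

```powershell
# Added example: build the .jks from the files collected in d:\cert.
$keytool   = 'C:\Program Files\Java\jre1.8.0_201\bin\keytool.exe'
$dir       = 'd:\cert'
$pfx       = Join-Path $dir 'wildcard.pfx'
$jks       = Join-Path $dir 'keystore.jks'   # assumed file name
$storePass = 'xxx'                           # placeholder, replace it
# If -storepass / -deststorepass are left out, keytool prompts for the password
# instead, which keeps it out of the command history and the process list.

function Assert-Ok {
    # Stop the script as soon as a keytool call reports a failure.
    if ($LASTEXITCODE -ne 0) { throw "keytool exit code $LASTEXITCODE" }
}

# Root CA first (this call creates the keystore), then the intermediate CAs.
$cas = @(
    @{ Alias = 'root';          File = 'AddTrustExternalCARoot.crt' },
    @{ Alias = 'intermediate1'; File = 'COMODORSAAddTrustCA.crt' },
    @{ Alias = 'intermediate2'; File = 'COMODORSAOrganizationValidationSecureServerCA.crt' }
)
foreach ($ca in $cas) {
    # -noprompt is not used, so keytool can still ask for confirmation.
    & $keytool -import -trustcacerts -alias $ca.Alias `
        -file (Join-Path $dir $ca.File) -keystore $jks -storepass $storePass
    Assert-Ok
}

# Reveal the alias of the key entry inside the .pfx (keytool asks for its password).
$certTxt = Join-Path $dir 'cert.txt'
& $keytool -v -list -storetype pkcs12 -keystore $pfx | Out-File $certTxt
Assert-Ok
Select-String -Path $certTxt -Pattern 'Alias'
$srcAlias = Read-Host 'Alias shown above (the "qqq" value)'

# Import the certificate and its private key into the keystore.
& $keytool -importkeystore -srckeystore $pfx -srcstoretype pkcs12 -srcalias $srcAlias `
    -destkeystore $jks -deststoretype jks -deststorepass $storePass
Assert-Ok

# Check the result: the entry type should be PrivateKeyEntry, and the
# output also reports the length of the certificate chain stored with it.
& $keytool -list -v -keystore $jks -storepass $storePass -alias $srcAlias
Assert-Ok
```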