How to generate keystore and truststore
How to:

  1. Generate keystore
  2. Generate truststore

To make SSL work between client and server, I need help only with generating the keystore and truststore for mutual authentication: a step-by-step guide with terminal commands (keytool and openssl).

Willms answered 22/11, 2017 at 12:34 Comment(3)
The specific configuration would depend on the software you are using on the server and client end. Without further information on your specific setup, we could provide generic advice at most. - Dercy
Thanks for the reply. I've changed the question. I've fresh-installed an Ubuntu 16 server machine. For making an SSL connection between apps, first I need help to generate the keystore, sign the certificate and build the truststore; the rest of the connection I'll do. - Willms
You may want to check out this question or maybe this or this page for info on creating a keystore and truststore using keytool and openssl. - Dercy

I followed this link.

1. Generate keystore (at server):

keytool -genkey -alias bmc -keyalg RSA -keystore KeyStore.jks -keysize 2048

2. Generate new ca-cert and ca-key:

openssl req -new -x509 -keyout ca-key -out ca-cert

3. Extract the cert / create the certificate signing request (CSR):

keytool -keystore KeyStore.jks -alias bmc -certreq -file cert-file

4. Sign the "cert-file"; cert-signed will be the new cert:

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:yourpass

5. Import the ca-cert into the keystore file:

keytool -keystore KeyStore.jks -alias CARoot -import -file ca-cert

6. Import cert-signed into the keystore:

keytool -keystore KeyStore.jks -alias bmc -import -file cert-signed

7. Copy the ca-cert to the client machine and generate the truststore (at client):

keytool -keystore truststore.jks -alias bmc -import -file ca-cert-s

8. Copy the ca-cert to the server machine and generate the truststore (at server):

keytool -keystore truststore.jks -alias bmc -import -file ca-cert-c

** Repeat steps 1-6 at the client side, and generate the truststore at the server side by importing the client's ca-cert (step 8).

Renamed ca-cert after step 6.

E.g. ca-cert-s is generated at the server side and ca-cert-c at the client, and they are exchanged with each other for generating the truststores.

Willms answered 30/11, 2017 at 4:34 Comment(6)
What does the -alias bmc mean? - Samekh
@KannanRamamoorthy The -alias <keystore alias> option defines an alias for your keystore. More info -> #5725131 - Abdella
Note on -CAcreateserial. It creates a *.srl file to keep track of serial numbers (each signed certificate should have a different one). users.skynet.be/pascalbotte/art/server-cert.htm - Magnate
@Abdella -alias isn't creating an alias for the keystore. It creates an alias within the keystore for the certificate you just imported. To list a certificate you can use keytool -list -v -alias <certificate_alias> -keystore <keystore_filename> - Ito
How do you generate ca-cert-s and ca-cert-c? - Phage
As far as I understood, we have to create truststores in the client with the ca-cert of the server machine and vice versa. By doing that we mean to allow a client with ca-cert-c (which is the ca-cert created in the second step above on the client side) to create a TLS connection with the server (which has a truststore generated with the client's ca-cert-c). Is it correct? @fmsf - Nebraska

For Windows 11 this worked for me:

./keytool.exe -import -file dev.local.crt -keystore dev.local.jks

Found the keytool.exe binary in C:\Program Files (x86)\Java\jre1.8.0_351\bin

Adamsen answered 8/4, 2023 at 18:41 Comment(0)

Using this command I am able to create a truststore file for the given crt file: keytool -import -file -keystore

Seminar answered 6/2, 2023 at 5:39 Comment(0)
