java - How to create a certificate with keytool?

Question

I've looked in 4 (yes, four) tutorials already and still don't get how to get this working.

After setting a second HTTP listener configured for HTTPS in my Glassfish 4.1.1 server, I'm trying to create a certificate, so I don't get security errors in my browser. The problem is, that I just don't get keytool working proper; it just messes up and throws strange errors whatever I do. Per example, it doesn't find some of the commands that many guides recommend.

I can guess that the tool changed in Java 8 or something else, I don't really know.

Thing is: I want to create a certificate, export it to my Glassfish server, and have HTTPS correctly implemented and working for testing purposes. What should I do for this?

EDIT: Seriously, I'm in a trouble because of this. I just can't do anything: cacerts password isn't the typical "changeit", I can't get my keys outside the keystore, and therefore I can't do anything with certificates.

Answer 1

If all you need to do is create a pair of self-signed certificates... I may be able to help.

On a Microsoft Windows Machine:

• Create an empty directory and save the below script there (GenTestCerts.ps1).
• Edit the script and change the Alias values (and other variables) to whatever you need.
• Execute the script.

Copy the server (tomcat.server.net.p12) cert to wherever your server expects it to be.

Copy the Trust Store (truststore.p12) to wherever your server expects it to be.

Install the admin (tomcat-admin.p12) cert in your Windows Key Store accepting the Root into your Trusted Root Certification Authorities section.

<#
    This sample Windows PowerShell script will:
        1.) Create a Certificate Authority
        2.) Create a Server Certificate signed by the Certificate Authority
        3.) Create a Client Certificate signed by the Certificate Authority
        4.) Create a TrustStore containing the public Certificate Authority key

    The first section defines variables
    The second section does the work

    All Key Stores are PKCS12

    The Server Certificate includes a Subject Alternative Name
        The command below uses the serverAlias as the serverDNS value, but may be changed to whatever you need

    You just have Java 7 (or higher) installed and keytool in your path
#>

<# Your Organizational Information #>
$organizationalUnit="USN"
$organization="NRL"
$locality="Washington"
$state="DC"
$country="USA"

<# Certificate Alias #>
$authorityAlias="tomcat-root"
$serverAlias="tomcat.server.net"
$clientAlias="tomcat-admin"

<# Subject Alternative Name #>
$serverDNS="$serverAlias"

<# Extensions #>
$certAuthExtension="BasicConstraints:critical=ca:true,pathlen:10000"
$altNameExtension="san=dns:$serverDNS"

<# Trust Store #>
$trustCertName="truststore"

<# Key size and effective period #>
$keySize="4096"
$validity="365"

<# Key and Store Password #>
$certPassword="changeit"

<# ------------------------------------------------------------------------------------------ #>
<# ------------------  Use caution if you change anything below this line  ------------------ #>
<# ------------------------------------------------------------------------------------------ #>

$authorityDN="CN=$authorityAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$serverDN="CN=$serverAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$clientDN="CN=$clientAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"

rm "$authorityAlias.*"
rm "$serverAlias.*"
rm "$clientAlias.*"
rm "$trustCertName.*"

echo ""
echo "Generating the Root Authority Certificate..."
keytool -genkeypair -alias "$authorityAlias" -keyalg RSA -dname "$authorityDN" -ext "$certAuthExtension" `
    -validity "$validity" -keysize "$keySize" -keystore "$authorityAlias.p12" -keypass "$certPassword" `
    -storepass "$certPassword" -deststoretype pkcs12
echo "- Exporting Root Authority Certificate Public Key..."
keytool -exportcert -rfc -alias "$authorityAlias" -file "$authorityAlias.cer" -keypass "$certPassword" `
    -keystore "$authorityAlias.p12" -storepass "$certPassword"

echo ""
echo "Generating the Server Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$serverAlias" -keyalg RSA -dname "$serverDN" `
    -ext "$altNameExtension" -keystore "$serverAlias.p12" -keypass "$certPassword" -storepass "$certPassword" `
    -deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$serverAlias" -ext "$altNameExtension" -keystore "$serverAlias.p12" -file "$serverAlias.csr" `
    -keypass "$certPassword" -storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$serverAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
    -alias "$authorityAlias" -ext "$altNameExtension" -outfile "$serverAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$serverAlias.p12" `
    -storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$serverAlias.p12" -file "$serverAlias.pem" -alias "$serverAlias" -keypass "$certPassword" `
    -storepass "$certPassword" -noprompt
rm "$serverAlias.csr"
rm "$serverAlias.pem"

echo ""
echo "Generating the Client Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$clientAlias" -keyalg RSA -dname "$clientDN" `
    -keystore "$clientAlias.p12" -keypass "$certPassword" -storepass "$certPassword" -deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$clientAlias" -keystore "$clientAlias.p12" -file "$clientAlias.csr" -keypass "$certPassword" `
    -storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$clientAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
    -alias "$authorityAlias" -outfile "$clientAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$clientAlias.p12" `
    -storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$clientAlias.p12" -file "$clientAlias.pem" -alias "$clientAlias" -keypass "$certPassword" `
    -storepass "$certPassword" -noprompt
rm "$clientAlias.csr"
rm "$clientAlias.pem"

echo ""
echo "Generating the Trust Store and put the Client Certificate in it..."
keytool -importcert -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$trustCertName.p12" `
    -storepass "$certPassword" -noprompt

echo ""
echo "Removing Public Key Files..."
rm "$authorityAlias.cer"

Hope this helps.

Best, Ace