Generating a Java Keystore using SSL certificate, Private Key and Intermediate Certificate for HTTPS

Working with certificates can be a little confusing at times. This article aims to help give a brief understanding about the steps in creating a java keystore with the private key and a certificate signed by a certificate authority.

The article also discusses about how this changes when working with intermediate certificates and root certificates.

Step 1: Generate Private Key and Certificate Signing Request (CSR)

The openssl command can be used to generate a Private Key and Certificate Signing Request (CSR). A simple google search can reveal many articles on how to generate a Private Key and CSR using openssl based on the requirement, and more information can be gathered from the openssl documentation.

Step 2: Send the CSR to a Certificate Authority (CA) and obtain a Certificate

The generated CSR can be sent to a certificate authority such as DigiCert, VeriSign etc. and they will provide you with a certificate either in a .cer or .crt format.

Step 3: Generate the JKS using the Private Key and the Certificate from the CA

First we need to bundle the Private Key and the Obtained Certificate to form a pkcs12 archive. The following command can be used for this

openssl pkcs12 -export -inkey <GENERATED_PRIVATE_KEY>.key -in <CERTIFICATE_FROM_CA>.cer -out certificate.pkcs12

Next this bundled archive can be used to generate the java keystore with the following command.

keytool -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore <NAME_OF_JKS>.jks

Working with Intermediate and Root Certificates

Say you have already obtained a root certificate for <YOUR_DOMAIN>.com. Let’s call it as example.com. Now you plan on obtaining a certificate for <YOUR_SUB_DOMAIN>.<YOUR_DOMAIN>.com. Let’s call that as sub-ex.example.com. Now you have two separate certificates for these two domains. If you were to generate the JKS using only the sub-ex.example.com certificate, it may not fully work in some scenarios. For this purpose, CA’s provide us with intermediate certificates.

An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate and ending with the SSL certificate issued to you. Such certificates are called chained root certificates

-ssl.com-   

So these intermediate certificates chain the root certificate with the certificate provided to you. In this case it chains the example.com certificate with the sub-ex.example.com certificate. The relevant intermediate certificate will be provided to you by the CA when you purchase the SSL certificate.

If this is the case, we can not conduct Step 3 as above. Instead the following two steps need to be conducted.

Step 3a: Concatenate the certificate, the intermediate certificates and the root certificate to form one certificate.txt file

cat <YOUR_CERTIFICATE>.cer <INTERMEDIATE_CERTIFICATES>.cer <ROOT_CERTIFICATE>.cer > certificate.txt

Step 3b: Generate the JKS using the Private Key and the concatenated certificate file

As above, bundle the Private Key and the Concatenated Certificate file to form a pkcs12 archive with the following command,

openssl pkcs12 -export -inkey <GENERATED_PRIVATE_KEY>.key -in certificate.txt -out certificate.pkcs12

NOTE: Here certificate.txt is the concatenated certificate file

Next this bundled archive can be used to generate the java keystore.

keytool -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore <NAME_OF_JKS>.jks

Now this generated Java Keystore can be used for securing your application or environment.

Good Luck!

Advertisements