Generating a Java Keystore using SSL certificate, Private Key and Intermediate Certificate for HTTPS

Working with certificates can be a little confusing at times. This article gives a brief overview of the steps for creating a Java keystore (JKS) from a private key and a certificate signed by a certificate authority.

It also covers how the steps change when intermediate and root certificates are involved.

Step 1: Generate Private Key and Certificate Signing Request (CSR)

The openssl command can be used to generate a private key and a Certificate Signing Request (CSR). Many online guides show how to do this with openssl for a given requirement, and the openssl documentation has the full details.

Step 2: Send the CSR to a Certificate Authority (CA) and obtain a Certificate

The generated CSR can be sent to a certificate authority such as DigiCert or VeriSign, which will return a signed certificate, usually as a .cer or .crt file.

Step 3: Generate the JKS using the Private Key and the Certificate from the CA

First we need to bundle the private key and the obtained certificate into a PKCS12 archive. The following command can be used for this:

openssl pkcs12 -export -inkey <GENERATED_PRIVATE_KEY>.key -in <CERTIFICATE_FROM_CA>.cer -out certificate.pkcs12

Next, this bundled archive can be used to generate the Java keystore with the following command (-deststoretype JKS is given explicitly because keytool on Java 9 and later writes PKCS12 by default, regardless of the .jks extension):

keytool -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore <NAME_OF_JKS>.jks -deststoretype JKS

Working with Intermediate and Root Certificates

Say you have already obtained a root certificate for <YOUR_DOMAIN>.com. Let's call it example.com. Now you plan on obtaining a certificate for <YOUR_SUB_DOMAIN>.<YOUR_DOMAIN>.com. Let's call that sub-ex.example.com. You now have two separate certificates for these two domains. If you were to generate the JKS using only the sub-ex.example.com certificate, it may not fully work in some scenarios. For this purpose, CAs provide us with intermediate certificates.

An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.

(source: ssl.com)

So these intermediate certificates chain the root certificate to the certificate issued to you. In this case they chain the example.com certificate to the sub-ex.example.com certificate. The relevant intermediate certificate will be provided to you by the CA when you purchase the SSL certificate.

If this is the case, Step 3 cannot be done as above. Instead, the following two steps need to be carried out.

Step 3a: Concatenate the certificate, the intermediate certificates and the root certificate to form one certificate.txt file

cat <YOUR_CERTIFICATE>.cer <INTERMEDIATE_CERTIFICATES>.cer <ROOT_CERTIFICATE>.cer > certificate.txt

Step 3b: Generate the JKS using the Private Key and the concatenated certificate file

As above, bundle the private key and the concatenated certificate file into a PKCS12 archive with the following command:

openssl pkcs12 -export -inkey <GENERATED_PRIVATE_KEY>.key -in certificate.txt -out certificate.pkcs12

NOTE: Here certificate.txt is the concatenated certificate file from Step 3a.

Next, this bundled archive can be used to generate the Java keystore (again with -deststoretype JKS so that a JKS file is produced on Java 9 and later):

keytool -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore <NAME_OF_JKS>.jks -deststoretype JKS

The generated Java keystore can now be used to secure your application or environment with HTTPS.
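The whole procedure from Step 1 through Step 3b, as an added, runnable example that is not part of the original article. Because a real CA is not available offline, the script first builds a throwaway root and intermediate CA with openssl and issues a leaf certificate from them; in real use only the leaf key and CSR are yours and the root and intermediate come from the CA. It then concatenates the certificates leaf-first as in Step 3a, builds the PKCS12 as in Step 3b, checks that all three certificates are inside the archive and that the leaf verifies back to the root, and converts the archive to a JKS when keytool is on PATH. All names (example-root, example-int, sub-ex.example.com, the alias sub-ex, the password changeit) are constructed for the demo. Two details the article's commands leave implicit: -name sets the keystore alias (without it keytool shows the entry as "1"), and openssl picks the certificate that matches the private key as the end-entity entry and stores the rest as its chain.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a throwaway
# root -> intermediate -> leaf chain with openssl, concatenates it (Step 3a),
# bundles it into a PKCS12 with the leaf's private key (Step 3b) and, when
# keytool is available, converts that into a JKS. All names and the
# password "changeit" are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate: $1 = CSR, $2 = extension file, $3 = output file,
# remaining args are either "-signkey KEY" (self-signed) or "-CA ... -CAkey ...".
sign_cert() {
    csr="$1"; ext="$2"; out="$3"; shift 3
    openssl x509 -req -in "$csr" -days 2 -extfile "$ext" -out "$out" "$@"
}

# Build the demo chain. In real use only leaf.key and leaf.csr are yours
# (that is Step 1); root.cer and int.cer are what the CA hands you.
make_demo_chain() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sub-ex.example.com\n' > leaf.ext
    # A private key and a CSR for each party (Step 1 for the leaf).
    openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=example-root"
    openssl req -newkey rsa:2048 -nodes -keyout int.key  -out int.csr  -subj "/CN=example-int"
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=sub-ex.example.com"
    # Self-signed root; intermediate signed by the root; leaf signed by the intermediate.
    sign_cert root.csr ca.ext   root.cer -signkey root.key
    sign_cert int.csr  ca.ext   int.cer  -CA root.cer -CAkey root.key -CAcreateserial
    sign_cert leaf.csr leaf.ext leaf.cer -CA int.cer  -CAkey int.key  -CAcreateserial
}

# Step 3a: your certificate first, then the intermediate(s), then the root.
concat_chain() {
    cat "$WORK/leaf.cer" "$WORK/int.cer" "$WORK/root.cer" > "$WORK/certificate.txt"
}

# Step 3b: bundle the private key and the concatenated chain into a PKCS12.
# openssl uses the certificate matching the key as the end-entity entry and
# keeps the others as its chain. -name sets the alias keytool will show;
# -passout supplies the export password non-interactively.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/certificate.txt" \
        -name sub-ex -passout pass:changeit -out "$WORK/certificate.pkcs12"
}

# Check: number of certificates stored in the archive (3 for this chain).
count_certs_in_pkcs12() {
    openssl pkcs12 -in "$WORK/certificate.pkcs12" -nokeys -passin pass:changeit \
        | grep -c 'BEGIN CERTIFICATE'
}

# Check: the leaf validates up to the root through the intermediate.
verify_chain() {
    openssl verify -CAfile "$WORK/root.cer" -untrusted "$WORK/int.cer" "$WORK/leaf.cer"
}

# Convert to a JKS when keytool (from a JDK) is on PATH. Java 9+ keytool
# writes PKCS12 by default, so -deststoretype JKS asks for a real JKS file.
build_jks() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found, skipping JKS conversion" >&2
        return 0
    fi
    keytool -importkeystore -srckeystore "$WORK/certificate.pkcs12" -srcstoretype PKCS12 \
        -srcstorepass changeit -destkeystore "$WORK/sub-ex.jks" -deststoretype JKS \
        -deststorepass changeit -noprompt
    # Expect a single PrivateKeyEntry "sub-ex" with "Certificate chain length: 3".
    keytool -list -v -keystore "$WORK/sub-ex.jks" -storepass changeit \
        | grep -E 'Alias name|Entry type|Certificate chain length'
}

make_demo_chain
concat_chain
build_pkcs12
echo "certificates in PKCS12: $(count_certs_in_pkcs12)"
verify_chain
build_jks
```

To adapt the script to a real certificate, drop make_demo_chain and point the cat line at the .cer files you received from the CA, keeping the same order. If keytool -list shows a chain length of 1, the intermediate was not picked up and the server will present an incomplete chain to clients.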

Good Luck!