Creating a key and trust store with JSSE in Java

Server Keystore and Truststore:

  1. Open a command window.
  2. Go to your private directory under your web application directory.
    E.g. c:\Tomcat 4.1\webapps\CSI5389\private>
  3. Type the following command to create a keystore for the server. The keystore will have a private key associated with it.
    keytool -genkey -alias taserver -keyalg RSA -keystore server [Return]

It will ask for the following parameter values (the value in brackets is the default; type the answer shown):

Enter keystore password: <password1>

What is your first and last name?
  [Unknown]: taserver

What is the name of your organizational unit?
  [Unknown]: SITE

What is the name of your organization?
  [Unknown]: University of Ottawa

What is the name of your City or Locality?
  [Unknown]: Ottawa

What is the name of your State or Province?
  [Unknown]: Ontario

What is the two-letter country code for this unit?
  [Unknown]: CA

Is CN=taserver, OU=SITE, O="University of Ottawa", L=Ottawa, ST=Ontario, C=CA correct?
  [no]: yes

Enter key password for <taserver>
  (RETURN if same as keystore password): <Return>

  4. Type the following command to export the self-signed certificate:
    keytool -export -alias taserver -keystore server -rfc -file taserver.cer [Return]

    Enter keystore password: <password1>

  5. Copy the self-signed certificate into the directory Java_home\Jre\Lib\Security.
  6. Change your directory to Java_home\Jre\Lib\Security>
  7. Import the self-signed certificate into a trust store:
    keytool -import -alias ca -file taserver.cer -keystore cacerts -storepass changeit [Return]

    Trust this certificate? [no]: yes

    [Here we are importing the self-signed certificate into the truststore under the alias ca. The default password of cacerts is changeit.]

  8. If you make a mistake, you can delete the alias ca from the truststore cacerts with the following command, and then repeat step 7:
    keytool -delete -alias ca -keystore cacerts -storepass changeit [Return]
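Step 7 above imports the server certificate into the JRE's own cacerts file, so every Java program run with that JRE trusts it from then on. An application that should only trust its own peers can instead keep a private truststore. The Java program below is an added example, not part of the original tutorial: it performs the same import as keytool -import programmatically, reading the exported taserver.cer and writing it under alias ca into an application-specific truststore file. The file name truststore and its password changeit are assumptions chosen here, as is the class name.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Programmatic equivalent of
 *   keytool -import -alias ca -file taserver.cer -keystore truststore -storepass changeit
 * writing to a private truststore file instead of the JRE-wide cacerts.
 */
public class BuildTrustStore {

    /** Reads a certificate file as written by "keytool -export" (PEM with -rfc, or DER). */
    static X509Certificate readCertificate(String path) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Adds cert under alias to the truststore at storePath, creating the store if it
     * does not exist yet. Returns the number of trusted-certificate entries afterwards.
     */
    static int importTrustedCert(String storePath, char[] storePass, String alias, X509Certificate cert)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        File f = new File(storePath);
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) { ts.load(in, storePass); }
        } else {
            ts.load(null, storePass);   // start from an empty store
        }
        // keytool asks "Trust this certificate?" before importing; here we at least check
        // that a self-signed certificate really carries a valid signature under its own key.
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        if (selfSigned) {
            cert.verify(cert.getPublicKey());
        }
        ts.setCertificateEntry(alias, cert);      // trusted-certificate entry, no private key
        try (OutputStream out = new FileOutputStream(f)) { ts.store(out, storePass); }

        int count = 0;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements(); ) {
            if (ts.isCertificateEntry(e.nextElement())) count++;
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        String certFile = args.length > 0 ? args[0] : "taserver.cer";   // exported in step 4
        X509Certificate cert = readCertificate(certFile);
        // Print what is about to be trusted, the operator's replacement for the keytool prompt.
        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Issuer  : " + cert.getIssuerX500Principal());
        System.out.println("Valid   : " + cert.getNotBefore() + " .. " + cert.getNotAfter());

        // "truststore" and "changeit" are assumed names for this example's private store.
        int n = importTrustedCert("truststore", "changeit".toCharArray(), "ca", cert);
        System.out.println("truststore now holds " + n + " trusted certificate(s)");
    }
}
```

Run it from the private directory after step 4 (java BuildTrustStore taserver.cer); the resulting file can be checked with keytool -list -keystore truststore -storepass changeit. Because the store is private to the application, a mistaken import affects only that application and is undone by deleting the file rather than editing cacerts.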

Client Keystore and Truststore:

  1. Open a command window.
  2. Go to your private directory under your web application directory.
    E.g. c:\Tomcat 4.1\webapps\CSI5389\private>
  3. Type the following command to create a keystore for the client. The keystore will have a private key associated with it.
    keytool -genkey -alias taclient -keyalg RSA -keystore client [Return]

It will ask for the following parameter values (the value in brackets is the default; type the answer shown):

Enter keystore password: <password2>

What is your first and last name?
  [Unknown]: taclient

What is the name of your organizational unit?
  [Unknown]: SITE

What is the name of your organization?
  [Unknown]: University of Ottawa

What is the name of your City or Locality?
  [Unknown]: Ottawa

What is the name of your State or Province?
  [Unknown]: Ontario

What is the two-letter country code for this unit?
  [Unknown]: CA

Is CN=taclient, OU=SITE, O="University of Ottawa", L=Ottawa, ST=Ontario, C=CA correct?
  [no]: yes

Enter key password for <taclient>
  (RETURN if same as keystore password): <Return>

  4. Type the following command to export the self-signed certificate:
    keytool -export -alias taclient -keystore client -rfc -file taclient.cer [Return]

    Enter keystore password: <password2>

  5. Copy the self-signed certificate into the directory Java_home\Jre\Lib\Security.
  6. Change your directory to Java_home\Jre\Lib\Security>
  7. Import the self-signed certificate into the same trust store:
    keytool -import -alias ca1 -file taclient.cer -keystore cacerts -storepass changeit [Return]

    Trust this certificate? [no]: yes

    [Here we are importing the self-signed certificate into the truststore under the alias ca1. The default password of cacerts is changeit.]

  8. If you make a mistake, you can delete the alias ca1 from the truststore cacerts with the following command, and then repeat step 7:
    keytool -delete -alias ca1 -keystore cacerts -storepass changeit [Return]
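After both sections, the keystore server holds the server's private key, the keystore client holds the client's private key, and the truststore holds both self-signed certificates (aliases ca and ca1). The Java program below is an added example, not code from the original tutorial, showing how JSSE consumes these files: each side gets an SSLContext built from its own keystore (KeyManagerFactory) and the shared truststore (TrustManagerFactory), the server demands a client certificate, and the two sides complete a mutually authenticated TLS handshake over localhost. The passwords password1 and password2 stand for the tutorial's placeholders and the truststore path defaults to a file named cacerts in the current directory; these, and the class name, are assumptions of this example.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Mutual TLS between the "server" and "client" keystores created with keytool. */
public class MutualTlsDemo {

    /** Loads a keystore file written by keytool -genkey (JKS or PKCS12). */
    static KeyStore loadKeyStore(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    /**
     * One party's SSLContext: its own private key and certificate from keyStorePath,
     * the peer certificates it is willing to trust from trustStorePath.
     * The key password equals the keystore password, as chosen with <Return> in step 3.
     */
    static SSLContext buildContext(String keyStorePath, char[] keyPass,
                                   String trustStorePath, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keyStorePath, keyPass), keyPass);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStorePath, trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values standing in for the tutorial's <password1>, <password2> and cacerts location.
        char[] serverPass = "password1".toCharArray();
        char[] clientPass = "password2".toCharArray();
        String trustStore = args.length > 0 ? args[0] : "cacerts";
        char[] trustPass = "changeit".toCharArray();

        SSLContext serverCtx = buildContext("server", serverPass, trustStore, trustPass);
        SSLContext clientCtx = buildContext("client", clientPass, trustStore, trustPass);

        SSLServerSocket ss = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        ss.setNeedClientAuth(true);   // handshake fails unless the client presents a trusted certificate (alias ca1)

        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) ss.accept()) {
                // The authenticated peer identity comes from the client keystore's certificate (CN=taclient).
                System.out.println("server: client is " + s.getSession().getPeerPrincipal()
                        + " via " + s.getSession().getCipherSuite());
                BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream()));
                PrintWriter w = new PrintWriter(s.getOutputStream(), true);
                w.println("echo: " + r.readLine());
            } catch (Exception e) {
                System.err.println("server: handshake failed: " + e);
            }
        });
        server.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", ss.getLocalPort())) {
            c.startHandshake();   // verifies the server certificate against the truststore (alias ca)
            System.out.println("client: server is " + c.getSession().getPeerPrincipal());
            PrintWriter w = new PrintWriter(c.getOutputStream(), true);
            BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream()));
            w.println("hello over mutual TLS");
            System.out.println("client: got '" + r.readLine() + "'");
        }
        server.join();
        ss.close();
    }
}
```

Run it from the private directory that holds the server and client keystores, passing the path to the truststore as the first argument if it is not in the current directory. If either certificate is missing from the truststore the handshake fails on that side with an SSLHandshakeException, which is exactly what step 7 of each section prevents. Note that a plain SSLSocket checks the peer certificate against the truststore but does not compare the certificate's CN with the hostname; with a self-signed certificate trusted directly this is acceptable because only that exact certificate is accepted, whereas a CA-issued certificate would additionally need endpoint identification enabled via SSLParameters.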