Generating keystore using JAVA keytool

Overview


keytool is a key and certificate management utility. It lets users administer their own public/private key pairs and the associated certificates, for use in self-authentication (where the user authenticates to other users or services) or in data integrity and authentication services based on digital signatures. It is built on public-key cryptography.


keytool stores the keys and certificates in a so-called keystore. 


A keystore contains two kinds of entries:
             1. Key entries (a private key together with its certificate chain)
             2. Trusted certificate entries (another party's certificate, holding only a public key)


In this post I explain how to use the Java keytool to generate a keystore and a certificate.

Follow the steps below to generate Java keystores for the consumer (A) and the producer (B):

1. Use the command below to generate the consumer keystore:
 keytool -genkeypair -keyalg RSA -keypass welcome1 -keystore consumer_A.jks -storepass welcome1
What is your first and last name?
  [Unknown]:  John
What is the name of your organizational unit?
  [Unknown]:  Smith
What is the name of your organization?
  [Unknown]:  SmithCop
What is the name of your City or Locality?
  [Unknown]:  Mumbai
What is the name of your State or Province?
  [Unknown]:  MH
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=John, OU=Smith, O=SmithCop, L=Mumbai, ST=MH, C=IN correct?
  [no]:  y



The above command creates the keystore file "consumer_A.jks" and, because no -alias was given, stores the new key pair under the default alias "mykey".


Desc:
-keypass is the password that protects the new private key inside the keystore (for example, welcome1); the public key needs no password.

-keystore is the keystore file name (for example, consumer_A.jks).
-storepass is the password that protects the keystore file itself (for example, welcome1).


Note:
You must pass -keyalg RSA explicitly, as shown above: the algorithm keytool used by default for generating the key (DSA) is incompatible with Oracle Web Services Security Manager requirements, and recent JDKs print a warning when -keyalg is omitted. The certificate is self-signed and, unless -validity is given, expires 90 days after creation (as the sample output below shows); for anything beyond a test setup, also set -validity <days> and -keysize 2048 or larger, and prefer -storetype PKCS12 over the proprietary JKS format, which current keytool versions warn about.

2. Export the consumer's certificate (it carries the public key; the private key never leaves the keystore):

C:\>keytool -exportcert -keystore consumer_A.jks -storepass welcome1 -rfc -file A_cert
Certificate stored in file <A_cert>

Desc:
-keystore is the keystore name (for example, consumer_A.jks).
-storepass is the keystore password (for example, welcome1).
-file is the file the certificate is written to (for example, A_cert); -rfc writes it in PEM (Base64) form rather than binary DER.
With no -alias, keytool exports the entry stored under the default alias "mykey", which is the only entry in this keystore.

3. Generate the producer keystore by importing the consumer's certificate as a trusted entry (producer.jks does not exist yet, so keytool creates it; with no -alias the entry is stored as "mykey"):


C:\>keytool -importcert -file A_cert -keystore producer.jks -storepass welcome1
Owner: CN=John, OU=Smith, O=SmithCop, L=Mumbai, ST=MH, C=IN
Issuer: CN=John, OU=Smith, O=SmithCop, L=Mumbai, ST=MH, C=IN
Serial number: 4e9fb035
Valid from: Thu Oct 20 10:53:01 IST 2011 until: Wed Jan 18 10:53:01 IST 2012
Certificate fingerprints:
         MD5:  47:22:51:F0:72:9B:B2:3C:B9:B3:D7:26:66:29:FD:CD
         SHA1: 55:D5:7C:6C:20:A4:03:EA:8B:5C:FD:A8:C4:5F:C4:9F:86:15:1B:40
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 52 2F 76 3E 5F 42 C0 74   0A BA 90 EB BB 1F C5 61  R/v>_B.t.......a
0010: DE 72 46 DC                                        .rF.
]
]

Trust this certificate? [no]:  y
Certificate was added to keystore

Note: 
The producer.jks keystore file is generated in the current directory. Answer "y" only after comparing the fingerprint shown with one obtained from the consumer over a separate channel: whoever holds the private key of a certificate you import as trusted can impersonate that party to the producer, so an unverified import is the point at which a substituted certificate would slip in. The MD5 and SHA1 fingerprints and the SHA1withRSA signature in this 2011 output are what old JDKs printed; current keytool shows a SHA256 fingerprint and signs with SHA256withRSA, and that is what you should compare.

4. Generate the key pair for the producer, this time under an explicit alias (pro_key), since producer.jks already holds the trusted entry "mykey":


C:\>keytool -genkeypair -alias pro_key -keyalg RSA -keypass welcome1 -keystore producer.jks -storepass welcome1
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:  TOM
What is the name of your organization?
  [Unknown]:  TOM
What is the name of your City or Locality?
  [Unknown]:  MUMBAI
What is the name of your State or Province?
  [Unknown]:  MH
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Unknown, OU=TOM, O=TOM, L=MUMBAI, ST=MH, C=IN correct?
  [no]:  y


5. List the contents of the keystore:

C:\>keytool -list -v -keystore producer.jks -storepass welcome1

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: pro_key
Creation date: 20 Oct, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=TOM, O=TOM, L=MUMBAI, ST=MH, C=IN
Issuer: CN=Unknown, OU=TOM, O=TOM, L=MUMBAI, ST=MH, C=IN
Serial number: 4e9fb478
Valid from: Thu Oct 20 11:11:12 IST 2011 until: Wed Jan 18 11:11:12 IST 2012
Certificate fingerprints:
         MD5:  3C:EC:6F:88:61:0E:EC:3A:FF:45:AB:90:27:2A:53:E9
         SHA1: 62:CB:68:85:B1:35:3A:30:42:A6:A5:76:E1:6E:F6:23:BA:A4:56:76
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 44 86 DE 73 7F 27 E1 67   8D 33 5E 5F D0 12 2B 1A  D..s.'.g.3^_..+.
0010: FA 17 46 69                                        ..Fi
]
]
*******************************************
*******************************************
Alias name: mykey
Creation date: 20 Oct, 2011
Entry type: trustedCertEntry

Owner: CN=John, OU=Smith, O=SmithCop, L=Mumbai, ST=MH, C=IN
Issuer: CN=John, OU=Smith, O=SmithCop, L=Mumbai, ST=MH, C=IN
Serial number: 4e9fb035
Valid from: Thu Oct 20 10:53:01 IST 2011 until: Wed Jan 18 10:53:01 IST 2012
Certificate fingerprints:
         MD5:  47:22:51:F0:72:9B:B2:3C:B9:B3:D7:26:66:29:FD:CD
         SHA1: 55:D5:7C:6C:20:A4:03:EA:8B:5C:FD:A8:C4:5F:C4:9F:86:15:1B:40
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 52 2F 76 3E 5F 42 C0 74   0A BA 90 EB BB 1F C5 61  R/v>_B.t.......a
0010: DE 72 46 DC                                        .rF.
]
]
*******************************************
*******************************************

6. Export the producer's certificate. Here -alias pro_key is required: producer.jks now has two entries, and without -alias keytool falls back to the default alias "mykey", which would silently export the consumer's certificate again instead of the producer's:

C:\>keytool -exportcert -alias pro_key -keystore producer.jks -storepass welcome1 -rfc -file B_cert
Certificate stored in file <B_cert>
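The six steps above as one script, added here as an example and not part of the original post: it runs the same keytool procedure non-interactively (-dname instead of the prompts, explicit aliases everywhere, -keysize, -sigalg and -validity set instead of left at their defaults) and then replaces the manual "Trust this certificate?" check with a SHA-256 fingerprint comparison between each exported file and the keystore entry it came from. The aliases consumer_a and pro_key, the distinguished names, the password welcome1 and the output directory are placeholders; it assumes a JDK 8 or later keytool on PATH, since older versions print no SHA256 fingerprint.

```shell
#!/bin/sh
# Added example (not from the original post): the consumer/producer keystore
# procedure run non-interactively, with explicit aliases and a fingerprint
# cross-check. Aliases, DNs, password and paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # output directory for the keystores
STOREPASS="${STOREPASS:-welcome1}"    # placeholder; never reuse a demo password

# 0 if keytool is on PATH.
have_keytool() { command -v keytool >/dev/null 2>&1; }

# SHA-256 fingerprint of a certificate file (PEM or DER), as keytool prints it.
cert_fingerprint() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p'
}

# SHA-256 fingerprint of the certificate stored under one alias in a keystore.
alias_fingerprint() {
  keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" |
    sed -n 's/^[[:space:]]*SHA256: //p'
}

build_keystores() {
  # Step 1: consumer key pair. -dname replaces the interactive prompts;
  # -keysize, -sigalg and -validity override the defaults the page relied on.
  keytool -genkeypair -alias consumer_a -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 \
    -dname "CN=John, OU=Smith, O=SmithCop, L=Mumbai, ST=MH, C=IN" \
    -keystore "$WORK/consumer_A.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"

  # Step 2: export the consumer certificate (public half only, PEM form).
  keytool -exportcert -alias consumer_a -keystore "$WORK/consumer_A.jks" \
    -storepass "$STOREPASS" -rfc -file "$WORK/A_cert"

  # Step 3: the producer trusts the consumer. -noprompt skips the
  # "Trust this certificate?" question; verify_exports does that check instead.
  keytool -importcert -alias consumer_a -file "$WORK/A_cert" \
    -keystore "$WORK/producer.jks" -storepass "$STOREPASS" -noprompt

  # Step 4: producer key pair in the same keystore, under its own alias.
  keytool -genkeypair -alias pro_key -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 \
    -dname "CN=Tom, OU=TOM, O=TOM, L=Mumbai, ST=MH, C=IN" \
    -keystore "$WORK/producer.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"

  # Step 6: export the producer certificate. -alias is required: the store
  # now holds two entries, and without it keytool falls back to "mykey".
  keytool -exportcert -alias pro_key -keystore "$WORK/producer.jks" \
    -storepass "$STOREPASS" -rfc -file "$WORK/B_cert"
}

# Step 5 as a check rather than a listing: returns 0 only if each exported
# certificate file matches the keystore entry it is supposed to come from.
verify_exports() {
  a="$(cert_fingerprint "$WORK/A_cert")"
  b="$(cert_fingerprint "$WORK/B_cert")"
  [ -n "$a" ] && [ -n "$b" ] || return 1
  [ "$a" = "$(alias_fingerprint "$WORK/consumer_A.jks" consumer_a)" ] || return 1
  [ "$a" = "$(alias_fingerprint "$WORK/producer.jks" consumer_a)" ] || return 1
  [ "$b" = "$(alias_fingerprint "$WORK/producer.jks" pro_key)" ] || return 1
}

# Usage: sh keystores.sh run
case "${1:-}" in
  run) have_keytool || { echo "keytool not found on PATH" >&2; exit 1; }
       build_keystores && verify_exports && echo "keystores in $WORK verified" ;;
esac
```

The last comparison in verify_exports is the one that catches the mistake step 6 invites: if B_cert were exported without -alias it would carry the consumer's fingerprint, match the consumer_a entry, and fail to match pro_key. In a real deployment the fingerprint of A_cert would be obtained from the consumer over a separate channel and compared before the import, rather than read back from the file being imported.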



The keystores created above can now be used, for example to implement one-way SSL.


Thanks,
Rohan Lopes
