Java keytool can be used for https connections, to allow access only to authorized clients. Any tool or java code can use an installed certificate to connect to the server.
❓ How Java keytool works
The keytool command to generate a key pair containing a public and private key.alias: The alias for the keystore. This value is arbitrary, but the alias jboss is the default used by the JBoss Web server.keyalg: The key pair generation algorithm. In this case it is RSA.keystore: The name and location of the keystore file.
Maybe you want to make your server publicly accessible, but restricted to particular team or organization.
Or you build an infrastructure of your enterprise and want it to be secure. In such situation you will need a method to control, who can use particular service. Such resource should be protected from unauthorized usage, channel between server and authorized client must be secure.
Java keytool allows to certify given java client for work with particular server over https. That is an established and easy to use java standard.
To be certified to use particular service, client should do the following:
✔ get the certificate which server expects(.crt file). Probably admin can provide you with it;
✔ add it to your keyring using:
✔ check with the manual of the client tool you use for details of configuration, if there is any.
Adding certificate to the keystore
Given:
⭐ my.cert.location/my.cert.crt – certificate to be installed
⭐ “changeit” – default keystore path (if you didn’t set it, its java default)
⭐ default java keystore location – $JAVA_HOME/jre/lib/security/cacerts
![]()
Following will add the certificate to the default java keyring:
? Answer ‘yes’ when prompted.
Listing certificates in the keystore
This will list the certificates in the keystore:
Output is something like: Important part is the alias which certificate has. You can import and export certificates using alias. ? In the keytore, unique identification or name of the certificate is called alias
To determine if the certificate with alias mykey1is there, use:
? It will list all what keyring has about the certificate.
Following problem might occur if server doesn’t find the certificate it expects:
Given one client which works and one which cannot connect to the server, you can do the following to fix the problem:
⭐ Compare MD5 Sums of same certificate from both servers
⭐ Check that the same certificates are installed (nothing missing)
⭐ Import missing certificates from the working server
⭐ Print the certificate content to learn more about it
![]()
Exporting the certificate from the keystore
The my.cert.1.crt can be then re-imported into another keyring.
Learning more about the certificate
? REMARK: we use the same certificate we have exported in the chapter above.
To learn about the owner, organization, etc. who has issued the certificate, following command can be used
Removing the certificate from the keystore
Non-interactive mode (suppress keytool questions)
Generate Keystore
That is useful in bash scripts. Use the -noprompt option:
Generate Key From Crt Keytool List
That’s it, have fun :)
This procedure uses the Java keytool utility to generate a key and save it to a Java keystore.
NOTE:
Generate Key From Crt Keytool File
To generate a new public/private key pair in a Java keystore
An alternate option to responding to prompts is to specify the DN value on the command line using the -dname option. For example:
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
December 2020
Categories |