Using keytool to create certificate chain

  sonic0002        2015-12-17 07:09:33       50,189        1          English  简体中文  Tiếng Việt 

JDK provides a command line tool -- keytool to handle key and certificate generation. This tool has a set of options which can be used to generate keys, create certificates, import keys, install certificate and export certificates etc. In this tutorial, we will show how to create certificate chain using keytool. If you want to understand how to create certificate chain programmably, please refer to Generate certificate in Java -- Certificate chain.

To begin, we first generate a key pair which will be used as the CA, ts private key will be used to sign the certificate it issues.

keytool -genkeypair -alias ca -keystore test.jks -dname "CN=CA" -storepass password -keypass password -ext bc=ca:true

Note here an extension with BasicaContraint created to show that it's a CA.

Then, generate a key pair where the certificate of it will be signed by the CA above.

keytool -genkeypair -alias leaf -keystore test.jks -dname "CN=Leaf" -storepass password -keypass password

Next, a certificate request for the "CN=Leaf" certificate needs to be created.

keytool -certreq -keystore test.jks -storepass password -alias leaf -file leaf.csr

Now creating the certificate with the certificate request generated above.

keytool -gencert -keystore test.jks -storepass password -alias ca -infile leaf.csr -outfile leaf.cer

An output certificate file leaf.cer will be created. Now let's see what its content is.

keytool -printcert -file leaf.cer

The certificate will look like:

Owner: CN=Leaf
Issuer: CN=CA
Serial number: 49fdb896
Valid from: Thu Dec 17 20:44:51 CST 2015 until: Wed Mar 16 20:44:51 CST 2016
Certificate fingerprints:
	 MD5:  EE:C8:78:72:69:C0:45:2C:DA:C6:E5:A9:6C:F9:A6:33
	 SHA1: DC:21:3A:7A:6B:BE:55:2A:24:0D:A0:F3:7B:FA:AD:B7:B3:E9:6B:88
	 SHA256: 78:11:E2:42:37:66:16:1D:02:02:03:1B:36:91:FC:C9:98:10:28:43:B6:0E:A2:63:34:93:9F:77:EA:D9:15:AB
	 Signature algorithm name: SHA1withDSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 24 67 26 EE 9F 42 BE BF   CE 9E 8B 4D 8E 1E BD AF  $g&..B.....M....
0010: 97 82 3D E4                                        ..=.
]
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 19 D0 58 48 6B 41 4B   0E 24 42 3A FF 60 38 69  #..XHkAK.$B:.`8i
0010: F1 63 11 12                                        .c..
]
]

From the certificate, we can see its issuer is "CN=CA".

This certificate can be imported to some other keystore or truststore so that it can be used to verify server identify in the future.

keytool -importcert -keystore test.jks -storepass password -file leaf.cer

Or it can be installed into the original keystore to become the leaf certificate of the certificate chain for alias leaf.

keytool -importcert -keystore test.jks -storepass password -file leaf.cer -alias leaf

After installing the certificate, you will find the entry with alias leaf will have a chain of two certificates.

Alias name: leaf
Creation date: Dec 17, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Leaf
Issuer: CN=CA
Serial number: 49fdb896
Valid from: Thu Dec 17 20:44:51 CST 2015 until: Wed Mar 16 20:44:51 CST 2016
Certificate fingerprints:
	 MD5:  EE:C8:78:72:69:C0:45:2C:DA:C6:E5:A9:6C:F9:A6:33
	 SHA1: DC:21:3A:7A:6B:BE:55:2A:24:0D:A0:F3:7B:FA:AD:B7:B3:E9:6B:88
	 SHA256: 78:11:E2:42:37:66:16:1D:02:02:03:1B:36:91:FC:C9:98:10:28:43:B6:0E:A2:63:34:93:9F:77:EA:D9:15:AB
	 Signature algorithm name: SHA1withDSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 24 67 26 EE 9F 42 BE BF   CE 9E 8B 4D 8E 1E BD AF  $g&..B.....M....
0010: 97 82 3D E4                                        ..=.
]
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 19 D0 58 48 6B 41 4B   0E 24 42 3A FF 60 38 69  #..XHkAK.$B:.`8i
0010: F1 63 11 12                                        .c..
]
]

Certificate[2]:
Owner: CN=CA
Issuer: CN=CA
Serial number: 768422fa
Valid from: Thu Dec 17 20:35:40 CST 2015 until: Wed Mar 16 20:35:40 CST 2016
Certificate fingerprints:
	 MD5:  19:FC:D0:AA:59:EA:52:DC:35:35:65:46:0A:AF:91:4F
	 SHA1: BA:17:1B:33:95:4E:1C:7B:68:B0:4C:EE:1C:D8:F4:6A:EE:25:8E:B0
	 SHA256: 99:5B:90:82:99:8D:79:FA:AA:E7:72:B1:C6:76:FE:2A:65:5F:B7:EF:C9:3C:A4:55:C6:27:E2:62:D3:01:99:79
	 Signature algorithm name: SHA1withDSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 24 67 26 EE 9F 42 BE BF   CE 9E 8B 4D 8E 1E BD AF  $g&..B.....M....
0010: 97 82 3D E4                                        ..=.
]
]

With this tutorial, you should be able to create any kind of certificate or certificate chain you want. Apparently, if you want to create something which can be used in production environment, you need to find a trusted CA such as VeriSign.

This is just a tutorial going through how a certificate chain is created. If you want to know about keystore, you can refer to Different types of keystore in Java -- Overview.

JAVA  CERTIFICATE  CERTIFICATE CHAIN  KEYTOOL 

       

  RELATED


  1 COMMENT


nkosev [Reply]@ 2017-05-16 12:53:25

For a whole day i was using open_ssl and then found this article - made what i needed in 1/10 of time and it is actually working for me.

Thanks!



  RANDOM FUN

How do you know your network speed is slow?

A good way to know that your network speed is slow is when you find that you YouTube video needs to be buffered.