1. Generate A Private Key Using Keytool Mac
  2. Public Private Key Encryption

Keytool is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. Export/import commands We'll use the keytool -export command to extract the public key into a file, and then use the keytool -import command to insert it into a new keystore. Here's the command to extract the client's public key: keytool -export -alias clientprivate -keystore client.private -file temp.key -storepass clientpw.

Securing your Java application with an SSL certificate can be extremely important. Fortunately, it is (usually) quite simple to do using Java Keytool. Most situations require that you buy a trusted certificate, but there are many cases when you can generate and use a self signed certificate for free.

When to Use a Keytool Self Signed Certificate

An SSL certificate serves two essential purposes: distributing the public key and verifying the identity of the server so users know they aren't sending their information to the wrong server. It can only properly verify the identity of the server when it is signed by a trusted third party. A self signed certificate is a certificate that is signed by itself rather than a trusted authority. Since any attacker can create a self signed certificate and launch a man-in-the-middle attack, a user can't know whether they are sending their encrypted information to the server or an attacker. Because of this, you will almost never want to use a self signed certificate on a public Java server that requires anonymous visitors to connect to your site. However, self signed certificates have their place:

Never use a self signed certificate on an e-commerce site or any site that transfers valuable personal information like credit cards, social security numbers, etc.

  • An Intranet. When clients only have to go through a local Intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
  • A Java development server. There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.
  • Personal sites with few visitors. If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.

Just keep in mind that visitors will see a warning in their browsers (like the one below) when connecting to a server that uses a self signed certificate until it is permanently stored in their certificate store.

Generate a Self Signed Certificate using Java Keytool

Now that you know when to use a Keytool self signed certificate, let's create one using a simple Java Keytool command:

  1. Open the command console on whatever operating system you are using and navigate to the directory where keytool.exe is located (usually where the JRE is located, e.g. c:Program FilesJavajre6bin on Windows machines).
  2. Run the following command (where validity is the number of days before the certificate will expire):
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
  3. Fill in the prompts for your organization information. When it asks for your first and last name, enter the domain name of the server that users will be entering to connect to your application (e.g. www.google.com)

This will create a keystore.jks file containing a private key and your sparklingly fresh self signed certificate. Now you just need to configure your Java application to use the .jks file. If you are using Tomcat, you can follow our Tomcat SSL Installation Instructions.

For more information on creating a Java Keytool Self Signed Certificate, see the following links:

Originally posted on Sat Oct 30, 2010

Generate A Private Key Using Keytool Mac

Save

Save

Save

Public Private Key Encryption

To Generate a Certificate by Using keytool

By default, the keytool utility creates a keystorefile in the directory where the utility is run.

Before You Begin

To run the keytool utility, your shell environmentmust be configured so that the J2SE /bin directory is inthe path, otherwise the full path to the utility must be present on the commandline.

  1. Change to the directory that contains the keystore and truststorefiles.

    Always generate the certificate in the directory containingthe keystore and truststore files. The default is domain-dir/config.

  2. Generate the certificate in the keystore file, keystore.jks,using the following command format:


    Use any unique name as your keyAlias. Ifyou have changed the keystore or private key password from the default (changeit), substitute the new password for changeit.The default key password alias is s1as.

    A prompt appears that asks for your name, organization, and other information.

  3. Export the generated certificate to the server.cer file(or client.cer if you prefer), using the following commandformat:


  4. If a certificate signed by a certificate authority is required,see To Sign a Certificate by Using keytool.

  5. Create the cacerts.jks truststore file andadd the certificate to the truststore, using the following command format:


    If you have changed the keystore or private key password from the default(changeit), substitute the new password.

    Information about the certificate is displayed and a prompt appearsasking if you want to trust the certificate.

  6. Type yes, then press Enter.

    Informationsimilar to the following is displayed:


  7. To apply your changes, restart GlassFish Server. See To Restart a Domain.

Example 11–10 Creating a Self-Signed Certificate in a JKS Keystore by Using an RSAKey Algorithm

RSA is public-key encryption technology developed by RSA Data Security,Inc.


Example 11–11 Creating a Self-Signed Certificate in a JKS Keystore by Using a DefaultKey Algorithm


Example 11–12 Displaying Available Certificates From a JKS Keystore


Private
Example 11–13 Displaying Certificate information From a JKS Keystore


See Also

For more information about keytool, see the keytool reference page.

Coments are closed
Scroll to top