Step by step tutorial to create Keystore and Truststore file
Introduction
Truststore and keystore files are used in JSSE to secure communication between the client and the server. The keytool command is used to create the keystore file, which contains the public/private keys; the keystore is then used to create a truststore file, which contains only public keys. In this article, let us learn how to create truststore and keystore files using the 5 easy steps given below:
Generate a private key in keystore file
Verify the newly created keystore file
Export the certificate
Import the certificate into the truststore file
Verify the newly created trust store file
Step 1 - Generate a private key in keystore file
Java keytool stores the keys and certificates in the keystore file. If you are a “Windows” user, the keytool command should be executed in the Java bin directory. In my case the directory is “C:\Program Files\Java\jdk1.6.0_12” and the following command should be executed,
keytool -genkeypair -alias certificatekey -keyalg RSA -validity 7 -keystore keystore.jks
Once the preceding command is executed, you will be asked for the password. For this article, let us give the password as “techbrainwave”. Once you give the password, you will be asked for the details as specified in the image below.
Next we should verify the newly created key store file.
Step 2 – Verify the newly created keystore file
In step 2, let us verify the newly created keystore.jks file using the following command,
keytool -list -v -keystore keystore.jks
After executing the above command, you will get the details as specified in the image below.
Next we should export the certificate.
Step 3 – Export the certificate
In step 3, either a self-signed certificate or a commercial certificate from “Verisign” or another certificate authority should be exported. For exporting Verisign certificates, the article “Steps to configure Verisign certificate for Oracle Glassfish Server” (www.techbrainwave.com/?p=505) would be helpful. In this article, let us see how to export a self-signed certificate.
The self-signed certificate, the PEM text between the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines, should be stored in a file named “selfsignedcert.cer”. Execute the following command,
keytool -export -alias certificatekey -keystore keystore.jks -rfc -file selfsignedcert.cer
After executing the above command, you will be asked for the password. Give the same password “techbrainwave” and you will get the details as specified in the image below.
Next we should import the certificate into the truststore file.
Step 4 – Import the certificate into the truststore file
In step 4, let us import the certificate by executing the command below,
keytool -import -alias certificatekey -file selfsignedcert.cer \
-keystore truststore.jks
After executing the preceding command, give the same password “techbrainwave” and you will get the details as specified in the image below.
Next let us verify the newly created trust store file.
Step 5 – Verify the newly created trust store file
In step 5, verify the newly created trust store file by executing the following command,
keytool -list -v -keystore truststore.jks
After executing the preceding command, you will get the details as specified in the image below.
That's all, folks. I hope this article clearly gives the step-by-step tutorial to create simple keystore and truststore files. If you find this article useful, don't forget to leave your valuable comments. Have a joyous code day.
24 Responses so far.
Apache Mina – SSL Configuration | Tech Brainwave says:
December 13, 2010 at 11:01 pm
[...] “Truststore” file. The Creation of these two files has been explained in the article “Step by step tutorial to create Keystore and Truststore file “. The factory classes used in the SSLContextGenerator class [...]
bojan says: April 18, 2011 at 9:10 pm
Hello, can I use keystore and truststore created by this tutorial for mutual certificate security on glassfish web server? I tried setting web service and web service client using self-signed certificate, and I get Validation of self signed certificate failed error.
tactoth says: June 9, 2011 at 2:13 pm
I would see this is a very useful article, very intuitive and informative. It really helps me much on understanding certificates, private/public keys, etc.
tims says:
June 17, 2011 at 9:58 pm
It is not clear to me when the truststore file is created.
giftsam Reply: June 18th, 2011 at 6:57 pm
In step4, the truststore file is created. The truststore file contains only public keys.
Deepak Ku Patel says: June 28, 2011 at 5:00 pm
It’s very good & clearly mention the right steps.
Thanks
Rishu Aggarwal says: July 26, 2011 at 1:46 pm
Nice work techbrainwave !! very handful info..
Resources about PKI infrastructure + SSL/TLS, standards, tools(keytool, openssl) | Tsetso's Stuff says: July 27, 2011 at 9:29 pm
[...] 6.1) Generating a KeyStore and TrustStore (Oracle documentation) –> (link) 6.2) JKS and JCEKS keystores –> (link) JCEKS keystore (Oracle documentation) –> (link) 6.3) Creating a key and trust store with JSSE in Java( client and server) –> (link) 6.4) keystore vs. truststore (victor-jan’s blog) –> (link) 6.5) Step by step tutorial to create Keystore and Truststore file (techbrainwave’s website) –> (link) [...]
Adam Mauger says: August 31, 2011 at 9:59 am
“The preceding self signed certificate should be stored in a file named “selfsignedcert.cer” and then execute the following command,
keytool -export -alias certificatekey -keystore
keystore.jks -rfc -file selfsignedcert.cer”
Er, selfsignedcert.cer is just overwritten….
sureshkumar Chinnaraj says: September 16, 2011 at 5:47 pm
This tutorial explains very well about signing jar files thanks a lot!!!
Narendra says: September 20, 2011 at 8:25 pm
Can I copy this file somewhere else and use it ?
giftsam Reply: September 21st, 2011 at 2:55 pm
Narendra, Which file you want to copy?
Ram says: September 22, 2011 at 7:30 pm
Really useful information on keystore and truststore with simple explanation
Ron says: October 24, 2011 at 11:33 am
Thanks for the great tutorial.. I want to use the certificate and truststore in my client server application.
How can I use it. I am using JSSE.
Just wondering how to use generated certificate and truststore in my application.
Thanks
Nurlan says: December 5, 2011 at 2:37 pm
I need a keytool command which imports an existing private key (.pem) into the keystore.jks.
I tried
“keytool -import -trustcacerts -file mypem.pem -alias CA_ALIAS -keystore keystore.jks”
but it gave me the following error
“keytool error: java.lang.Exception: Input not an X.509 certificate”
Can anybody help??
Thanks in advance.
Nurlan
Madhurima Reply: May 21st, 2012 at 6:39 pm
Hi All,
I am also facing the same issue, please help me.
Thanks,
Madhurima
Jas says: December 8, 2011 at 2:37 pm
step by step explanation helped me a lot in understanding certificate generation and keystore generation. Great Tutorial
ammy says: December 16, 2011 at 7:52 am
wonderful!!! thanks for such a detail article.
Eknath says: January 31, 2012 at 10:04 pm
Nice Tutorial.. Helped me a lot. and saved time.
Thanks a Ton !!!!!!!!!!!!
Naidu says: February 1, 2012 at 4:17 pm
How to create the private key and public key for a self signed certificate ?
ahmet says: March 6, 2012 at 9:43 pm
thank you very much.. perfect tutorial..
ratish says: March 16, 2012 at 4:09 pm
awesome man
SSL Handshaking Using Self-Signed Certs and SSLEngine (JSSE) | PHP Developer Resource says: May 23, 2012 at 6:23 pm
[...] The keystore and truststore referenced in the code snippit above were created using the following tutorial: http://www.techbrainwave.com/?p=953 [...]
john cena says: July 9, 2012 at 11:46 am
after creating truststore.jks what is the next step?
http://www.techbrainwave.com/?p=953