The keytool command that comes with Java 7 can be used to create a complete PKI setup. Note that it is best practice not to use the -storepass or -keypass command-line switches. If you do use them, make sure to protect any scripts that contain them, especially those that involve the cceroot key. This setup generates 2048 bit RSA keys with a 20 year CA expiration and a 2 year server certificate expiration. These can be changed by modifying the command-line parameters to keytool.
## Create root signing CA
- Generate a root CA key. This certificate will be used to sign all other certificates. Only do this step once.

```
keytool -genkeypair -keystore cceroot.jks -alias cceroot -dname "cn=cceroot,o=sag" -keyalg RSA -ext bc:c -storepass manage -keypass manage -validity 7300
```
- Export the CA certificate to a file for client/browser usage. For Java clients, import this file into cacerts or a local truststore. For browsers, import it as a CA certificate and trust it for server SSL.

```
keytool -exportcert -keystore cceroot.jks -storepass manage -alias cceroot -file cceroot.cer
```
## Create certificates for HTTPS
Repeat these steps for each server that needs to support connections via HTTPS.
- Generate a keypair for the server. This cert will initially be self-signed.

```
keytool -genkeypair -keystore spmnode.jks -alias spmnode -dname "cn=spmnode,o=sag" -keyalg RSA -storepass manage -keypass manage -validity 720
```

Alternate method using wildcards:

```
keytool -genkeypair -keystore spmnode.jks -alias spmnode -dname "cn=*.acme.com,o=sag" -keyalg RSA -storepass manage -keypass manage -validity 720
```
- Create a certificate signing request (CSR). This file will be the input to the CA signing process.

```
keytool -certreq -keystore spmnode.jks -alias spmnode -dname "cn=spmnode,o=sag" -storepass manage -keypass manage -file spmnode.p10
```
- Now sign the CSR. Change the DNS name to the actual fully qualified host name. You may also want to lengthen the validity period (720 = 2 years).

```
keytool -gencert -alias cceroot -ext san=dns:spmnode.acme.com -keystore cceroot.jks -storepass manage -keypass manage -infile spmnode.p10 -outfile spmnode.cer -validity 720
```
- If using wildcards, don't specify a SAN extension:

```
keytool -gencert -alias cceroot -keystore cceroot.jks -storepass manage -keypass manage -infile spmnode.p10 -outfile spmnode.cer -validity 720
```
The next two steps update the server keystore with the CA-signed response. A better method follows below but requires extra steps:

- Import the root CA into the SPM server keystore.

```
keytool -importcert -keystore spmnode.jks -alias cceroot -storepass manage -keypass manage -file cceroot.cer -noprompt
```

- Import the signed cert into the SPM server keystore.

```
keytool -importcert -keystore spmnode.jks -alias spmnode -storepass manage -keypass manage -file spmnode.cer -noprompt
```
- Export the CA and the server cert in text (PEM) format.

```
keytool -exportcert -keystore spmnode.jks -alias spmnode -rfc -storepass manage
-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIEbTszNjANBgkqhkiG9w0BAQsFADAgMQwwCgYDVQQKEwNzYWcxEDAOBgNVBAMTB2
-----END CERTIFICATE-----
```

```
keytool -exportcert -keystore cceroot.jks -alias cceroot -rfc -storepass manage
-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIE...
-----END CERTIFICATE-----
```

Copy these two outputs, in order and including the -----BEGIN/-----END lines, into a new file called certandroot.p7c. The server cert must come first in this file, followed by the root cert.
- Import the certificate chain into the server keystore:

```
keytool -importcert -keystore spmnode.jks -alias spmnode -storepass manage -keypass manage -file certandroot.p7c
```
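As an added example (not part of the original page), the following POSIX shell helpers assemble certandroot.p7c in the order the import step requires and validate its PEM structure before it is handed to keytool. It assumes the two -rfc exports were saved as spmnode.pem and cceroot.pem (file names not from the page); the certificate bodies it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: assemble the chain file the page
# calls certandroot.p7c (server cert first, then root) from two "keytool
# -exportcert -rfc" outputs and check it before "keytool -importcert". File
# names follow the page; the certificate bodies below are constructed placeholders.
BEGIN='-----BEGIN CERTIFICATE-----'
END='-----END CERTIFICATE-----'
# Number of complete PEM blocks (a BEGIN line later closed by an END line).
pem_blocks() {
    awk -v b="$BEGIN" -v e="$END" '
        $0 == b { open = 1 }
        $0 == e && open { n++; open = 0 }
        END { print n + 0 }' "$1"
}

# Every delimiter line must be exact; a pasted "BEGIN CERTIFICATE-----" with
# the dashes lost on one side is caught here, not as a failed import later.
pem_delimiters_ok() {
    ! grep -E 'BEGIN CERTIFICATE|END CERTIFICATE' "$1" | grep -qvxF -e "$BEGIN" -e "$END"
}

# Build the chain file: server cert, then root cert, each input exactly one block.
build_chain() {
    server=$1; root=$2; out=$3
    pem_delimiters_ok "$server" && pem_delimiters_ok "$root" || return 1
    [ "$(pem_blocks "$server")" -eq 1 ] && [ "$(pem_blocks "$root")" -eq 1 ] || return 1
    cat "$server" "$root" > "$out"
}

# A chain file ready for import holds exactly two blocks and starts with the server cert.
check_chain() {
    chain=$1; server=$2
    pem_delimiters_ok "$chain" && [ "$(pem_blocks "$chain")" -eq 2 ] || return 1
    head -n "$(wc -l < "$server" | tr -d ' ')" "$chain" | cmp -s - "$server"
}

# After the import, confirm keytool reports a two-certificate chain and the SAN;
# the store password is typed at the prompt rather than passed on the command line.
show_chain() {
    keytool -list -v -keystore "$1" -alias "$2" |
        grep -E 'Certificate chain length|Owner:|Issuer:|DNSName'
}

# Constructed sample inputs standing in for the two -rfc exports (not real certs).
WORK=$(mktemp -d)
printf '%s\nMIIDHTCCAgWgAwIBAgIEbTszNjANBgkqhkiG9w0BAQsFADAg\n%s\n' "$BEGIN" "$END" > "$WORK/spmnode.pem"
printf '%s\nMIIC8DCCAdigAwIBAgIE\n%s\n' "$BEGIN" "$END" > "$WORK/cceroot.pem"
printf 'BEGIN CERTIFICATE-----\nAAAA\n%s\n' "$END" > "$WORK/broken.pem"   # bad delimiter
build_chain "$WORK/spmnode.pem" "$WORK/cceroot.pem" "$WORK/certandroot.p7c" &&
    check_chain "$WORK/certandroot.p7c" "$WORK/spmnode.pem" && echo "certandroot.p7c ok"
```

Run show_chain spmnode.jks spmnode after the import to see the chain length of 2 and the DNSName entry that the signed certificate carries.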
| File | Purpose |
|---|---|
| cceroot.jks | CA root key |
| spmnode.jks | Server key for SPM HTTPS node |
| cceroot.cer | CA certificate suitable for import into a truststore or browser CA list |