Play with SSL certificates using Java-11 and openSSL [JKS - PEM - PFX - PKCS #12]



Steps for making a Java Key Store [JKS] and adding certificates

The main thing to remember in this process is the alias name, because some applications use the alias name to bind the domain certificate to the domain.

a.      Command for normal domain certificate

keytool -genkeypair -keyalg RSA -keysize 2048 -alias mydomain -keystore mydomain.jks

b.      Command for wildcard domain certificate

      keytool -genkeypair -keyalg RSA -keysize 2048 -alias mydomain  -keystore mydomain.jks -ext "san=dns:test1.mydomain.com,dns:test2.mydomain.com,ip:192.168.1.1"

Both commands above ask a series of questions. When asked for your first and last name, give your domain name, e.g. www.mydomain.com, or *.mydomain.com in the wildcard case (this value becomes the certificate's CN).

c.      Generation of certificate request file with normal KeyStore

        keytool -certreq -keystore mydomain.jks -alias mydomain -file mydomain.csr

d.      Generation of certificate request file with wildcard KeyStore

        keytool -certreq -keystore mydomain.jks -alias mydomain -file mydomain.csr -ext "san=dns:test1.mydomain.com,dns:test2.mydomain.com,ip:192.168.1.1"


Once you submit the certificate request file to the certificate provider (CA), they send back one or more chain certificates along with the domain certificate. Here I show the case of two chain (intermediate) certificates plus the root and domain certificates.

e.      Commands for adding all certificates. Follow the import order given in the CA's own procedure; the domain certificate is imported last, under the same alias as the key pair.

          keytool -importcert -alias root -keystore mydomain.jks -file root.crt

          keytool -importcert -alias inter2 -keystore mydomain.jks -file intermediate2.crt

          keytool -importcert -alias inter1 -keystore mydomain.jks -file intermediate1.crt

          keytool -importcert -alias mydomain -keystore mydomain.jks -file domain-certificate.crt

Once you have finished all these steps, the JKS file is ready to use in your application.
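The whole a–e sequence as one script, with a check at the end. This is an example added here, not the post's own commands. It assumes keytool from a JDK 11+ on PATH; the alias, domain, SAN list and password are constructed sample values, the chain aliases are taken from the certificate file names (root.crt becomes alias "root"), and -dname replaces the interactive "first and last name" prompt. The final check reads keytool's "Certificate chain length" line for the alias, which should go from 1 (the self-signed certificate made in step a) to one plus the number of chain certificates once the CA reply is installed.

```shell
#!/bin/sh
# Added example (not from the original post): scripts sections a-e of the
# JKS workflow and verifies the result. Assumes keytool (JDK 11+) on PATH.
# Alias, domain, SAN list and password below are constructed sample values.
set -e

ALIAS=mydomain
STORE=mydomain.jks
PASS=changeit   # demo only: a -storepass given on the command line shows up in `ps`
SAN="san=dns:test1.mydomain.com,dns:test2.mydomain.com,ip:192.168.1.1"

# a/b: key pair with SAN. For a wildcard certificate use CN=*.mydomain.com.
make_keypair() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS" \
    -keystore "$STORE" -storetype JKS -storepass "$PASS" -keypass "$PASS" \
    -dname "CN=www.mydomain.com, O=Example, C=US" -ext "$SAN" -validity 365
}

# c/d: certificate request to send to the CA.
make_csr() {
  keytool -certreq -keystore "$STORE" -storepass "$PASS" -alias "$ALIAS" \
    -ext "$SAN" -file mydomain.csr
}

# e: import the CA reply. Usage: import_chain LEAF.crt root.crt [inter...].
# Root and intermediates go in first, each under its own alias (file name
# without extension); the domain certificate goes in last under the SAME alias
# as the key pair, so keytool installs it as the reply for that private key.
import_chain() {
  leaf=$1; shift
  for c in "$@"; do
    a=${c##*/}; a=${a%.*}
    keytool -importcert -alias "$a" -keystore "$STORE" -storepass "$PASS" \
      -file "$c" -noprompt
  done
  # No -noprompt here: if the chain cannot be built from what is already in
  # the store, keytool must stop rather than install an unverified reply.
  keytool -importcert -alias "$ALIAS" -keystore "$STORE" -storepass "$PASS" \
    -file "$leaf"
}

# Check: number of certificates stored with the alias. 1 means only the
# self-signed certificate from step a; after step e it is leaf + chain.
chain_length() {
  keytool -list -v -keystore "$STORE" -storepass "$PASS" -alias "$ALIAS" \
    | sed -n 's/^Certificate chain length: *//p'
}

case "${1:-}" in
  request) make_keypair && make_csr && echo "send mydomain.csr to the CA" ;;
  install) shift; import_chain "$@"; echo "chain length: $(chain_length)" ;;
esac
```

Run `sh jks.sh request` before contacting the CA and `sh jks.sh install domain-certificate.crt root.crt intermediate2.crt intermediate1.crt` once the reply arrives; a chain length that stays at 1 means the reply was not matched to the key entry.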


Change Java Key Store password

        keytool -storepasswd -keystore mydomain.jks 

            Enter keystore password:  old-password
            New keystore password:  new-password
            Re-enter new keystore password:  new-password


Converting PFX file to Java Key Store file [PKCS #12 to JKS]

      keytool.exe -importkeystore -srckeystore mydomain-pfx.pfx -srcstoretype pkcs12 -destkeystore mydomain-jks.jks -deststoretype JKS

Once the import succeeds, keytool prints the alias name of the imported entry; note it down for future use.


Convert Java Key Store file to PEM files [JKS to PEM] 


First convert the JKS file to a PKCS #12 (P12) file, then convert the P12 file to PEM. Here I produce two PEM files, one containing the certificate and one containing the private key.

This process uses keytool and openssl together.

keytool -importkeystore -srckeystore mydomain.jks -srcstoretype JKS -destkeystore mydomain.p12 -deststoretype PKCS12

openssl pkcs12 -in mydomain.p12 -clcerts -nokeys -out mydomain-cert.pem

umask 0077   # Linux only: the key file written by the next command is then readable by its owner only

openssl pkcs12 -in mydomain.p12 -nocerts -nodes -out mydomain-key.pem

umask 0022   # Linux only: restore the default mask


Remove added certificate from Java Key Store[JKS] file

Sometimes we need to remove a certificate from a JKS, mainly a chain certificate. Here is the process for replacing the intermediate and root certificates: first convert the JKS file to a PEM file, then remove the unwanted certificates from the PEM with any editor, then convert the modified PEM back into a JKS file.

1. Rename mydomain.jks to old_mydomain.jks so the old and new files are easy to tell apart.

2. Convert the JKS to a P12 file: keytool -importkeystore -srckeystore old_mydomain.jks -destkeystore old.p12 -deststoretype pkcs12

   During this step you may be asked "Do you want to quit the import process? [no]:"; always answer "no".

3. Convert the P12 to PEM with openssl (on Linux): openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

4. Open pemfile.pem in an editor such as vi and delete every certificate that does not belong to the JKS alias. Generally the top two sections of the file belong to the alias, so the others can be deleted.

5. Pack the edited PEM into a new P12 with openssl: openssl pkcs12 -export -in pemfile.pem -name mydomain -out new.p12 (here mydomain is the alias name of the keystore).

6. Convert the new P12 back to a JKS: keytool -importkeystore -srckeystore new.p12 -destkeystore mydomain.jks -srcstoretype pkcs12

7. Add the root certificate: keytool -importcert -alias root -keystore mydomain.jks -file root.crt

8. Add the intermediate certificate: keytool -importcert -alias inter1 -keystore mydomain.jks -file intermediate.crt
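A scripted replacement for step 4, added here as an example; it is not part of the original post. The bundle written by "openssl pkcs12 -nodes" in step 3 prefixes every block with "Bag Attributes" lines, and entries that came out of a JKS carry a "friendlyName: <alias>" attribute, so the blocks can be listed by alias and the ones to keep picked by number instead of deleting text by hand in vi. Only POSIX sh and awk are used; the sample bundle below is constructed (fake bodies, not real keys or certificates) and mirrors a store holding the alias "mydomain" plus old "inter1" and "root" entries.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of
# step 4. Lists the blocks of an "openssl pkcs12 -nodes" bundle with their
# friendlyName (the JKS alias) and writes out only the blocks you name.
# POSIX sh + awk only; no openssl or keytool needed.
set -e

# List blocks as "<index> <type> <friendlyName or ->" in file order.
pem_list() {
  awk '
    /^ *friendlyName:/ { fn = $2 }         # attribute printed before its block
    /^-----BEGIN / {
      n++; t = $0
      sub(/^-----BEGIN /, "", t); sub(/-----$/, "", t)
      print n, t, (fn == "" ? "-" : fn)
      fn = ""
    }
  ' "$1"
}

# pem_keep FILE "1 4": copy only the listed blocks (1-based, file order) to
# stdout. The Bag Attributes / subject= lines are dropped; neither
# "openssl pkcs12 -export" (step 5) nor keytool needs them.
pem_keep() {
  awk -v want=" $2 " '
    /^-----BEGIN / { n++; emit = index(want, " " n " ") > 0 }
    emit { print }
    /^-----END / { emit = 0 }
  ' "$1"
}

# Number of blocks in a bundle: sanity check before and after pruning.
pem_count() {
  grep -c '^-----BEGIN ' "$1"
}

# Constructed sample bundle laid out like step 3's output (fake bodies).
write_sample() {
  cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: mydomain
    localKeyID: 54 69 6D 65 20 31
subject=CN = www.mydomain.com
issuer=CN = inter1
-----BEGIN CERTIFICATE-----
LEAFCERTBODY
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: inter1
subject=CN = inter1
issuer=CN = root
-----BEGIN CERTIFICATE-----
INTERMEDIATEBODY
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: root
subject=CN = root
issuer=CN = root
-----BEGIN CERTIFICATE-----
ROOTBODY
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: mydomain
    localKeyID: 54 69 6D 65 20 31
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
KEYBODY
-----END PRIVATE KEY-----
EOF
}

if [ "${1:-}" = "demo" ]; then
  write_sample pemfile.pem
  pem_list pemfile.pem                       # 1 CERTIFICATE mydomain ... 4 PRIVATE KEY mydomain
  pem_keep pemfile.pem "1 4" > pruned.pem    # keep the mydomain certificate and key only
  echo "kept $(pem_count pruned.pem) of $(pem_count pemfile.pem) blocks"
fi
```

On a real bundle run `pem_list pemfile.pem`, pick the indices whose friendlyName is the keystore alias (the certificate and the private key), and feed those to `pem_keep`; pruned.pem then goes into step 5 unchanged. Ordering in real openssl output varies, which is why selection is by listed index rather than by "top two sections".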
