How to build Certificates for use with Java applications
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- All releases
- Apache Tomcat
Issue
- How do I request Certificates, or construct a public/private key pair for use with JBoss or Apache Tomcat?
- I renewed a certificate and have the new certificate, intermediate certificate, private key and jboss keystore. How do I import the certificate into the jboss.keystore?
- How to create Self-Signed Certificate to configure HTTPS connector on JBoss ?
- How to install intermediate certificates in jboss and jvm?
- Do you have any documentation on how to install intermediate certificates in jboss and jvm?
- Setup certificate. How to setup self certificate and real certificate on JBoss EAP version 5.1.0 ?
Resolution
- keytool Command Line Documentation
Starting from Scratch
- Creating certificates for use with JBoss and Apache Tomcat can be done in several ways. The simplest tool to use is the Java keytool command, but be aware that it expects you to conform to Java's way of handling certificates, and not all Certificate Authorities (CAs) do this. openssl is another widely used tool. See Creating a Certificate Signing Request or How to use openssl to generate a self-signed x509 certificate for instructions on how to work with openssl.
- Create the key pair (public and private key) that forms the basis of the certificate:
  - This also creates a temporary self-signed certificate.
  - If you are renewing an existing certificate, you can skip this step and generate a Certificate Signing Request (CSR) with the existing private key pair.
keytool -genkeypair -alias ALIAS -keyalg RSA -keystore keystore.jks -keysize 2048
How to Create a Server Certificate Signing Request
- There are multiple ways to do this. See the provided link for more examples.
keytool -certreq -alias ALIAS -keystore keystore.jks -file CERT_SIGN_REQ.csr
- This request is sent to a CA to be signed; the CA will return a certificate to you (either as a file or as plain text).
- See Set up a CA to Sign Certificates if you want to act as your own CA.
- The CA will send you its Root certificate as well as the Intermediate certificate that directly signed your certificate. You will need to import them prior to importing your server certificate, using the command below.
  - If you do not, you will likely get an error regarding your certificate chain.
keytool -import -trustcacerts -alias root_ca -file ca_cert.crt -keystore keystore.jks
- The certificate that you get back can then be added to keystore.jks to complete the public/private key pair entry within the keystore. Make sure to use the same alias as the alias used to generate the CSR.
keytool -importcert -file CERTIFICATE.crt -alias ALIAS -keystore keystore.jks
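The "Starting from Scratch" steps above, carried through end to end as an added example (not part of the original solution): the server key pair and CSR come from keytool exactly as described, but the CA is a throw-away root created with openssl so the whole flow can be checked offline, and the result is verified by looking for the PrivateKeyEntry and a two-certificate chain. The alias, subject names, password and file names are constructed for this example; keytool and openssl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original solution: keytool key pair -> CSR ->
# local openssl CA signs it -> import root -> import reply -> verify.
# Names, password and subjects below are constructed for the demo.
set -eu

ALIAS=jboss
STOREPASS=changeit   # constructed demo value; use a real secret outside this script

# Step 1: key pair plus temporary self-signed certificate under $ALIAS.
# (Java 9+ creates a PKCS#12 store by default even with a .jks file name.)
gen_server_keypair() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -keystore keystore.jks -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=app.example.test, O=Example" -validity 365
}

# Step 2: the CSR that would normally be sent to the CA.
make_csr() {
    keytool -certreq -alias "$ALIAS" -keystore keystore.jks \
        -storepass "$STOREPASS" -file server.csr
}

# Stand-in for the CA: a self-signed root, then a signature over the CSR.
make_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test Root CA" -keyout ca.key -out ca_cert.crt 2>/dev/null
}
sign_csr() {
    openssl x509 -req -in server.csr -CA ca_cert.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out CERTIFICATE.crt 2>/dev/null
}

# Step 3: root first (otherwise the reply import fails with a chain error),
# then the reply under the SAME alias so it replaces the temporary cert.
import_chain() {
    keytool -importcert -trustcacerts -noprompt -alias root_ca \
        -file ca_cert.crt -keystore keystore.jks -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias "$ALIAS" -file CERTIFICATE.crt \
        -keystore keystore.jks -storepass "$STOREPASS"
}

build_keystore() {
    gen_server_keypair
    make_csr
    make_local_ca
    sign_csr
    import_chain
}

# Checks: entry type (PrivateKeyEntry / trustedCertEntry) and chain length.
keystore_entry_type() {   # $1 = alias
    keytool -list -keystore keystore.jks -storepass "$STOREPASS" -alias "$1" \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}
chain_length() {          # $1 = alias
    keytool -list -v -keystore keystore.jks -storepass "$STOREPASS" -alias "$1" \
        | sed -n 's/^Certificate chain length: //p'
}

# Stand-alone use: sh build_keystore.sh run   (works in the current directory)
if [ "${1:-}" = run ]; then
    build_keystore
    printf '%s entry: %s, chain length %s\n' "$ALIAS" \
        "$(keystore_entry_type "$ALIAS")" "$(chain_length "$ALIAS")"
fi
```

After a successful run, keytool -list -v shows the server alias as a PrivateKeyEntry with chain length 2 (server certificate, then the root); a chain length of 1 means the reply was imported under a different alias or before the CA certificate.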
Starting with a Certificate and a Key
- In some cases you may have been provided with a private key and a server certificate and need to convert them to a format suitable for Java applications. In these cases you can use openssl to combine the private key with the certificate so that it can be imported. More information on this can be found in Using my CA Signed Certificate.
- Use the same password for all password prompts (use the one you used when you generated the private key; if you did not use one, keep it the same from this point on). If not, Java will not be able to decrypt the private key.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "ALIAS" [-chain -CAfile cacerts.crt]
- If you have a CA signed certificate, use the options -chain and -CAfile to specify the CA certificates used for the signing chain.
- Although in older versions of Java the JKS keystore format was preferred, Java is transitioning to the more standard PKCS#12 as the preferred keystore format. If you are using Java 8 you should be able to use the PKCS#12 file directly without any difficulty by specifying the keystore type. In Java 8u60 or later, PKCS#12 keystores are autodetected without any configuration differences.
- If you do need a JKS keystore, you can convert the PKCS#12 keystore created above with:
keytool -v -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
- Sometimes the CA certificate that signed the server certificate is an internal, company-specific CA certificate rather than a standard public CA, so you may need to import the CA Root certificate into a truststore (which may be $JAVA_HOME/jre/lib/security/cacerts). You can do that with a command similar to:
keytool -import -trustcacerts -alias ALIAS -file cacert.crt -keystore truststore.jks
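The "Starting with a Certificate and a Key" path as an added, self-contained example (not code from the original solution): a private key and a certificate signed by a private CA are bundled into PKCS#12 with the chain included, converted to JKS, and the private root is placed in a separate truststore. Because the script must run offline, the key and the CA-signed certificate are generated with openssl rather than received from a real CA; the password, subjects and file names are constructed. keytool and openssl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original solution: existing key + CA-signed cert
# -> PKCS#12 (with chain) -> optional JKS, plus a truststore for a private CA.
# Subjects, password and file names are constructed for this demo.
set -eu

ALIAS=jboss
PASS=changeit   # constructed; deliberately the same for key, PKCS#12 and JKS

# Stand-in for "you were handed server.key and server.crt signed by a company CA".
make_key_and_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test Root CA" -keyout ca.key -out cacerts.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA cacerts.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out server.crt 2>/dev/null
}

# Bundle key + cert; -chain/-CAfile embeds the CA certificates so the keystore
# entry carries the full chain. -passout avoids the interactive prompt.
# (OpenSSL 3 encrypts with PBES2/AES-256 by default; current JDK 8, 11 and
# 17 updates read that format.)
export_pkcs12() {
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 \
        -name "$ALIAS" -chain -CAfile cacerts.crt -passout "pass:$PASS"
}

# Only needed for deployments that insist on JKS; Java 8u60+ uses the .p12 directly.
convert_to_jks() {
    keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -destkeystore keystore.jks -deststoretype JKS \
        -deststorepass "$PASS" -noprompt
}

# A private CA is unknown to the JVM's cacerts, so its root goes in a truststore
# that the JVM is pointed at with -Djavax.net.ssl.trustStore.
build_truststore() {
    keytool -importcert -trustcacerts -noprompt -alias example_root \
        -file cacerts.crt -keystore truststore.jks -storepass "$PASS"
}

build_all() {
    make_key_and_signed_cert
    export_pkcs12
    convert_to_jks
    build_truststore
}

# Checks used to verify the outcome.
entry_type() {    # $1 = keystore file, $2 = alias
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}
chain_length() {  # $1 = keystore file, $2 = alias
    keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" \
        | sed -n 's/^Certificate chain length: //p'
}

# Stand-alone use: sh p12_to_jks.sh run
if [ "${1:-}" = run ]; then
    build_all
    printf 'keystore: %s (chain %s), truststore: %s\n' \
        "$(entry_type keystore.jks "$ALIAS")" "$(chain_length keystore.jks "$ALIAS")" \
        "$(entry_type truststore.jks example_root)"
fi
```

If -chain is omitted, the entry is still a PrivateKeyEntry but with chain length 1, and clients that do not already trust the intermediate will fail to build a path; this is the most common cause of "certificate chain" errors after a renewal.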
References
- Instructions on how to build a Certificate Signing Request
- Instructions on how to Set up a CA to Sign Certificates
Diagnostic Steps
- For some situations, working with plain text files is easier than working with binary certificates and certificate requests.
- Whether a file is plain text can be determined with the file command; you should see ASCII text as the file type.
- Convert to a plain text certificate:
openssl x509 -in server.crt -inform DER -out server_plain.crt -outform PEM
- If you need to look at a PEM based certificate, use the following to read the certificate's contents.
keytool -printcert -file signed_certificate.crt
- How to check the contents of the keystore/truststore:
keytool -list -keystore keystore.jks -v
- If the contents of the keystore DO NOT show you something like the following, your certificate will not be served out (under the denoted alias).
jboss, Aug 31, 2012, PrivateKeyEntry
- If the alias is wrong you can change it with the following set of commands:
keytool -list -keystore keystore.jks
keytool -changealias -keystore keystore.jks -alias jboss -destalias 1
- Testing the SSL connection (with RHEL provided tools)
- Testing the SSL connection (with a Java based client):
  - In order to test an SSL connection you will need some client tool; openssl and curl work in most situations, but for a pure Java example client you can use the provided script.
  - Note: This can be used in coordination with the Java -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore options.
# java -jar java_https_client.jar https://www.google.com 1
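The file-format and keystore-alias diagnostics above, as an added example (not part of the original solution) written as shell functions and exercised against a constructed certificate and keystore so they run offline: detect PEM versus DER, convert between them and prove the round trip is lossless by comparing fingerprints, then detect a key stored under the wrong alias and repair it with -changealias. openssl is assumed on PATH for the certificate part and keytool for the keystore part; subjects, aliases and the password are constructed.

```shell
#!/bin/sh
# Added example, not from the original solution: PEM/DER detection and
# conversion, plus the "PrivateKeyEntry under the right alias" check.
# Subjects, aliases, password and file names are constructed for the demo.
set -eu

PASS=changeit   # constructed demo value

# PEM is text and begins with a "-----BEGIN" marker (what `file` reports as
# "ASCII text"); anything else is treated as binary DER.
cert_format() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi
}

# The conversion from the solution, and its inverse.
to_pem() { openssl x509 -in "$1" -inform DER -out "$2" -outform PEM; }
to_der() { openssl x509 -in "$1" -inform PEM -out "$2" -outform DER; }

# The SHA-256 fingerprint is independent of encoding, so equal fingerprints
# before and after a conversion prove nothing was lost.
fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -fingerprint -sha256 \
        | cut -d= -f2
}

make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=diag.example.test" -keyout diag.key -out diag.pem 2>/dev/null
}

# Entry type for an alias, or MISSING when keytool knows no such alias.
entry_type() {    # $1 = keystore file, $2 = alias
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' || echo MISSING
}

# Simulate a key that ended up under alias "1" instead of the configured one.
make_misnamed_keystore() {
    keytool -genkeypair -alias 1 -keyalg RSA -keysize 2048 -keystore diag.jks \
        -storepass "$PASS" -keypass "$PASS" -dname "CN=diag.example.test" -validity 30
}
fix_alias() {     # $1 = keystore file, $2 = current alias, $3 = wanted alias
    keytool -changealias -keystore "$1" -storepass "$PASS" -alias "$2" -destalias "$3"
}

# Stand-alone use: sh diag.sh run
if [ "${1:-}" = run ]; then
    make_test_cert
    to_der diag.pem diag.der
    printf 'diag.pem is %s, diag.der is %s, fingerprints match: ' \
        "$(cert_format diag.pem)" "$(cert_format diag.der)"
    [ "$(fingerprint diag.pem)" = "$(fingerprint diag.der)" ] && echo yes || echo no
    make_misnamed_keystore
    printf 'jboss before: %s\n' "$(entry_type diag.jks jboss)"
    fix_alias diag.jks 1 jboss
    printf 'jboss after:  %s\n' "$(entry_type diag.jks jboss)"
fi
```

The alias check is the one to run first when HTTPS serves the wrong certificate: a connector configured for alias jboss silently falls back to whatever keytool finds if that alias is not a PrivateKeyEntry.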
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.