This document addresses only how to create a Java keystore which will contain an M.I.T. issued application certificate. This is NOT a tutorial on Java keystores.

PREREQUISITES

    Before you begin, you must have the following:

${renderedContent}

1. How to create a Java keystore that contains an Application Certificate.

The M.I.T. issued Application Certificate must be converted from x509v3 format to a pkcs12 format.  To do this, obtain the mitca.cer (this is the mit CA public key) by going to http://ca.mit.edu/mitca.crt and saving the certificate in the same directory where you have stored your rverrver certificate.

To convert the Application Certificate to a pkcs12 format, execute the following command line:

    openssl pkcs12 -in <your certificate name>.cer -inkey <your certificate name>-privatekey.pem -export -out <your certificate name>.p12 -nodes -CAfile mitca.cer

When prompted for a password, use a password that is well known to you.  Don't forget this password because you will need it when configuring an application to use this keystore.

The resulting p12 certificate will be named <your certificate name>.p12.  This certificate must now be imported into a java keystore.

For example, suppose that your certificate file is foo.cer amd the private key for foo.cer is foo-privatekey.pem, the the command line would be:

    openssl pkcs12 -in foo.cer -inkey foo-privatekey.pem -export -out foo.p12 -nodes -CAfile mitca.cer

and the resulting p12 certificate would be foo.p12.

    To create a Java keystore that contains an application certificate, do the following:

    For Java JDK 1.6 or later:

To create the java keystore, execute the following command line:

    keytool -importkeystore -srckeystore <your certificate name>.p12 -destkeystore <the name of your Application Certificate jks>.jks -srcstoretype pkcs12 -deststoretype jks

When prompted for a password, use a password that is well known to you.  Don't forget this password because you will need it when configuring an application to use this keystore.

For example: If your application certificate name is foo.app.mit.edu, the command line would be:

    keytool -importkeystore -srckeystore foo.p12 -destkeystore foo.jks -srcstoretype pkcs12 -deststoretype jks

Change the alias of the certificate stored in the jks by executing the following command line:

    keytool -changealias -keystore <the name of your Application Certificate jks>.jks -alias 1 -destalias <your certificate name>

For example: If your application certificate name is foo.app.mit.edu, the command line would be:

    keytool -changealias -keystore foo.jks -alias 1 -destalias foo

    For Java JDK 1.5 or earlier

To create a java keystore, obtain a copy of PKCS12Import.jar and place it in your working directory.  Execute the following command line:

    java -jar PKCS12Import.jar <your certificate name>.p12 <the name of your Applicaiton Certificate jks>.jks changeit.

The keystore password will be set to changeit.

For example: If your certificate name is foo.mit.edu, the command line would be:

    java -jar PKCS12Import foo.p12 foo.jks changeit

NOTE: If you need the PKCS12Import.jar, you can download it now.

    Finally, verify that the keystore was created successfully by executing the following command line:

    keytool -list -keystore <the name of your Application Certificate jks>.jks

If everything is correct, something similar to the following line should be displayed.

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    <your certificate name>.p12, Jan 8, 2007, PrivateKeyEntry,
    Certificate fingerprint (MD5): 66:C1:4E:0D:B1:59:FB:4C:99:E8:1A:49:7D:F6:EF:32

The <the name of your Application Certificate jks>.jks keystore can now be used by Tomcat as a Java keystore.

NOTE: the keystore that you have created must contain only 1 certificate.

  • No labels

1 Comment

  1. The link (http://ca.mit.edu/mitca.crt) in the section titled "How to create a Java Keystore... " for getting the CA public key doesn't navigate to the page if this key is already installed.  This problem occurs in Firefox, but not in Chrome.