This document addresses only how to create a Java keystore which will contain an M.I.T. issued application certificate. This is NOT a tutorial on Java keystores.
PREREQUISITES
Before you begin, you must have the following:
1. How to create a Java keystore that contains an Application Certificate.
The M.I.T. issued Application Certificate must be converted from x509v3 format to pkcs12 format. To do this, obtain mitca.cer (this is the MIT CA public key certificate) by going to http://ca.mit.edu/mitca.crt and saving the certificate as mitca.cer in the same directory where you have stored your server certificate.
To convert the Application Certificate to a pkcs12 format, execute the following command line:
openssl pkcs12 -in <your certificate name>.cer -inkey <your certificate name>-privatekey.pem -export -out <your certificate name>.p12 -nodes -CAfile mitca.cer
When prompted for a password, use a password that is well known to you. Don't forget this password because you will need it when configuring an application to use this keystore.
The resulting p12 certificate will be named <your certificate name>.p12. This certificate must now be imported into a java keystore.
For example, suppose that your certificate file is foo.cer and the private key for foo.cer is foo-privatekey.pem; then the command line would be:
openssl pkcs12 -in foo.cer -inkey foo-privatekey.pem -export -out foo.p12 -nodes -CAfile mitca.cer
and the resulting p12 certificate would be foo.p12.
To create a Java keystore that contains an application certificate, do the following:
For Java JDK 1.6 or later:
To create the java keystore, execute the following command line:
keytool -importkeystore -srckeystore <your certificate name>.p12 -destkeystore <the name of your Application Certificate jks>.jks -srcstoretype pkcs12 -deststoretype jks
When prompted for a password, use a password that is well known to you. Don't forget this password because you will need it when configuring an application to use this keystore.
For example: If your application certificate name is foo.app.mit.edu, the command line would be:
keytool -importkeystore -srckeystore foo.p12 -destkeystore foo.jks -srcstoretype pkcs12 -deststoretype jks
Change the alias of the certificate stored in the jks by executing the following command line:
keytool -changealias -keystore <the name of your Application Certificate jks>.jks -alias 1 -destalias <your certificate name>
For example: If your application certificate name is foo.app.mit.edu, the command line would be:
keytool -changealias -keystore foo.jks -alias 1 -destalias foo
For Java JDK 1.5 or earlier:
To create a java keystore, obtain a copy of PKCS12Import.jar and place it in your working directory. Execute the following command line:
java -jar PKCS12Import.jar <your certificate name>.p12 <the name of your Application Certificate jks>.jks changeit
The keystore password will be set to changeit.
For example: If your certificate name is foo.mit.edu, the command line would be:
java -jar PKCS12Import.jar foo.p12 foo.jks changeit
NOTE: If you need the PKCS12Import.jar, you can download it now.
Finally, verify that the keystore was created successfully by executing the following command line:
keytool -list -keystore <the name of your Application Certificate jks>.jks
If everything is correct, output similar to the following lines should be displayed.
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
<your certificate name>.p12, Jan 8, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 66:C1:4E:0D:B1:59:FB:4C:99:E8:1A:49:7D:F6:EF:32
The <the name of your Application Certificate jks>.jks keystore can now be used by Tomcat as a Java keystore.
NOTE: the keystore that you have created must contain only 1 certificate.
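The steps above, scripted end to end, as an added example that is not part of the original article: shell functions that run the openssl conversion, the JDK 1.6+ keytool import and alias change, and then parse the keytool -list output to confirm the keystore holds exactly one PrivateKeyEntry under the expected alias (the single-certificate requirement stated in the note). It assumes openssl and keytool are on PATH, that mitca.cer is in the working directory, and that the <name>.cer / <name>-privatekey.pem naming from the article is followed; the password is passed as an argument instead of typed at a prompt.

```shell
#!/bin/sh
# Added example (not from the MIT KB article): automates the article's
# procedure for JDK 1.6 or later and verifies the result. Assumes openssl
# and keytool are installed and mitca.cer is in the working directory.
set -e

# Step 1: bundle <name>.cer and <name>-privatekey.pem into <name>.p12.
# The export password comes from $2 rather than an interactive prompt.
make_p12() {
  name="$1"; pass="$2"
  openssl pkcs12 -in "$name.cer" -inkey "$name-privatekey.pem" -export \
    -out "$name.p12" -nodes -CAfile mitca.cer -passout "pass:$pass"
}

# Step 2 (JDK 1.6+): import the .p12 into <name>.jks, then rename the
# alias from the default "1" to <name>. Same password for both stores.
make_jks() {
  name="$1"; pass="$2"
  keytool -importkeystore -srckeystore "$name.p12" -srcstoretype pkcs12 \
    -srcstorepass "$pass" -destkeystore "$name.jks" -deststoretype jks \
    -deststorepass "$pass" -noprompt
  keytool -changealias -keystore "$name.jks" -storepass "$pass" \
    -alias 1 -destalias "$name"
}

# Step 3: pull the entry count out of `keytool -list` output read from
# stdin ("Your keystore contains 1 entry"). Prints the number, or nothing.
entry_count() {
  sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}

# Returns 0 only when the listing shows exactly one entry and that entry
# is a PrivateKeyEntry under the expected alias; anything else means the
# keystore is not the single-certificate keystore Tomcat expects.
check_listing() {
  want_alias="$1"; listing="$2"
  count=$(printf '%s\n' "$listing" | entry_count)
  [ "${count:-0}" -eq 1 ] || return 1
  printf '%s\n' "$listing" | grep -q "^$want_alias,.*PrivateKeyEntry" || return 1
}

# Full run: convert, import, rename, list, verify. Exits non-zero on any
# failure because of `set -e` and the return codes above.
build_and_verify() {
  name="$1"; pass="$2"
  make_p12 "$name" "$pass"
  make_jks "$name" "$pass"
  listing=$(keytool -list -keystore "$name.jks" -storepass "$pass")
  check_listing "$name" "$listing"
}

# Usage, with the article's example names (uncomment to run):
# build_and_verify foo 'your-well-known-password'
```

The check_listing function is deliberately strict: a keystore that lists two entries, or whose only entry is a trustedCertEntry rather than a PrivateKeyEntry, is rejected, which catches the common mistake of importing the CA certificate alongside the application certificate.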
1 Comment
Peter Wilkins
The link (http://ca.mit.edu/mitca.crt) in the section titled "How to create a Java Keystore... " for getting the CA public key doesn't navigate to the page if this key is already installed. This problem occurs in Firefox, but not in Chrome.