Thursday, March 27, 2008

Keystore management - Part I

A keystore is a special file type that holds your keys and certificates and protects them all with a password. In other words, a keystore is much like a hashtable: each entry is identified by an alias, and the alias maps to the key or certificate stored under it.

Make sure you have installed Java and added C:\Program Files\Java\jdk1.5.0_06\bin [i.e. JAVA_HOME\bin] to your PATH environment variable.

This post covers everything you need to create a keystore. Let's move step by step.

1. Create a private key

This is the first thing you need to do.

keytool -genkey -alias mycert -keyalg RSA -keysize 1024 -dname "CN=localhost,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass mypkpassword -keystore mykeystore.jks -storepass mystorepassword

CN --> Common Name
OU --> Organizational Unit
O --> Organization
L --> Locality
S --> State
C --> Country

This generates a private key and stores it in the given keystore [mykeystore.jks]. If that keystore does not exist yet, the command above creates a new one for you containing the private key.

Also note the two password parameters, -keypass and -storepass. -keypass is the password that protects your private key and -storepass is the password that protects the keystore itself.

Once you have executed the above command, a new file named mykeystore.jks will be created in your current directory - that is your keystore.

2. View what is in your keystore

In step 1, we created a keystore and added our private key to the keystore. Let's see what it actually has.

keytool -list -v -keystore mykeystore.jks -storepass mystorepassword

You'll get something like this as the output.

==================================================================================
Your keystore contains 1 entry

Alias name: mycert
Creation date: Mar 27, 2008
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Issuer: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Serial number: 47eb5684
Valid from: Thu Mar 27 14:10:44 LKT 2008 until: Wed Jun 25 14:10:44 LKT 2008
Certificate fingerprints:
MD5: 4E:32:22:91:F5:64:FF:4D:C5:A9:F4:29:C5:5C:11:AB
SHA1: E0:E1:33:D3:1E:62:30:5B:29:E7:76:A0:B6:45:AF:D4:7E:39:8D:23
===================================================================================

3. Create Certificate Signing Request (CSR)

Now we need to have our certificate signed by a Certificate Authority (CA). To do that we need to create a CSR.

keytool -certreq -v -alias mycert -file csr-for-mycert.pem -keypass mypkpassword -storepass mystorepassword -keystore mykeystore.jks

This writes csr-for-mycert.pem to your current directory - this is the CSR which you need to provide to the CA for signing.

4. Get signed by a CA

You can get this done by the VeriSign Trial CA - it signs your certificate, but the resulting certificate is valid only for 14 days.

Follow the wizard there and, when asked to provide the CSR, open the file csr-for-mycert.pem in Notepad, copy the whole text (from the -----BEGIN NEW CERTIFICATE REQUEST----- line to the -----END NEW CERTIFICATE REQUEST----- line, inclusive) and paste it into the appropriate field on the wizard page.


5. Import the CA root certificate

Once you have completed the wizard in step 4, within a few minutes you'll receive an email from VeriSign with the signed certificate.

Before adding the signed certificate to the keystore, we first need to add the CA root certificate to the keystore, since keytool must be able to build the chain from our certificate up to a trusted root.

You can get VeriSign's root certificate from here.

Copy all the text from there into a new file and name it verisign-demo-root-cert.pem.

Now, let's add it to our keystore.

keytool -import -v -noprompt -trustcacerts -alias verisigndemocert -file verisign-demo-root-cert.pem -keystore mykeystore.jks -storepass mystorepassword

6. Import the intermediate CA certificate

You can get VeriSign's intermediate CA certificate from here.

As in step 5, copy the text from there into a new file and name it verisign-demo-root-im-cert.pem.

Let's add it to our keystore, as well.

keytool -import -v -noprompt -trustcacerts -alias verisigndemoimcert -file verisign-demo-root-im-cert.pem -keystore mykeystore.jks -storepass mystorepassword

7. Import signed certificate

All set now, let's import our signed certificate into the keystore.

You can find the certificate at the bottom of the email you received from VeriSign.


Copy the text from there into a new file and name it mysignedcert.pem.

Now, let's add the signed certificate to our keystore. Note that the alias is the same one used in step 1 (mycert), so the signed certificate replaces the self-signed one on the existing private key entry rather than creating a separate trusted-certificate entry.

keytool -import -v -alias mycert -file mysignedcert.pem -keystore mykeystore.jks -keypass mypkpassword -storepass mystorepassword

All done - now you have a keystore with your own certificate signed by a CA.
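As an added check after step 7 (this is not part of the original post), here is a small Java program that opens the keystore with the same file name, alias and passwords used above, confirms the private key is still readable, and walks the certificate chain. Java is used because a JKS file is read through java.security.KeyStore, the same API keytool itself uses. Compile with javac KeystoreCheck.java and run with java KeystoreCheck [path-to-keystore].

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        // File name, alias and passwords are the ones used in the steps above.
        String path = args.length > 0 ? args[0] : "mykeystore.jks";
        char[] storePass = "mystorepassword".toCharArray();
        char[] keyPass = "mypkpassword".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);   // a wrong -storepass fails here with an IOException
        } finally {
            in.close();
        }
        // The alias from step 1 must still be a key entry, not a plain trusted-cert entry.
        if (!ks.isKeyEntry("mycert")) {
            throw new IllegalStateException("mycert is not a key entry");
        }
        // Proves the private key is intact and -keypass is correct
        // (UnrecoverableKeyException otherwise).
        ks.getKey("mycert", keyPass);
        Certificate[] chain = ks.getCertificateChain("mycert");
        X509Certificate leaf = (X509Certificate) chain[0];
        // Before step 7 the chain has length 1 and the leaf is self-signed (issuer equals
        // subject). After step 7 it should be longer and the leaf no longer self-signed.
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        System.out.println("Chain length: " + chain.length + ", leaf self-signed: " + selfSigned);
        leaf.checkValidity();   // throws if expired or not yet valid (trial certs last 14 days)
        // Each certificate in the chain must verify under the next one's public key.
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate issuer = (X509Certificate) chain[i + 1];
            chain[i].verify(issuer.getPublicKey());   // SignatureException if the chain is broken
            System.out.println(((X509Certificate) chain[i]).getSubjectX500Principal()
                    + " signed by " + issuer.getSubjectX500Principal());
        }
        // The CA certificates imported in steps 5 and 6 show up as trusted certificate entries.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println("Trusted certificate entry: " + alias);
            }
        }
    }
}
```

If the program reports a chain length of 1 with a self-signed leaf after step 7, the import in step 7 did not replace the self-signed certificate; re-check that the alias and -keypass match step 1.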

2 comments:

Anonymous said...

This is exactly what I've been looking for. Thanks!

nisha said...

thanks very much...this was perfect! ;-)