About this task
You are going to use keytool (provided with the JDK) to create and manipulate the keys and certificates.
Procedure
- Create two key pairs:
  - one for the server side (used for SSL),
  - one as an example of the client side (used for "trust"; this should be performed for each client, on the client side).

  mkdir -p etc/keystores
  cd etc/keystores
  keytool -genkey -keyalg RSA -validity 365 -alias serverkey -keypass password -storepass password -keystore keystore.jks
  keytool -genkey -keyalg RSA -validity 365 -alias clientkey -keypass password -storepass password -keystore client.jks

  These keys are self-signed. In a production system, you should use a Certificate Authority (CA).
- Export the client certificate and import it into the server keystore:

  keytool -export -rfc -keystore client.jks -storepass password -alias clientkey -file client.cer
  keytool -import -trustcacerts -keystore keystore.jks -storepass password -alias clientkey -file client.cer
- Check that the client certificate is trusted in our keystore:

  keytool -list -v -keystore keystore.jks
  ...
  Alias name: clientkey
  Creation date: Dec 12, 2012
  Entry type: trustedCertEntry
  ...
- You can now remove the client.cer certificate.
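The whole procedure above as a non-interactive script, added here as an example (it is not part of the original page or of the project's own tooling). Beyond the steps on the page it checks, before deleting client.cer, that the alias really landed in keystore.jks as a trustedCertEntry and that the SHA-256 fingerprint stored there matches the exported file, so that a typo in an alias or a stray import of the wrong certificate is caught. It assumes the JDK's keytool is on PATH, and the -dname values and the "password" secrets are placeholders matching the page's example (keytool prompts for the password if you omit -storepass).

```shell
#!/bin/sh
# Added example, not from the original page: the keytool procedure as a script,
# plus a check that the client certificate was imported as a trusted entry with
# the expected fingerprint. Assumes keytool (JDK) is on PATH; the -dname values
# and the "password" secrets are placeholders matching the page's example.

KEYSTORE_DIR="${KEYSTORE_DIR:-etc/keystores}"
STOREPASS="${STOREPASS:-password}"   # placeholder; keytool prompts if -storepass is omitted

# Read `keytool -list -v` output on stdin; succeed only if alias $1 is listed
# with "Entry type: trustedCertEntry" (a PrivateKeyEntry or a missing alias fails).
entry_is_trusted() {
    awk -v alias="$1" '
        /^Alias name:/ { current = $3; next }
        /^Entry type:/ { if (current == alias) { print $3; exit } }
    ' | grep -qx 'trustedCertEntry'
}

# Read keytool output (-list -v or -printcert) on stdin and print the first
# SHA-256 fingerprint it contains, i.e. the value after "SHA256:".
sha256_fingerprint() {
    awk '/^[[:space:]]*SHA256:/ { print $2; exit }'
}

create_keystores() {
    mkdir -p "$KEYSTORE_DIR"
    cd "$KEYSTORE_DIR" || return 1

    # Step 1: one key pair for the server (SSL) and one standing in for a client.
    # -genkeypair is the current name of -genkey; -dname avoids the interactive prompts.
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias serverkey \
        -dname "CN=server.example, O=Example" \
        -keypass "$STOREPASS" -storepass "$STOREPASS" -keystore keystore.jks
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias clientkey \
        -dname "CN=client.example, O=Example" \
        -keypass "$STOREPASS" -storepass "$STOREPASS" -keystore client.jks

    # Step 2: export the client certificate and import it into the server keystore.
    keytool -export -rfc -keystore client.jks -storepass "$STOREPASS" \
        -alias clientkey -file client.cer
    keytool -import -noprompt -trustcacerts -keystore keystore.jks \
        -storepass "$STOREPASS" -alias clientkey -file client.cer

    # Step 3: verify the entry type and that the fingerprint stored in
    # keystore.jks is the one of the file we just exported.
    listing=$(keytool -list -v -keystore keystore.jks -storepass "$STOREPASS" -alias clientkey)
    printf '%s\n' "$listing" | entry_is_trusted clientkey || {
        echo "clientkey is not a trustedCertEntry in keystore.jks" >&2; return 1; }
    expected=$(keytool -printcert -file client.cer | sha256_fingerprint)
    actual=$(printf '%s\n' "$listing" | sha256_fingerprint)
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || {
        echo "fingerprint mismatch: keystore=$actual file=$expected" >&2; return 1; }

    # Step 4: the exported file is no longer needed.
    rm -f client.cer
    echo "keystore.jks trusts clientkey ($actual)"
}

# Run the procedure only when asked for explicitly: sh create-keystores.sh run
if [ "${1:-}" = run ]; then
    create_keystores
fi
```

Invoke it as `sh create-keystores.sh run` from the directory that should contain etc/keystores; the two helper functions only parse keytool's text output, so they can be exercised on their own without generating any keys.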