Create SSL Server Certificate with "keytool"

Q

How to create an SSL Server Certificate with JDK "keytool"? I want to run an SSL socket server program.

✍: FYIcenter

A

"keytool" from the JDK package is a tool for creating public and private key pairs. It also lets you create self-signed certificates that you can use as SSL server certificates. Here are the steps you can follow to create an SSL server certificate for testing purposes:

1. Generate a self-signed certificate as the server certificate in a new keystore file:

\fyicenter>\local\jdk-1.8.0\bin\keytool -genkeypair -alias server -keystore server.jks
Enter keystore password: fyicenter
Re-enter new password: fyicenter
What is your first and last name?
  [Unknown]:  fyicenter.com
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  FYIcenter
What is the name of your City or Locality?
  [Unknown]:  NA
What is the name of your State or Province?
  [Unknown]:  NA
What is the two-letter country code for this unit?
  [Unknown]:  FR
Is CN=fyicenter.com, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR correct?
  [no]:  yes

Enter key password for <server>
        (RETURN if same as keystore password): fyicenter
Re-enter new password: fyicenter

2. Export the server certificate to a certificate file so that you can give it to clients:

\fyicenter>\local\jdk-1.8.0\bin\keytool -exportcert -alias server -keystore server.jks -file server.crt

Enter keystore password: fyicenter
Certificate stored in file <server.crt>

3. Verify the server certificate file:

\fyicenter>\local\jdk-1.8.0\bin\keytool -printcert -file server.crt
Owner: CN=fyicenter.com, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Issuer: CN=fyicenter.com, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Serial number: 5ae4a887
Valid from: Sun Jun 25 08:00:08 until: Sat Sep 23 08:00:08
Certificate fingerprints:
         MD5:  A1:F0:B5:DA:FC:3F:F8:19:F4:B7:45:21:7A:B4:DE:36
         SHA1: 7A:5C:4E:6D:9A:46:4E:89:59:C6:85:B6:1C:02:70:E9:FC:88:0C:66
         SHA256: 90:81:76:8B:76:A9:51:36:84:24:35:62:D8:53:E1:CB:AD:0B:10:12:A3:...
         Signature algorithm name: SHA1withDSA
         Version: 3
...

The server certificate is ready. To use it, you need to provide server.jks to the SSL server program, and provide server.crt to the client program.
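
The following is an added example, not the SslServerCmd.java or SslClientCmd.java code from this site: it shows one way the server program can load server.jks and the client program can trust only server.crt. The class and method names (SslContexts, forServer, forClient) are hypothetical, and it assumes both files from the steps above are in the working directory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
// Added example with hypothetical names; file names and password come from the steps above.
public class SslContexts {

    // Server side: the private key and its certificate are read from server.jks.
    static SSLContext forServer(String jks, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jks)) {
            ks.load(in, storePass); // also verifies keystore integrity with the password
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // server does not need trust material
        return ctx;
    }

    // Client side: trust exactly the exported server.crt instead of the JDK's default CAs.
    static SSLContext forClient(String crt) throws Exception {
        Certificate cert;
        try (InputStream in = new FileInputStream(crt)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // start from an empty in-memory truststore
        ts.setCertificateEntry("server", cert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "fyicenter".toCharArray(); // test-only password used in step 1
        SSLContext server = forServer("server.jks", pass, pass);
        SSLContext client = forClient("server.crt");
        System.out.println("server=" + server.getProtocol() + " client=" + client.getProtocol());
    }
}
```

The server creates its listening socket from `getServerSocketFactory()` and the client connects through `getSocketFactory()` on the returned contexts. The output in step 3 shows SHA1withDSA; adding `-keyalg RSA` to the `-genkeypair` command in step 1 generates an RSA key pair instead.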

 


2018-06-27