Create SSL Client Certificate with "keytool"

Q

How to create an SSL client certificate with the JDK "keytool"? I want to run an SSL socket client program that requires client authentication.

✍: FYIcenter

A

"keytool" from the JDK package is a convenient tool for creating public and private key pairs. It also lets you create self-signed client certificates that you can use as SSL client certificates. Here are the steps you can follow to create an SSL client certificate for testing purposes:

1. Generate a self-signed certificate as the client certificate in a keystore file:

\fyicenter>\local\jdk-1.8.0\bin\keytool -genkeypair -alias client -keystore client.jks

Enter keystore password: fyicenter
What is your first and last name?
  [Unknown]:  Frank Y. Ivy
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  FYIcenter
What is the name of your City or Locality?
  [Unknown]:  NA
What is the name of your State or Province?
  [Unknown]:  NA
What is the two-letter country code for this unit?
  [Unknown]:  FR
Is CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR correct?
  [no]:  yes

Enter key password for <client>
        (RETURN if same as keystore password): fyicenter
Re-enter new password: fyicenter

2. Export the client certificate to a certificate file so that it can be given to the server (the file contains only the certificate, not the private key):

\fyicenter>\local\jdk-1.8.0\bin\keytool -exportcert -alias client -keystore client.jks 
   -file client.crt

Enter keystore password: fyicenter
Certificate stored in file <client.crt>

3. Verify the client certificate file:

\fyicenter>\local\jdk-1.8.0\bin\keytool -printcert -file client.crt

Owner: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Issuer: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Serial number: 12414e2f
Valid from: Sun Jun 25 11:29:50 until: Sat Sep 23 11:29:50
Certificate fingerprints:
         MD5:  C3:C7:4D:06:F5:62:91:3D:C3:25:93:2C:01:BE:EF:B5
         SHA1: FF:08:6F:E1:80:C2:72:8D:81:58:21:AF:31:C2:02:AA:CB:02:A8:5E
         SHA256: 1B:ED:2E:B5:88:0C:8E:B6:A3:29:04:9D:15:B6:B2:C6:5A:14:AF:38:0C:...
         Signature algorithm name: SHA1withDSA
         Version: 3
...

The client certificate is ready. To use it, keep client.jks (which holds the private key) with the SSL client program, and give client.crt to the server program so it can trust the client.
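The same three steps, run non-interactively from a POSIX shell, plus the server-side import that the answer only alludes to. This is an added example, not FYIcenter's own script: it assumes a JDK keytool on PATH, and the directory, passwords and distinguished name are constructed sample values for a test setup. The key algorithm, signature algorithm and validity period are passed explicitly, because the defaults visible in the output above (DSA with SHA1withDSA) are rejected by current TLS stacks; the verify step also checks that the exported file carries no private key.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes keytool on PATH.
# STOREPASS and DNAME are sample values; use your own in a real setup.

STOREPASS="${STOREPASS:-fyicenter}"
DNAME="CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR"

# Step 1: self-signed key pair for the client, answered via -dname instead
# of the interactive prompts. RSA/SHA256withRSA replace the DSA/SHA1withDSA
# defaults; -validity is in days (90 matches the Jun 25 .. Sep 23 window).
make_client_keystore() {
  dir="$1"
  keytool -genkeypair -alias client -keystore "$dir/client.jks" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "$DNAME" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 90 >/dev/null
}

# Step 2: export only the certificate. -rfc writes PEM, so the file is
# readable and visibly contains no "PRIVATE KEY" block.
export_client_cert() {
  dir="$1"
  keytool -exportcert -alias client -keystore "$dir/client.jks" \
    -storepass "$STOREPASS" -rfc -file "$dir/client.crt" >/dev/null
}

# Server side: client.crt goes into the server's truststore as a trusted
# certificate entry; client.jks (the private key) never leaves the client.
build_server_truststore() {
  dir="$1"
  keytool -importcert -alias client -file "$dir/client.crt" \
    -keystore "$dir/server-truststore.jks" -storepass "$STOREPASS" \
    -noprompt >/dev/null
}

# Step 3 plus the checks a reviewer wants: the SHA-256 fingerprint of the
# exported file matches the keystore entry, the exported file holds no
# private key, and each keystore has the expected entry type.
# Prints "ok" and returns 0 on success, returns 1 otherwise.
verify_client_cert() {
  dir="$1"
  fp_file=$(keytool -printcert -file "$dir/client.crt" \
    | awk '/SHA256:/ {print $2; exit}')
  fp_store=$(keytool -list -v -alias client -keystore "$dir/client.jks" \
    -storepass "$STOREPASS" | awk '/SHA256:/ {print $2; exit}')
  [ -n "$fp_file" ] && [ "$fp_file" = "$fp_store" ] || return 1
  grep -q 'PRIVATE KEY' "$dir/client.crt" && return 1
  keytool -list -keystore "$dir/client.jks" -storepass "$STOREPASS" \
    | grep -q 'PrivateKeyEntry' || return 1
  keytool -list -keystore "$dir/server-truststore.jks" -storepass "$STOREPASS" \
    | grep -q 'trustedCertEntry' || return 1
  echo ok
}

# Usage: sh make-client-cert.sh /path/to/output-dir
if [ -n "$1" ]; then
  make_client_keystore "$1" && export_client_cert "$1" \
    && build_server_truststore "$1" && verify_client_cert "$1"
fi
```

On JDK 9 and later, keytool writes client.jks in PKCS12 format regardless of the extension and prints a warning about key passwords; that does not affect the steps above. The truststore built here is what an SSL server loads (together with setNeedClientAuth) to require this client's certificate.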

2018-06-12