Create SSL Client Certificate with "keytool"

Q

How to create an SSL Client Certificate with JDK "keytool"? I want to run a SSL socket client program that requires client authentication.

✍: FYIcenter

A

"keytool" from the JDK package is a nice tool to create public and private key pairs. It also allows you that create self-sign client certificates that you can use as SSL client certificates. Here are the steps you can follow to create SSL client certificates for testing purpose:

1. Generate a self-signed certificate as the client certificate in a keystore file:

\fyicenter>\local\jdk-1.8.0\bin\keytool -genkeypair -alias client -keystore client.jks

Enter keystore password: fyicenter
What is your first and last name?
  [Unknown]:  Frank Y. Ivy
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  FYIcenter
What is the name of your City or Locality?
  [Unknown]:  NA
What is the name of your State or Province?
  [Unknown]:  NA
What is the two-letter country code for this unit?
  [Unknown]:  FR
Is CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR correct?
  [no]:  yes

Enter key password for <client>
        (RETURN if same as keystore password): fyicenter
Re-enter new password: fyicenter

2. Export the client certificate as certificate file to be able to give it to server:

\fyicenter>\local\jdk-1.8.0\bin\keytool -exportcert -alias client -keystore client.jks 
   -file client.crt

Enter keystore password: fyicenter
Certificate stored in file <client.crt>

3. Verify the client certificate file:

\fyicenter>\local\jdk-1.8.0\bin\keytool -printcert -file client.crt

Owner: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Issuer: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Serial number: 12414e2f
Valid from: Sun Jun 25 11:29:50 until: Sat Sep 23 11:29:50
Certificate fingerprints:
         MD5:  C3:C7:4D:06:F5:62:91:3D:C3:25:93:2C:01:BE:EF:B5
         SHA1: FF:08:6F:E1:80:C2:72:8D:81:58:21:AF:31:C2:02:AA:CB:02:A8:5E
         SHA256: 1B:ED:2E:B5:88:0C:8E:B6:A3:29:04:9D:15:B6:B2:C6:5A:14:AF:38:0C:...
         Signature algorithm name: SHA1withDSA
         Version: 3
...

The client certificate is ready. To use it, you need to provide client.jks to the SSL server program, and provide client.crt to the server program.

⇒ Client Certificate Authentication Example

⇐ What Is Client Certificate Authentication

⇑ Examples for jsse.jar - Java Secure Socket Extension

⇑⇑ FAQ for jsse.jar - Java Secure Socket Extension

2018-06-12, 1721🔥, 0💬

SslServerCmd.java - SSL Server Command Example
How to create an SSL server program to run like a command? In order to create an SSL server program, you need to do the following: 1. Load the keystore file that contains the server certificate. Remember to specify the keystore password as shown below: KeyStore ks = KeyStore.getInstance("JKS"); ks.l... 2018-06-27, ∼2512🔥, 0💬

Key Manager Not Sending Client Certificate
Why the Key Manager is not sending the client certificate to the SSL server? I have provided a keystore file with the client certificate inside. JSSE documentation does not provide any details on how the Key Manager selects a certificate and sends it the SSL server. But rxg provided a good explanati... 2018-06-12, ∼1909🔥, 0💬

What Is Client Certificate Authentication
What Is Client Certificate Authentication? Client Certificate Authentication is an extra layer of security protection added to the normal SSL socket communication. In a normal SSL socket communication: The client is asking for the server to show server certificate. The client validates the server ce... 2018-06-27, ∼1901🔥, 0💬

Create SSL Client Certificate with "keytool"
How to create an SSL Client Certificate with JDK "keytool"? I want to run a SSL socket client program that requires client authentication. "keytool" from the JDK package is a nice tool to create public and private key pairs. It also allows you that create self-sign client certificates that you can u... 2018-06-12, ∼1722🔥, 0💬

Make SSL Server Certificate Trusted
How to make a SSL self-signed server certificate trusted? I want the ValidatorException going away. There are several options to make a self-signed server certificate trusted: Send your self-signed certificate to a trusted root CA, like GeoTrust, and ask them to sign it for you. Add your self-signed... 2018-06-27, ∼1685🔥, 0💬

Make Client Certificate Trusted by SSL Server
How to make a self-signed client certificate trusted by the SSL server? I want to help Key Manager to send out the client certificate and accepted by the SSL server. There are several options to make a self-signed certificate trusted by the SSL Server: Send your self-signed certificate to a trusted ... 2018-06-12, ∼1678🔥, 0💬

Create SSL Server Certificate with "keytool"
How to create an SSL Server Certificate with JDK "keytool"? I want to run a SSL socket server program. "keytool" from the JDK package is a nice tool to create public and private key pairs. It also allows you that create self-sign server certificates that you can use as SSL server certificates. Here ... 2018-06-27, ∼1621🔥, 0💬

Connect to SSL Server Failed with Invalid Certificate
Why am I getting the ValidatorException error when connecting to an SSL server? You are getting a ValidatorException error when connecting to an SSL server, because the server certificate can not be trusted for one of the following possible reasons: The root CA of the server certificate is unknown. ... 2018-06-27, ∼1601🔥, 0💬

Client Certificate Authentication Example
How to write a SSL client program that use a client certificate? The SSL is asking for client certificate authentication. When an SSL server program is asking for client certificate authentication, it is usually coded as the following: serverSocket.setNeedClientAuth (true);In the SSL client program,... 2018-06-12, ∼1580🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. FYIcenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.