Create SSL Client Certificate with "keytool"

Q

How to create an SSL Client Certificate with JDK "keytool"? I want to run an SSL socket client program that requires client authentication.

✍: FYIcenter

A

"keytool" from the JDK package is a handy tool for creating public and private key pairs. It also lets you create self-signed client certificates that you can use as SSL client certificates. Here are the steps you can follow to create an SSL client certificate for testing purposes:

1. Generate a self-signed certificate as the client certificate in a keystore file. With no -keyalg, -sigalg or -validity options, JDK 8 keytool uses its defaults: a 1024-bit DSA key, a SHA1withDSA signature and a 90-day validity period, which is what the output in step 3 reflects. That is fine for a local test, but for anything else pass -keyalg RSA -keysize 2048 (or -keyalg EC) and a SHA-256 signature algorithm, since DSA and SHA-1 are rejected by current TLS stacks:

\fyicenter>\local\jdk-1.8.0\bin\keytool -genkeypair -alias client -keystore client.jks

Enter keystore password: fyicenter
What is your first and last name?
  [Unknown]:  Frank Y. Ivy
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  FYIcenter
What is the name of your City or Locality?
  [Unknown]:  NA
What is the name of your State or Province?
  [Unknown]:  NA
What is the two-letter country code for this unit?
  [Unknown]:  FR
Is CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR correct?
  [no]:  yes

Enter key password for <client>
        (RETURN if same as keystore password): fyicenter
Re-enter new password: fyicenter

2. Export the client certificate to a certificate file so it can be given to the server. Without the -rfc option keytool writes the certificate in binary DER form; add -rfc if the server side wants a Base64 PEM file:

\fyicenter>\local\jdk-1.8.0\bin\keytool -exportcert -alias client -keystore client.jks 
   -file client.crt

Enter keystore password: fyicenter
Certificate stored in file <client.crt>

3. Verify the client certificate file:

\fyicenter>\local\jdk-1.8.0\bin\keytool -printcert -file client.crt

Owner: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Issuer: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Serial number: 12414e2f
Valid from: Sun Jun 25 11:29:50 until: Sat Sep 23 11:29:50
Certificate fingerprints:
         MD5:  C3:C7:4D:06:F5:62:91:3D:C3:25:93:2C:01:BE:EF:B5
         SHA1: FF:08:6F:E1:80:C2:72:8D:81:58:21:AF:31:C2:02:AA:CB:02:A8:5E
         SHA256: 1B:ED:2E:B5:88:0C:8E:B6:A3:29:04:9D:15:B6:B2:C6:5A:14:AF:38:0C:...
         Signature algorithm name: SHA1withDSA
         Version: 3
...

The client certificate is ready. To use it, provide client.jks (which holds the private key) to the SSL client program as its keystore, and give client.crt (the public certificate only) to the SSL server program, which imports it into its truststore so it can verify the client during the handshake. The private key never leaves the client side.
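The three steps above as one script, plus the step the page leaves implicit: importing the exported certificate into a truststore for the server. This is an added example, not code from the FYIcenter page. It assumes the JDK keytool is on PATH, uses RSA 2048 / SHA256withRSA and an EKU limited to clientAuth instead of the JDK 8 defaults, stores everything in PKCS12 (the JDK 9+ default format), reads the password from an environment variable so it never appears on the command line, and checks the result before declaring success. The directory, alias, DN and the demo password are illustrative.

```shell
#!/bin/sh
# Added example (not part of the original page): hardened keytool client-certificate
# procedure. Assumes keytool is on PATH; KS_PASS is the keystore/key password
# (demo value below; keytool requires at least 6 characters).
set -eu

: "${KS_PASS:=fyicenter}"   # demo password only, override in the environment
export KS_PASS

# 1. Generate the client key pair. Non-interactive thanks to -dname; RSA 2048 with
#    SHA256withRSA instead of JDK 8's 1024-bit DSA / SHA1withDSA defaults, and the
#    certificate is restricted to client authentication via KU/EKU extensions.
gen_client_keypair() {
    dir=$1; name=$2; dn=$3
    keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 -dname "$dn" \
        -ext KU=digitalSignature -ext EKU=clientAuth \
        -keystore "$dir/client.p12" -storetype PKCS12 \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# 2. Export only the certificate, in PEM (-rfc) so any server can read it.
export_client_cert() {
    dir=$1; name=$2
    keytool -exportcert -rfc -alias "$name" -keystore "$dir/client.p12" \
        -storepass:env KS_PASS -file "$dir/client.pem"
}

# 3. Server side: import the certificate into a truststore as a trusted entry.
import_into_truststore() {
    dir=$1; name=$2
    keytool -importcert -noprompt -alias "$name" -file "$dir/client.pem" \
        -keystore "$dir/server-truststore.p12" -storetype PKCS12 -storepass:env KS_PASS
}

# Checks: signature algorithm actually used, and truststore contents.
cert_sigalg() {
    keytool -printcert -file "$1" \
        | sed -n 's/^[[:space:]]*Signature algorithm name:[[:space:]]*//p' | head -n 1
}
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass:env KS_PASS -alias "$2" >/dev/null 2>&1
}

# Driver: make_client_cert <dir> [alias] [dn]
make_client_cert() {
    dir=$1; name=${2:-client}
    dn=${3:-"CN=Frank Y. Ivy, OU=IT, O=FYIcenter, C=FR"}   # illustrative DN
    mkdir -p "$dir"
    gen_client_keypair "$dir" "$name" "$dn"
    export_client_cert "$dir" "$name"
    import_into_truststore "$dir" "$name"
    # Refuse to hand out a certificate that is not signed the way we asked for.
    if [ "$(cert_sigalg "$dir/client.pem")" != "SHA256withRSA" ]; then
        echo "unexpected signature algorithm on $dir/client.pem" >&2
        return 1
    fi
    truststore_has_alias "$dir/server-truststore.p12" "$name"
    echo "client keystore:   $dir/client.p12 (stays with the client program, holds the private key)"
    echo "server truststore: $dir/server-truststore.p12 (goes to the server)"
}

# Usage: sh make-client-cert.sh ./out   (runs only when a directory is given)
if [ $# -gt 0 ]; then
    make_client_cert "$1"
fi
```

The client program then points javax.net.ssl.keyStore at client.p12 and the server points javax.net.ssl.trustStore at server-truststore.p12 (both with the password from KS_PASS); the server must still request client authentication itself, which keytool cannot configure.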


2018-06-12