Setting up keystores for a Client and a Service
Step 1: Creating Certificate Authority Keys
$ openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -config openssl.cnf
Step 2: Client and Service Keys
$ keytool -genkey -alias client -keyalg RSA -keystore client.jks
$ keytool -genkey -alias service -keyalg RSA -keystore service.jks
Step 3: Producing Signed X509 Certificates
We can create signed X509 (version 3) certificates with openssl from certificate requests.
First we have to create the certificate requests using the keys generated for the client and
the service.
$ keytool -certreq -keystore client.jks -storepass changeme -alias client -file client.cert.req
$ keytool -certreq -keystore service.jks -storepass changeme -alias service -file service.cert.req
The above commands create the client.cert.req and service.cert.req files, which we will
use in the next step to produce X509 certificates signed by the private key of the CA using
the 'openssl ca' command.
$ openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req
$ openssl ca -config openssl.cnf -out service.pem -infiles service.cert.req
Note that the CA's configuration file (openssl.cnf) must be configured to point to the
cakey.pem file as the private key to use. The output produced in the client.pem and
service.pem files is plain text. To import these signed certificates into the keystores we
will have to convert them into the binary (DER) format using the 'openssl x509' command.
$ openssl x509 -outform DER -in client.pem -out client.cert
$ openssl x509 -outform DER -in service.pem -out service.cert
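The whole procedure (steps 1 to 3) as one script, added here and not part of the original page: it writes the openssl.cnf the text only refers to, signs the requests in batch mode, converts the results to DER and checks that each DER file is a version 3 certificate chaining to cacert.pem. It assumes openssl is on the PATH and produces the requests with 'openssl req -new' rather than 'keytool -certreq' so it runs without a JDK; the section names, directory layout and the "Demo CA" subject are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page: a scratch CA with the minimal openssl.cnf the page
# refers to, CSR -> CA-signed cert -> DER, then a check. Section names and file layout are our own.
set -eu
write_ca_config() {  # the CA config the page says must point 'openssl ca' at cakey.pem
  cat > "$WORK/openssl.cnf" <<EOF
[ demo_ca ]
new_certs_dir = $WORK/newcerts
database = $WORK/index.txt
serial = $WORK/serial
private_key = $WORK/cakey.pem
certificate = $WORK/cacert.pem
default_md = sha256
policy = policy_any
x509_extensions = v3_ee
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_ee ]
basicConstraints = CA:FALSE
EOF
}
setup_ca() {  # step 1: CA key + self-signed CA cert, plus the bookkeeping files 'openssl ca' needs
  mkdir -p "$WORK/newcerts"; : > "$WORK/index.txt"; echo 01 > "$WORK/serial"; write_ca_config
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 365 \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" -config "$WORK/openssl.cnf" 2>/dev/null
}
make_csr() {  # steps 2 and 3a for $1 (the page does these with keytool -genkey / -certreq)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$WORK/$1.key" \
    -out "$WORK/$1.cert.req" -config "$WORK/openssl.cnf" 2>/dev/null
}
sign_and_convert() {  # step 3b: sign the CSR with the CA key (-notext: PEM only), then PEM -> DER
  openssl ca -batch -notext -days 365 -name demo_ca -config "$WORK/openssl.cnf" \
    -out "$WORK/$1.pem" -infiles "$WORK/$1.cert.req" 2>/dev/null
  openssl x509 -outform DER -in "$WORK/$1.pem" -out "$WORK/$1.cert"
}
verify_cert() {  # 0 only if the DER file is an X.509 v3 certificate that chains to cacert.pem
  openssl x509 -inform DER -in "$WORK/$1.cert" -noout -text | grep -q 'Version: 3' &&
    openssl x509 -inform DER -in "$WORK/$1.cert" | openssl verify -CAfile "$WORK/cacert.pem" >/dev/null
}
run_demo() {  # the whole procedure for client and service inside work directory $1
  WORK=$1; setup_ca
  for n in client service; do make_csr "$n"; sign_and_convert "$n"; verify_cert "$n"; done
  echo "artifacts in $WORK"
}
run_demo "${1:-$(mktemp -d)}"
```

A request written by 'keytool -certreq' drops into sign_and_convert unchanged; to finish the keystore, import cacert.pem under its own alias with 'keytool -importcert' before importing the DER reply under the key's alias.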