A certificate store or keystore is a database of keys. Private keys in a keystore have a certificate chain associated with them, which authenticates the corresponding public key. A keystore also contains certificates from trusted entities.
The keystore must contain a key pair with a certificate signed by a trusted Certification Authority (CA).
How to create a keystore?
We will be using the JDK 'keytool', which is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (user authenticates himself/herself to the service).
To generate the keystore, open a command line and enter the following to generate a key pair and certificate directly into it:
This command will prompt for information about the certificate and for passwords to protect both the keystore and the keys within it. The only mandatory response is to provide the fully qualified host name of the server at the "first and last name" prompt.
Certificate information, for example:
The result is a keystore file whose contents are encrypted with the keystore password.
Get the Certificate
For SSL to work, the certificate must be installed on the machine. There are two ways to obtain it: extract the certificate from the keystore (the easiest, and the one we recommend), or generate a self-signed certificate and import it into the keystore.
The certificate must be installed on the server machine, otherwise SSL will not work. How the certificate is installed varies between operating systems.
This certificate is enough to run SSL. However, the certificate we generated will not be trusted by the browser unless we ask a well-known Certificate Authority (CA) to sign our key/certificate. Among them are: AddTrust, Entrust, GeoTrust, RSA Data Security, Thawte, VISA, ValiCert, Verisign and beTRUSTed.
Extracting the Certificate from the Keystore
Using the command below, you can list the certificates inside the keystore and identify the one to be extracted by its alias.
Once you have identified the alias of the certificate to extract, you can use the following command:
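The whole keytool round trip described above (create the keystore, list its aliases, extract the certificate for one alias and check that its CN is the host name) as an added, non-interactive example; this is not the page's own command text. The host name, alias, password and file names are placeholders, and `-dname` stands in for the interactive prompts:

```shell
#!/bin/sh
# Added example, not from the original page: generate a server key pair and
# certificate into a keystore with keytool, list the aliases, export the
# certificate and check its subject. Host name, alias, password and file
# names are placeholders chosen for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/keystore.jks"
ALIAS="server"
HOST="server.example.test"     # the server's fully qualified host name (CN)
STOREPASS="changeit-example"   # placeholder; PKCS12 stores use one password for store and keys

# Non-interactive equivalent of answering keytool's prompts: -dname supplies
# the "first and last name" (CN) and the organisation fields.
generate_keystore() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$HOST, OU=IT, O=Example, L=City, ST=State, C=US" \
        >/dev/null 2>&1
}

# Print the alias of every private-key or trusted-certificate entry, one per line.
list_aliases() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | awk -F', ' '/PrivateKeyEntry|trustedCertEntry/ { print $1 }'
}

# Export the certificate for ALIAS in PEM form (-rfc); print the output path.
export_cert() {
    out="$WORKDIR/$ALIAS.pem"
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$out" >/dev/null 2>&1
    printf '%s\n' "$out"
}

# Read the CN from the Owner line of an exported certificate, so the exported
# file can be checked against the host name the server will be reached by.
cert_subject_cn() {
    keytool -printcert -file "$1" | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p'
}

if [ "${1:-}" = "--run" ]; then
    generate_keystore
    echo "aliases: $(list_aliases)"
    pem=$(export_cert)
    echo "exported $pem with CN=$(cert_subject_cn "$pem")"
fi
```

Run it as `sh keystore-example.sh --run`. Listing first and then exporting by alias is the safe order: a keystore can hold several entries, and exporting the wrong alias hands the server a certificate whose CN does not match the host name, which browsers reject.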
Generating Self-Signed Certificates
This solution requires OpenSSL to be installed on the machine.
There is a utility script, generate-ssl-certs, available for Windows (generate-ssl-certs.bat) and Linux (generate-ssl-certs.sh), that generates the self-signed CA, server and client certificates. Whichever file you pick, you also need to download the OpenSSL config (openssl.cnf) into the same folder as the script file.
The script takes the client certificate name, the certificate password and a destination folder (if no destination is given, the current folder is used).
generate-ssl-certs.bat must be run from the bin directory. If you run it from another directory it appears to work but does not write all the certificate files (in fact it writes only the key files).
Importing the Certificate into the Keystore
You can generate a keystore for the client certificate and a truststore for the CA certificate.
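The self-signed route and the two stores it ends in, as an added example that is not the page's generate-ssl-certs script: OpenSSL creates a self-signed CA and a client certificate issued by it, the client key and certificate are packed into a PKCS12 keystore, and only the CA certificate goes into a separate truststore via keytool. All subject names, aliases, passwords and file names are placeholders:

```shell
#!/bin/sh
# Added example, not the page's generate-ssl-certs script: build a self-signed
# CA with OpenSSL, issue a client certificate from it, pack the client key and
# certificate into a PKCS12 keystore, and import the CA certificate into a
# separate truststore with keytool. All names and passwords are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STOREPASS="changeit-example"   # placeholder password for both stores
CA_KEY="$WORKDIR/ca.key";         CA_CERT="$WORKDIR/ca.pem"
CLIENT_KEY="$WORKDIR/client.key"; CLIENT_CSR="$WORKDIR/client.csr"
CLIENT_CERT="$WORKDIR/client.pem"; CLIENT_P12="$WORKDIR/client.p12"
TRUSTSTORE="$WORKDIR/truststore.jks"

# Self-signed CA: key and certificate in one step (-x509), 365-day validity.
make_self_signed_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA/O=Example" \
        -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1
    chmod 600 "$CA_KEY"   # the CA key signs everything else; keep it private
}

# A self-signed certificate is its own issuer: subject and issuer must match.
ca_is_self_signed() {
    s=$(openssl x509 -in "$CA_CERT" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$CA_CERT" -noout -issuer  | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# Client certificate: a CSR signed by the CA, then bundled with its key and the
# CA certificate into a PKCS12 file (the client keystore the page refers to).
make_client_keystore() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1/O=Example" \
        -keyout "$CLIENT_KEY" -out "$CLIENT_CSR" >/dev/null 2>&1
    openssl x509 -req -in "$CLIENT_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 365 -out "$CLIENT_CERT" >/dev/null 2>&1
    openssl pkcs12 -export -name client1 -in "$CLIENT_CERT" -inkey "$CLIENT_KEY" \
        -certfile "$CA_CERT" -passout "pass:$STOREPASS" -out "$CLIENT_P12"
}

# Exit status 0 means the client certificate chains to the CA certificate.
client_cert_verifies() {
    openssl verify -CAfile "$CA_CERT" "$CLIENT_CERT" >/dev/null 2>&1
}

# Truststore: only the CA certificate goes in, as a trustedCertEntry.
import_ca_into_truststore() {
    keytool -importcert -noprompt -alias example-ca -file "$CA_CERT" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# True if the truststore lists the given alias as a trusted certificate entry.
truststore_has_alias() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q "^$1, .*trustedCertEntry"
}

if [ "${1:-}" = "--run" ]; then
    make_self_signed_ca && ca_is_self_signed && echo "CA certificate is self-signed"
    make_client_keystore && client_cert_verifies && echo "client certificate chains to the CA"
    import_ca_into_truststore && truststore_has_alias example-ca && echo "CA is in the truststore"
fi
```

Run it as `sh selfsigned-example.sh --run`. Keeping the CA key out of both stores is the point of the split: the client keystore carries a private key and its chain, the truststore carries only public CA certificates, so the truststore can be copied to every machine that must trust the CA without exposing any key. One caveat: PKCS12 files written by OpenSSL 3 use newer default encryption that older JDK keytool releases cannot open; if the keystore is for an old JDK, add OpenSSL's `-legacy` option to the `pkcs12 -export` step.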
Make sure the keystore file is not placed in the "/config/certs" folder of your distribution. Only X509 certificates should be placed in this location.