Bootstrap FreeKB - Java - Create a truststore using the Java keytool command
Java - Create a truststore using the Java keytool command

Updated:   |  Java articles

The keytool command is included with Java, thus you will need to install Java to use the keytool command.

 


keystore vs. truststore

First and foremost, it's important to recongize the difference between a keystore and a truststore. Let's consider a scenario where a Tomcat application server is being used. There will be both inbound and outbound requests. Typically, an inbound request is when a remote system makes a request for an app deployed to Tomcat. Typically, and outbound request is when an app deployed to Tomcat needs to go out, such as when making a query to a remote SQL database.

 

Inbound requests use a keystore to secure the requests. Outbound requests use a truststore to secure the request. So, when you see keystore, think "inbound" and when you see truststore think "outbound".

 


Create a trust store

A truststore contains one or more trustedCertEntry but should not contain any PrivateKeyEntry, which is a key pair (a private key and one or more public certificates).

The only way that I know to accomplish this is to first create a key store, and to then remove the PrivateKeyEntry from the key store, and then import one or more public certificates into the key store, which effectively makes it a trust store, not a key store.

In this example, a keystore named keystore.p12is created, with a single PrivateKeyEntry with an alias of example.com.

keytool -genkey -alias example.com -keyalg RSA -keysize 2048 -storetype pkcs12 -keystore keystore.p12

 

Once the keystore has been created, the keytool command the -list option can be used to list the contents of the keystore, which should show that example.com is a PrivateKeyEntry.

~]# keytool -storetype pkcs12 -keystore keystore.p12 -list
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

example.com, Jul 9, 2021, privateKeyEntry,
Certificate fingerprint (SHA-256): DA:2A:D0:A6:7C:BB:B4:78:B7:8E:67:6B:2D:3C:13:59:52:33:85:56:AD:14:B5:C9:06:3E:4F:49:97:91:BE:EE

 

The keytool command with the -delete option can be used to remove the PrivateKeyEntry from the keystore.

keytool -storetype pkcs12 -keystore keystore.p12 -delete -alias example.com

 

Now the keystore should contain 0 entries.

~]# keytool -storetype pkcs12 -keystore keystore.p12 -list
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries

 

Rename the file from keystore.p12 to truststore.p12, to identify it as a trust store, not a keystore.

mv keystore.p12 truststore.p12

 

The keytool command with the -import option can be used to import a trustedCertEntry into the trust store.

keytool -storetype pkcs12 -keystore truststore.p12 -import -file example.com.crt -alias example.com

 

Now the keystore should contain 1 trustedCertEntry.

~]# keytool -storetype pkcs12 -keystore truststore.p12 -list
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

example.com, Mar 4, 2022, trustedCertEntry, 
Certificate fingerprint (SHA-256): 05:98:F9:16:67:2B:E8:9D:83:C8:C8:B3:3C:90:C8:C0:74:64:9C:2A:A1:18:3B:95:A4:E7:17:F8:99:C0:57:94



Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter eb87fe in the box below so that we can be sure you are a human.