First let’s have a short look at what those certificates are and what you need them for. A certificate is basically a public key together with some additional identification information (e.g. country, location, company…). The certificate is signed by a Certificate Authority (CA), which vouches that the information attached to the certificate is true. A .cer file is a file containing such a certificate.
In addition to the certificate, you also need a private key. The public key in the certificate is publicly available; the private key is known only to you (that’s why the keystore containing it is protected by a password). Anyone can encrypt data to your public key, and only your private key can decrypt it. Conversely, you sign data with your private key, and anyone holding your certificate can verify that signature with the public key. This is what allows everybody to check whether sent information really comes from you. Keep in mind that the password only protects the key at rest: whoever gets hold of the keystore file together with its password can act as you, so guard both.
While developing your software you will most probably be working with self-signed certificates. These certificates do not allow the client application to check whether you are really who you say you are, but they allow you to test most certificate related functionality. keytool generates the key pair and the self-signed certificate in one step, like this:
$JAVA_HOME/bin/keytool -genkey -alias ws_client -keyalg RSA -keysize 2048 -keypass YOUR_KEY_PASSWORD \
-keystore PATH_TO_KEYSTORE/ws_client.keystore \
-storepass YOUR_KEYSTORE_PASSWORD -dname "cn=YOUR_FQDN_OR_IP, ou=YOUR_ORG_UNIT, o=YOUR_COMPANY, c=DE" \
-validity 3650 -J-Xmx256m
Note that the backslashes you see in there are only required so that this command is recognized as a multiline command. If you write it all on one line, you won’t need them. Also be aware that passwords given on the command line end up in your shell history and are visible to other users in the process list; if you omit -keypass and -storepass, keytool prompts for them instead.
The certificate generated above is valid for almost 10 years (3650 days). That is convenient for a development certificate; a certificate issued by a CA for production will normally have a much shorter validity.
The -J parameter passes an option to the JVM that runs keytool; -J-Xmx256m caps the heap so that you do not get an error like this when invoking keytool on a memory-constrained machine:
Error occurred during initialization of VM
Could not reserve enough space for object heap
Could not create the Java virtual machine.
Now, when you go into production, you’ll want to have a “real” certificate so that your users do not get more or less scary messages saying that your identity cannot be verified (i.e. the certificate has not been issued by a trusted certificate authority). You’ll have to buy such a certificate from a public CA or have your customer issue one from their own CA if they run one.
This is how you can display the certificates currently installed in your keystore:
$JAVA_HOME/bin/keytool -list \
-keystore PATH_TO_KEYSTORE/ws_client.keystore \
-storepass YOUR_KEYSTORE_PASSWORD -J-Xmx256m
It will return something like:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
ws_client, Apr 9, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 4A:B5:07:64:A3:FF:16:E4:B9:28:A3:D9:BE:9D:7D:E6
The fingerprint is a hash over the encoded certificate and is what you compare when somebody asks you to confirm a certificate out of band. MD5 should no longer be relied on for that; keytool -list -v also prints the SHA1 fingerprint, and newer JDKs print SHA-256 by default (and create PKCS12 instead of JKS keystores).
You can export this certificate like this:
$JAVA_HOME/bin/keytool -exportcert -rfc -alias ws_client -file CER_FILE_PATH \
-keystore PATH_TO_KEYSTORE/ws_client.keystore \
-storepass YOUR_KEYSTORE_PASSWORD -J-Xmx256m
The -rfc option means that the certificate is not exported in binary (DER) form but as Base64 text between BEGIN and END lines, the PEM format that most other tools accept.
The exported file looks like this (certificate body omitted):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
In order to get a CA-issued certificate, you’ll have to provide your customer’s certificate authority with a certificate signing request (CSR). The request contains the public key and the distinguished name of the entry generated above and is signed with your private key; the private key itself never leaves your keystore. This can be done using the keytool command like this:
$JAVA_HOME/bin/keytool -certreq -alias ws_client -file CSR_FILE_PATH -keypass YOUR_KEY_PASSWORD \
-keystore PATH_TO_KEYSTORE/ws_client.keystore \
-storepass YOUR_KEYSTORE_PASSWORD -J-Xmx256m
The certificate request file looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBmDCCAQECAQAwWDELMAkGA1UEBhMCREUxEzARBgNVBAoTClNJRU1FTlMgQUcxGjAYBgNVBAsT
EU1lZGljYWwgU29sdXRpb25zMRgwFgYDVQQDEw8xOTIuMTY4LjE5MC4yMDAwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAJG3R/srstGMdAhY3ZdahMC7jyV3JyKCYTKNn1qWyP5yLUjjhDkoIUE1
p2QY/t5weZsMlMAMrPMng7TH6lLN99RJx+nWIeLgc0lxJcTW9eDdrer/DgHl37jY/9FEe9ueQsuB
qY4a/0mkagUW6XhHjLYPC7PI3VXw7ue8qzxN8GxnAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQCA
wOaXDF1siyqldzF/5IN/z0VS77nm6hD/JrxpSQi7E+SCT+G/+2I6HBhNba2FTGRqkIkcJ1eG9ZTA
kxMMEO2TI9eZ01xHXP5yUWhOozjHZAFHESpEbP+f7lVLS/EpiLUCCNaSRSMsXqOpi1sEX2v9GrCE
HiU8uypX+jFW/J5REg==
-----END NEW CERTIFICATE REQUEST-----
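Before you send a request off to a CA, it is worth checking what you are actually asking them to sign. The following is an added example, not part of the original post and not keytool’s own code: a minimal PEM/DER reader that decodes the certificate request shown above (copied from the page verbatim as the sample input) and reports the subject, the key algorithm and size, and the signature algorithm. It also computes fingerprints the way keytool does, as digests over the DER bytes; applied to the -rfc export of a certificate, the same function gives the values keytool prints next to “Trust this certificate?”. The OID table only covers what this request needs. Run against the sample, it shows a 1024-bit RSA key signed with SHA1withRSA, not the 2048-bit key the -genkey command above asks for, which is exactly the kind of mismatch you want to catch before a CA certifies it.

```python
import base64
import hashlib

# The certificate request shown above, copied from the page verbatim.
PAGE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBmDCCAQECAQAwWDELMAkGA1UEBhMCREUxEzARBgNVBAoTClNJRU1FTlMgQUcxGjAYBgNVBAsT
EU1lZGljYWwgU29sdXRpb25zMRgwFgYDVQQDEw8xOTIuMTY4LjE5MC4yMDAwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAJG3R/srstGMdAhY3ZdahMC7jyV3JyKCYTKNn1qWyP5yLUjjhDkoIUE1
p2QY/t5weZsMlMAMrPMng7TH6lLN99RJx+nWIeLgc0lxJcTW9eDdrer/DgHl37jY/9FEe9ueQsuB
qY4a/0mkagUW6XhHjLYPC7PI3VXw7ue8qzxN8GxnAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQCA
wOaXDF1siyqldzF/5IN/z0VS77nm6hD/JrxpSQi7E+SCT+G/+2I6HBhNba2FTGRqkIkcJ1eG9ZTA
kxMMEO2TI9eZ01xHXP5yUWhOozjHZAFHESpEbP+f7lVLS/EpiLUCCNaSRSMsXqOpi1sEX2v9GrCE
HiU8uypX+jFW/J5REg==
-----END NEW CERTIFICATE REQUEST-----
"""

# Only the OIDs this example needs; anything else is shown in dotted form.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
}

def pem_to_der(pem):
    """Drop the BEGIN/END lines that -rfc adds and Base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def der_read(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed element's contents into its child (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        out.append((tag, child))
    return out

def decode_oid(raw):
    """Decode an OBJECT IDENTIFIER value into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def decode_name(name):
    """Render an X.500 Name the way keytool prints it (most specific RDN first)."""
    parts = []
    for _, rdn in der_children(name):            # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):         # SEQUENCE { type, value }
            (_, oid), (_, val) = der_children(atv)
            label = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
            parts.append(f"{label}={val.decode()}")
    return ", ".join(reversed(parts))

def fingerprints(der):
    """Colon-separated digests over the DER bytes, keytool's fingerprint format."""
    return {algo: ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())
            for algo in ("sha1", "sha256")}

def inspect_request(pem):
    """Summarise a PKCS#10 request as written by keytool -certreq."""
    der = pem_to_der(pem)
    _, request, _ = der_read(der)
    (_, info), (_, sig_alg), _ = der_children(request)
    (_, version), (_, subject), (_, spki), *_attrs = der_children(info)
    (_, key_alg), (_, key_bits) = der_children(spki)
    key_oid = decode_oid(der_children(key_alg)[0][1])
    key_size = None
    if OID_NAMES.get(key_oid) == "RSA":
        # BIT STRING: one unused-bits byte, then RSAPublicKey { modulus, exponent }
        rsa_key = der_children(key_bits[1:])[0][1]
        (_, modulus), _ = der_children(rsa_key)
        key_size = int.from_bytes(modulus, "big").bit_length()
    sig_oid = decode_oid(der_children(sig_alg)[0][1])
    return {
        "version": int.from_bytes(version, "big"),
        "subject": decode_name(subject),
        "key_algorithm": OID_NAMES.get(key_oid, key_oid),
        "key_size": key_size,
        "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
        "fingerprints": fingerprints(der),
    }

if __name__ == "__main__":
    for field, value in inspect_request(PAGE_CSR).items():
        print(f"{field}: {value}")
```

To check a certificate you have been asked to trust, read the -rfc export into a string and call fingerprints(pem_to_der(text)); the "sha1" entry must match the SHA1 line keytool shows, and the value you got from the CA by another channel.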
This certificate request file can then be sent to the person running the CA. Using this certificate request, he/she will issue a certificate, which you then import under the same alias so that keytool pairs it with your private key:
$JAVA_HOME/bin/keytool -importcert -alias ws_client -file CER_FILE_PATH \
-keystore PATH_TO_KEYSTORE/ws_client.keystore \
-storepass YOUR_KEYSTORE_PASSWORD -J-Xmx256m
Because the alias already holds a private key, keytool treats the file as the reply to your request and must be able to build a chain from it to a trusted root. If the issuing CA’s certificate is not already in the keystore (or in the JDK’s cacerts), import it first under a separate alias; otherwise the import fails with "Failed to establish chain from reply". When you import a CA certificate that way, keytool shows its details and asks whether you trust it. Compare the fingerprint with one you obtained from the CA out of band before answering yes:
Owner: CN=benohead.com, OU=Blog, O=amazingweb GmbH, C=DE
Issuer: CN=benohead.com, OU=HenriCA, O=amazingweb GmbH, C=DE
Serial number: 534565a5
Valid from: Wed Apr 09 17:22:13 CEST 2014 until: Sat Apr 06 17:22:13 CEST 2024
Certificate fingerprints:
MD5: 4A:B5:07:64:A3:FF:16:E4:B9:28:A3:D9:BE:9D:7D:E6
SHA1: 69:C5:C9:9D:08:AE:17:37:2E:58:F6:77:C9:7B:59:59:E3:29:49:74
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Note that whether you use a self-signed certificate or one issued by a trusted CA, you will need to reference the keystore file and provide the keystore password in the configuration of your servlet container or application server (e.g. in jbossweb.sar/server.xml for JBoss). That configuration file and the keystore together give away your private key, so restrict read access to both to the account the server runs as. Finally, the sample certificate above is signed with SHA1withRSA; when you request a production certificate, make sure the CA signs it with SHA-256, since current browsers and TLS libraries reject SHA-1 signatures.