Creating a key and trust store with JSSE in Java
Server Keystore and Truststore:
- Open a command window.
- Go to your private directory under your web application directory.
E.g. c:\Tomcat 4.1\webapps\CSI5389\private>
- Type the following command to create a keystore for the server. The keystore will hold the server's private key together with its self-signed certificate.
keytool -genkey -alias taserver -keyalg RSA -keystore server [Return]
It will prompt for the following values:
- Enter keystore password: <password1>
- What is your first and last name?
[Unknown]: taserver
- What is the name of your organizational unit?
[Unknown]: SITE
- What is the name of your organization?
[Unknown]: University of Ottawa
- What is the name of your City or Locality?
[Unknown]: Ottawa
- What is the name of your State or Province?
[Unknown]: Ontario
- What is the two-letter country code for this unit?
[Unknown]: CA
Is CN=taserver, OU=SITE, O="University of Ottawa",
L=Ottawa, ST=Ontario, C=CA correct?
[no]: yes
Enter key password for <taserver>
(RETURN if same as keystore password): <Return>
- Type the following command to export the self-signed certificate:
keytool -export -alias taserver -keystore server -rfc -file taserver.cer [Return]
Enter keystore password: <password1>
- Copy the self-signed certificate into the directory Java_home\Jre\Lib\Security
- Change your directory to Java_home\Jre\Lib\Security>
- Import the self-signed certificate into a trust store.
keytool -import -alias ca -file taserver.cer -keystore cacerts -storepass changeit [Return]
Trust this certificate? [no]: yes
[Here we are importing the self-signed certificate into the truststore under the alias ca. The default password of cacerts is changeit.]
- If you make a mistake, you can delete the alias ca from the truststore cacerts with the following command, and then repeat the import step above:
keytool -delete -alias ca -keystore cacerts -storepass changeit [Return]
Client Keystore and Truststore:
- Open a command window.
- Go to your private directory under your web application directory.
E.g. c:\Tomcat 4.1\webapps\CSI5389\private>
- Type the following command to create a keystore for the client. The keystore will hold the client's private key together with its self-signed certificate.
keytool -genkey -alias taclient -keyalg RSA -keystore client [Return]
It will prompt for the following values:
- Enter keystore password: <password2>
- What is your first and last name?
[Unknown]: taclient
- What is the name of your organizational unit?
[Unknown]: SITE
- What is the name of your organization?
[Unknown]: University of Ottawa
- What is the name of your City or Locality?
[Unknown]: Ottawa
- What is the name of your State or Province?
[Unknown]: Ontario
- What is the two-letter country code for this unit?
[Unknown]: CA
Is CN=taclient, OU=SITE, O="University of Ottawa",
L=Ottawa, ST=Ontario, C=CA correct?
[no]: yes
Enter key password for <taclient>
(RETURN if same as keystore password): <Return>
- Type the following command to export the self-signed certificate:
keytool -export -alias taclient -keystore client -rfc -file taclient.cer [Return]
Enter keystore password: <password2>
- Copy the self-signed certificate into the directory Java_home\Jre\Lib\Security
- Change your directory to Java_home\Jre\Lib\Security>
- Import the self-signed certificate into the same trust store.
keytool -import -alias ca1 -file taclient.cer -keystore cacerts -storepass changeit [Return]
Trust this certificate? [no]: yes
[Here we are importing the self-signed certificate into the truststore under the alias ca1. The default password of cacerts is changeit.]
- If you make a mistake, you can delete the alias ca1 from the truststore cacerts with the following command, and then repeat the import step above:
keytool -delete -alias ca1 -keystore cacerts -storepass changeit [Return]
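The two walkthroughs above produce a server keystore, a client keystore and one shared truststore (cacerts). The following Java program is an added example, not part of the original page, showing how JSSE consumes those files: each side loads its own keystore into a KeyManagerFactory (its identity) and cacerts into a TrustManagerFactory (who it trusts), and the server requires a client certificate so the handshake only succeeds because taclient.cer was imported under alias ca1. It assumes the passwords password1, password2 and changeit from the walkthrough, that the `server` and `client` files sit in the directory given as the first argument (default: current directory), and that cacerts is the one under the running JVM's java.home; the class name and port choice are hypothetical.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class JsseStores {

    // Load a JKS keystore file (the format keytool created above) with its store password.
    static KeyStore load(Path file, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, storePass);
        }
        return ks;
    }

    // Build an SSLContext from a keystore (our identity) and a truststore (who we trust).
    static SSLContext context(Path keyStoreFile, char[] storePass, char[] keyPass,
                              Path trustStoreFile, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStoreFile, storePass), keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStoreFile, trustPass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations: the "private" directory from the walkthrough and the JRE cacerts
        // that taserver.cer (alias ca) and taclient.cer (alias ca1) were imported into.
        Path priv = Paths.get(args.length > 0 ? args[0] : ".");
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] pw1 = "password1".toCharArray();    // server keystore password (<password1>)
        char[] pw2 = "password2".toCharArray();    // client keystore password (<password2>)
        char[] trustPw = "changeit".toCharArray(); // default cacerts password

        // Key password equals the keystore password because the walkthrough pressed Return.
        SSLContext serverCtx = context(priv.resolve("server"), pw1, pw1, cacerts, trustPw);
        SSLContext clientCtx = context(priv.resolve("client"), pw2, pw2, cacerts, trustPw);

        // Port 0 lets the OS pick a free port; the server demands a client certificate.
        SSLServerSocket ss = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        ss.setNeedClientAuth(true);
        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) ss.accept()) {
                s.startHandshake();
                // Principal comes from the client's certificate: CN=taclient, OU=SITE, ...
                System.out.println("server: client is " + s.getSession().getPeerPrincipal());
                BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream()));
                System.out.println("server received: " + r.readLine());
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        server.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory()
                .createSocket("localhost", ss.getLocalPort())) {
            c.startHandshake();
            // Principal comes from the server's certificate: CN=taserver, OU=SITE, ...
            System.out.println("client: server is " + c.getSession().getPeerPrincipal());
            PrintWriter w = new PrintWriter(c.getOutputStream(), true);
            w.println("hello over mutually authenticated TLS");
        }
        server.join();
        ss.close();
    }
}
```

Two points worth checking when you run it. First, the handshake fails with a "PKIX path building failed" style exception if either alias is missing from cacerts, which is the quickest way to confirm the import steps took effect. Second, the raw SSLSocket API does not compare the certificate's CN (taserver) with the host you connected to; if that check matters, call `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the client socket's parameters. The example reads the JRE's cacerts only because that is where the walkthrough put the certificates; importing into a dedicated truststore file (any other `-keystore` name) keeps the trust decision confined to this application instead of every Java program on the machine.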