- Create a CSR (Certificate Signing Request). Tip: On Windows, use Git Bash to run the openssl commands.
openssl req -out myapp.csr -new -newkey rsa:2048 -nodes -keyout myapp.key
Send the CSR to a Certificate Authority (CA) to get a signed certificate. Keep myapp.key in a safe place. Once the signed certificate is received, import it along with the key into a keystore.
- Export myapp.crt received from the Certificate Authority, together with myapp.key, into a p12 keystore. Tip: Prefixing the openssl command with winpty avoids openssl hanging on Windows.
winpty openssl pkcs12 -export -in myapp.crt -inkey myapp.key -name myapp.jsession4d.com -out myapp.p12
- If you want to add another certificate / private key entry from another keystore into this p12 keystore, use the keytool command below.
keytool -importkeystore -deststorepass mypassword -destkeystore myapp.p12 -srckeystore anotherapp.p12 -srcstoretype PKCS12
After this command, myapp.p12 contains two private key entries (myapp.jsession4d.com and anotherapp.jsession4d.com).
Note: For the merged myapp.p12 to work properly, the key password and store password of anotherapp.p12 must be the same as the key/store password of myapp.p12. Otherwise, the errors below appear when using a keystore with multiple private key entries / certificates.
Errors: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
(or)
java.security.UnrecoverableKeyException: Cannot recover key
- Commands to change the store password and the key password.
keytool -storepasswd -new mypassword -keystore anotherapp.p12 -storepass oldpassword
keytool -keypasswd -alias anotherapp.jsession4d.com -keypass oldpassword -new mypassword -keystore anotherapp.p12 -storepass mypassword
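The merge above relies on the key password matching the store password. As an added example (not part of the original note), the script below performs the same merge with all four passwords passed explicitly, so a mismatch fails at import time rather than later as UnrecoverableKeyException or BadPaddingException, and then counts the private key entries to confirm the result. It requires openssl and keytool on PATH; the file names, aliases and passwords are constructed for this example, and make_p12 self-signs the certificate as a stand-in for the CA-signed myapp.crt.

```shell
#!/bin/sh
# Added example: merge one PKCS#12 keystore into another with explicit
# passwords and verify the entry count afterwards. Requires openssl and keytool.
set -u

# make_p12 DIR ALIAS PASSWORD: generate a key and self-signed certificate
# (stand-in for the CA-signed certificate) and pack them into DIR/ALIAS.p12,
# mirroring "openssl pkcs12 -export" in the note. Constructed test fixture.
make_p12() {
  dir=$1; alias=$2; pass=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$alias" \
    -keyout "$dir/$alias.key" -out "$dir/$alias.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$dir/$alias.crt" -inkey "$dir/$alias.key" \
    -name "$alias" -out "$dir/$alias.p12" -passout "pass:$pass"
}

# merge_p12 DEST SRC PASSWORD: import every entry of SRC into DEST.
# Supplying -srckeypass and -destkeypass (equal to the store password) removes
# the interactive prompt and makes a wrong or mismatched key password a hard
# failure of this command instead of a runtime error in the application.
merge_p12() {
  dest=$1; src=$2; pass=$3
  keytool -importkeystore -noprompt \
    -srckeystore "$src" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -srckeypass "$pass" \
    -destkeystore "$dest" -deststoretype PKCS12 \
    -deststorepass "$pass" -destkeypass "$pass" >/dev/null 2>&1
}

# count_private_keys KEYSTORE PASSWORD: number of PrivateKeyEntry aliases,
# the same check as "keytool -v -list" but reduced to a single number.
count_private_keys() {
  keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" 2>/dev/null |
    grep -c 'PrivateKeyEntry'
}
```

After merging myapp.p12 and anotherapp.p12 with the same password, count_private_keys returns 2; a merge attempted with a wrong password returns a non-zero exit status and leaves the destination unchanged.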
- Command to list and view the certificates / entries in a p12 keystore.
keytool -v -list -storetype pkcs12 -keystore myapp.p12
- Command to convert a p12 keystore to a JKS keystore (if needed).
keytool -importkeystore -deststorepass mypassword -destkeystore myapp.jks -srckeystore myapp.p12 -srcstoretype PKCS12
- To see the password echoed while you type it in keytool commands, use Git Bash on Windows. In Command Prompt the password is not visible.
$ keytool -importkeystore -deststorepass mypassword -destkeystore myapp.jks -srckeystore myapp.p12 -srcstoretype PKCS12
Importing keystore myapp.p12 to myapp.jks…
Enter source keystore password: 7&$$Lpwd
- Command to verify the key password.
$ keytool -keypasswd -keystore myapp.pkcs12 -alias myalias.jsession4d.com
Enter keystore password: mykeystorepwd
//If the key password and keystore password are the same, you are prompted for a new password as below.
New key password for <myalias.jsession4d.com>: mynewkeypassword
//If the key password and keystore password are NOT the same, you are prompted to enter the key password.
Enter key password for <myalias.jsession4d.com>mydiffkeypassword