How To Generate a Self Signed Certificate Using Java Keytool
A self signed certificate is a certificate that is signed by its own key rather than by a trusted certificate authority. Since any attacker can create a self signed certificate and launch a man-in-the-middle attack, a user can’t know whether they are sending their encrypted information to the server or to an attacker. Because of this, you will almost never want to use a self signed certificate on a public Java server that anonymous visitors connect to. In this post we will learn how to generate a self signed certificate using Java Keytool.
However, self signed certificates have their place as follows.
An Intranet
When clients only have to go through a local Intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
A Java development server
There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.
Personal sites with few visitors
If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.
Never use a self signed certificate on an e-commerce site or any site that transfers valuable personal information like credit cards, social security numbers, etc.
How To Generate a Self Signed Certificate Using the RSA Algorithm with Java Keytool
RSA is a public-key cryptosystem developed by RSA Data Security, Inc.
Step 1
Open the command console on whatever operating system you are using and navigate to the directory where keytool.exe is located (usually where the JRE is located, e.g. C:\Program Files\Java\jre6\bin on Windows machines).
Step 2
Run the following command to generate the JKS keystore file (keytool’s -genkey is the older name of the -genkeypair command listed below).
Command
C:\Program Files\Java\jre6\bin> keytool -genkey -keyalg RSA -alias selfsignedjks -keystore JKSkeystore.jks -storepass password -validity 60 -keysize 2048
Bold type indicates built-in keywords and italic type indicates user-defined values that you enter.
Keytool Options
keytool -genkeypair [OPTION]…
Generates a key pair
Options:
-alias : alias name of the entry to process
-keyalg : key algorithm name
-keysize : key bit size
-sigalg : signature algorithm name
-destalias : destination alias
-dname : distinguished name
-startdate : certificate validity start date/time
-ext : X.509 extension
-validity : validity number of days
-keypass : key password
-keystore : keystore name
-storepass : keystore password
-storetype : keystore type
-providername : provider name
-providerclass : provider class name
-providerarg : provider argument
-providerpath : provider classpath
-v : verbose output
-protected : password provided through protected mechanism
Use “keytool -help” for all available commands
Step 3
Fill in the prompts with your organization information. When it asks for your first and last name, enter the domain name that users will type to connect to your application (e.g. www.narayanatutorial.com), because that is the name clients check the certificate against.
What is your first and last name?
[Unknown]: Narayanaswamy Ragi
What is the name of your organizational unit?
[Unknown]: Tutorial
What is the name of your organization?
[Unknown]: narayanatutorial
What is the name of your City or Locality?
[Unknown]: india
What is the name of your State or Province?
[Unknown]: andhrapradesh
What is the two-letter country code for this unit?
[Unknown]: 91
Is CN=Narayanaswamy Ragi, OU=Tutorial, O=narayanatutorial, C=91 correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password):
Re-enter new password:
They don’t match. Try again
Enter key password for
(RETURN if same as keystore password):
Re-enter new password:
Validate the server’s certificate
Using the following command we can validate the self signed certificate.
C:\Program Files\Java\jre6\bin>keytool -list -keystore JKSkeystore.jks -v
Output
Enter keystore password: *****
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: selfsignedjks
Creation date: Dec 29, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Issuer: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Serial number: 1f974c1b
Valid from: Tue Dec 29 10:21:49 IST 2015 until: Fri Dec 23 10:21:49 IST 2016
Certificate fingerprints:
MD5: 3B:D8:37:17:47:51:1B:EF:AD:C9:BE:D4:00:10:53:98
SHA1: D1:EC:71:EE:30:73:2A:77:A3:CE:91:76:51:B8:C4:93:7E:34:F7:20
SHA256: 26:79:4A:7B:71:8F:5E:2D:71:49:0F:67:B9:2E:E4:BA:B3:92:F8:BB:E1:
53:3B:92:5D:18:DC:A1:32:45:C9:E2
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 0C 87 15 62 B2 D6 FB 9C DD 8B D8 B0 D3 63 40 ….b………c@
0010: 2F 07 07 B7 /…
] ]
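The checks that the keytool -list output above lets you do by eye (issuer equals subject, validity window, signature algorithm, key size, SHA-256 fingerprint) can also be scripted, which is useful when a build or deployment step has to verify what actually ended up in the keystore before it is shipped. The following is an added example written for this article, not code from the original post; it assumes the keystore file name, alias and store password from Step 2 (JKSkeystore.jks, selfsignedjks, password) and that the file is in the working directory.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.Date;
import java.util.List;

public class KeystoreCheck {
    // Assumed from Step 2 of the article: file name, alias and store password.
    static final String KEYSTORE = "JKSkeystore.jks";
    static final String ALIAS = "selfsignedjks";
    static final char[] STORE_PASS = "password".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, STORE_PASS);
        }
        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException("no PrivateKeyEntry under alias " + ALIAS);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);

        // A self-signed certificate names itself as issuer and its signature
        // verifies under its own public key; verify() throws if it does not.
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        cert.verify(cert.getPublicKey());

        // Throws CertificateExpiredException / CertificateNotYetValidException.
        cert.checkValidity(new Date());

        // Reject weak keys before the keystore is deployed (the article uses -keysize 2048).
        int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
        if (bits < 2048) {
            throw new IllegalStateException("RSA key too small: " + bits + " bits");
        }

        System.out.println("Subject:         " + cert.getSubjectX500Principal());
        System.out.println("Self-signed:     " + selfSigned);
        System.out.println("Valid until:     " + cert.getNotAfter());
        System.out.println("Signature alg:   " + cert.getSigAlgName());
        System.out.println("RSA key size:    " + bits);
        // This is the value a client operator compares out of band before trusting the cert.
        System.out.println("SHA-256:         " + fingerprint(cert, "SHA-256"));

        // Modern TLS clients match the host name against subjectAltName rather than CN;
        // keytool's -ext option (e.g. -ext san=dns:www.example.com) adds one at generation time.
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        System.out.println("SubjectAltNames: " + (sans == null ? "none (CN only)" : sans));
    }

    /** Colon-separated upper-case hex digest of the DER encoding, in keytool's format. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Compile and run it next to the keystore with javac KeystoreCheck.java && java KeystoreCheck. The SHA-256 line it prints must match the SHA256 fingerprint that keytool -list showed; that fingerprint, not the certificate file alone, is what you hand to anyone who is going to import the certificate into a trust store, so they can confirm they received the real one.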
Export a Self Signed Certificate(JKS) to Certificate(CER) using Java Keytool (JKS–>CER)
Export the generated certificate to the selfsignedjks.cer file (or client.cer if you prefer), using the following command format:
C:\Program Files\Java\jre6\bin> keytool -export -alias selfsignedjks -storepass password -file JKSkeystore.cer -keystore JKSkeystore.jks
Output
Certificate stored in file
Verify the contents of the certificate file
If you wish, you can double-check the contents of the certificate file to make sure it contains the correct certificate
C:\Program Files\Java\jre6\bin> keytool -printcert -file JKSkeystore.cer -v
Output
Owner: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Issuer: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Serial number: 1f974c1b
Valid from: Tue Dec 29 10:21:49 IST 2015 until: Fri Dec 23 10:21:49 IST 2016
Certificate fingerprints:
MD5: 3B:D8:37:17:47:51:1B:EF:AD:C9:BE:D4:00:10:53:98
SHA1: D1:EC:71:EE:30:73:2A:77:A3:CE:91:76:51:B8:C4:93:7E:34:F7:20
SHA256: 26:79:4A:7B:71:8F:5E:2D:71:49:0F:67:B9:2E:E4:BA:B3:92:F8:BB:E1:
53:3B:92:5D:18:DC:A1:32:45:C9:E2
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 0C 87 15 62 B2 D6 FB 9C DD 8B D8 B0 D3 63 40 ….b………c@
0010: 2F 07 07 B7 /…
] ]
Import the certificate into your application’s trust store
The keytool utility’s -import option installs a certificate from a certificate file into a specified trust store.
For example, if your client application’s trust store is kept in the file /local/https/TrustKeyStore, the following command installs the certificate from the file JKSkeystore.cer created above. If the trust store file does not exist yet, keytool creates it and asks you to choose a password for it, which is why the output below prompts for the password twice.
C:\Program Files\Java\jre6\bin>keytool -import -file JKSkeystore.cer -keystore "/local/https/TrustKeyStore"
Output
Enter keystore password: ****
Re-enter new password: ****
Owner: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Issuer: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Serial number: 1f974c1b
Valid from: Tue Dec 29 10:21:49 IST 2015 until: Fri Dec 23 10:21:49 IST 2016
Certificate fingerprints:
MD5: 3B:D8:37:17:47:51:1B:EF:AD:C9:BE:D4:00:10:53:98
SHA1: D1:EC:71:EE:30:73:2A:77:A3:CE:91:76:51:B8:C4:93:7E:34:F7:20
SHA256: 26:79:4A:7B:71:8F:5E:2D:71:49:0F:67:B9:2E:E4:BA:B3:92:F8:BB:E1:
53:3B:92:5D:18:DC:A1:32:45:C9:E2
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 0C 87 15 62 B2 D6 FB 9C DD 8B D8 B0 D3 63 40 ….b………c@
0010: 2F 07 07 B7 /…
] ]
Trust this certificate? [no]: yes
Certificate was added to keystore
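Importing the certificate only helps if the client actually uses that trust store. The following added example, written for this article and not code from the original post, shows what the import changes from the client’s side: the JVM’s default trust store (cacerts) rejects the self signed certificate because nothing it trusts issued it, while the trust store that received the -import above accepts it, and that trust store can then be wired into an SSLContext for HttpsURLConnection. It assumes the exported file JKSkeystore.cer and trust store path /local/https/TrustKeyStore from the article, and a trust store password of changeit, which is a hypothetical value since the page only shows the prompt.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreClient {
    // Paths from the article; the trust store password is a hypothetical value.
    static final String CERT_FILE = "JKSkeystore.cer";
    static final String TRUST_STORE = "/local/https/TrustKeyStore";
    static final char[] TRUST_PASS = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        // The chain a server presenting this certificate would send: just itself.
        X509Certificate serverCert;
        try (FileInputStream in = new FileInputStream(CERT_FILE)) {
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        X509Certificate[] chain = { serverCert };

        // 1. The JVM default trust store knows nothing about this issuer: rejected.
        System.out.println("Default trust store accepts it:  " + accepts(trustManagerFrom(null), chain));

        // 2. The trust store the certificate was imported into: accepted (while it is valid).
        X509TrustManager ours = trustManagerFrom(loadTrustStore());
        System.out.println("Imported trust store accepts it: " + accepts(ours, chain));

        // 3. Make HTTPS clients in this JVM use the imported trust store instead of cacerts.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ours }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    static KeyStore loadTrustStore() throws Exception {
        // keytool -import on a JRE 6 installation creates a JKS store by default.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            ts.load(in, TRUST_PASS);
        }
        return ts;
    }

    /** Builds the platform trust manager; a null keystore means the JVM's default cacerts. */
    static X509TrustManager trustManagerFrom(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Runs the same path-validation check a TLS handshake would, without opening a socket. */
    static boolean accepts(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");   // "RSA" is the key exchange auth type for an RSA cert
            return true;
        } catch (CertificateException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }
}
```

Because checkServerTrusted also enforces the validity period, the imported trust store stops accepting the certificate once the 60 days given to -validity have passed; that is the behaviour you want, and renewing means regenerating the certificate and re-importing it rather than extending trust in code. Note that the trust manager checks only the chain; host name verification against the CN or subjectAltName is a separate check performed by HttpsURLConnection.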
Hello! I am Narayanaswamy founder and admin of narayanatutorial.com. I have been working in the IT industry for more than 12 years. NarayanaTutorial is my web technologies blog. My specialties are Java / J2EE, Spring, Hibernate, Struts, Webservices, PHP, Oracle, MySQL, SQLServer, Web Hosting, Website Development, and IAM(ForgeRock) Specialist
I am a self-learner and passionate about training and writing. I am always trying my best to share my knowledge through my blog.