How To Generate a Self Signed Certificate Using Java Keytool

A self signed certificate is a certificate signed with its own private key rather than by a trusted certificate authority. Since any attacker can create a self signed certificate and launch a man-in-the-middle attack, a user can’t tell whether they are sending their encrypted information to the real server or to an attacker. Because of this, you will almost never want to use a self signed certificate on a public Java server that anonymous visitors connect to. In this post we will learn how to generate a self signed certificate using Java Keytool.

However, self signed certificates have their place as follows.

An Intranet

When clients only have to go through a local Intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.

A Java development server

There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.

Personal sites with few visitors

If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.

Never use a self signed certificate on an e-commerce site or any site that transfers valuable personal information like credit cards, social security numbers, etc.

How To Generate a Self Signed Certificate Using RSA Algorithm by Java Keytool

RSA is public-key encryption technology developed by RSA Data Security, Inc.

Step 1

Open the command console on whatever operating system you are using and navigate to the directory where keytool.exe is located (usually where the JRE is located, e.g. C:\Program Files\Java\jre6\bin on Windows machines).

Step 2

Run the following command to generate a JKS keystore file containing a new RSA key pair and its self signed certificate.

Command

C:\Program Files\Java\jre6\bin> keytool -genkey -keyalg RSA -alias selfsignedjks -keystore JKSkeystore.jks -storepass password -validity 60 -keysize 2048

In the command above, keytool and the option names (-genkey, -keyalg, -alias, -keystore, -storepass, -validity, -keysize) are fixed keywords; the values (RSA, selfsignedjks, JKSkeystore.jks, password, 60, 2048) are user defined and should be changed to suit your setup.

Keytool Options

keytool -genkeypair [OPTION]…

Generates a key pair

Options:

-alias : alias name of the entry to process
-keyalg : key algorithm name
-keysize : key bit size
-sigalg : signature algorithm name
-destalias : destination alias
-dname : distinguished name
-startdate : certificate validity start date/time
-ext : X.509 extension
-validity : validity number of days
-keypass : key password
-keystore : keystore name
-storepass : keystore password
-storetype : keystore type
-providername : provider name
-providerclass : provider class name
-providerarg : provider argument
-providerpath : provider classpath
-v : verbose output
-protected : password through protected mechanism

Use “keytool -help” for all available commands

Step 3

Fill in the prompts for your organization information. When it asks for your first and last name, enter the domain name of the server that users will be entering to connect to your application (e.g. www.narayanatutorial.com)

What is your first and last name?
[Unknown]: Narayanaswamy Ragi
What is the name of your organizational unit?
[Unknown]: Tutorial
What is the name of your organization?
[Unknown]: narayanatutorial
What is the name of your City or Locality?
[Unknown]: india
What is the name of your State or Province?
[Unknown]: andhrapradesh
What is the two-letter country code for this unit?
[Unknown]: 91
Is CN=Narayanaswamy Ragi, OU=Tutorial, O=narayanatutorial, C=91 correct?
[no]: yes

Enter key password for
(RETURN if same as keystore password):
Re-enter new password:
They don’t match. Try again
Enter key password for
(RETURN if same as keystore password):
Re-enter new password:

Validate the server’s certificate

Using the following command we can validate the self signed certificate.

C:\Program Files\Java\jre6\bin>keytool -list -keystore JKSkeystore.jks -v

Output

Enter keystore password: *****

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsignedjks
Creation date: Dec 29, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Issuer: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Serial number: 1f974c1b
Valid from: Tue Dec 29 10:21:49 IST 2015 until: Fri Dec 23 10:21:49 IST 2016
Certificate fingerprints:
MD5: 3B:D8:37:17:47:51:1B:EF:AD:C9:BE:D4:00:10:53:98
SHA1: D1:EC:71:EE:30:73:2A:77:A3:CE:91:76:51:B8:C4:93:7E:34:F7:20
SHA256: 26:79:4A:7B:71:8F:5E:2D:71:49:0F:67:B9:2E:E4:BA:B3:92:F8:BB:E1:
53:3B:92:5D:18:DC:A1:32:45:C9:E2
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 0C 87 15 62 B2 D6 FB 9C DD 8B D8 B0 D3 63 40  ....b.........c@
0010: 2F 07 07 B7                                      /...
] ]

*******************************************
*******************************************

Export a Self Signed Certificate (JKS) to a Certificate File (CER) Using Java Keytool (JKS -> CER)

Export the generated certificate to a .cer file (JKSkeystore.cer in the command below; any name you prefer will do), using the following command format:

C:\Program Files\Java\jre6\bin> keytool -export -alias selfsignedjks -storepass password -file JKSkeystore.cer -keystore JKSkeystore.jks

Output

Certificate stored in file

Verify the contents of the certificate file

If you wish, you can double-check the contents of the certificate file to make sure it contains the correct certificate:

C:\Program Files\Java\jre6\bin> keytool -printcert -file JKSkeystore.cer -v

Output

Owner: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Issuer: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Serial number: 1f974c1b
Valid from: Tue Dec 29 10:21:49 IST 2015 until: Fri Dec 23 10:21:49 IST 2016
Certificate fingerprints:
MD5: 3B:D8:37:17:47:51:1B:EF:AD:C9:BE:D4:00:10:53:98
SHA1: D1:EC:71:EE:30:73:2A:77:A3:CE:91:76:51:B8:C4:93:7E:34:F7:20
SHA256: 26:79:4A:7B:71:8F:5E:2D:71:49:0F:67:B9:2E:E4:BA:B3:92:F8:BB:E1:
53:3B:92:5D:18:DC:A1:32:45:C9:E2
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 0C 87 15 62 B2 D6 FB 9C DD 8B D8 B0 D3 63 40  ....b.........c@
0010: 2F 07 07 B7                                      /...
] ]

Import the certificate into your application’s trust store

The keytool utility’s -import option installs a certificate from a certificate file into a specified trust store.

For example, if your client application’s trust store is kept in the file /local/https/TrustKeyStore, the following command will install the certificate from the file JKSkeystore.cer created above (if the trust store does not exist yet, keytool creates it and asks you to choose its password).

C:\Program Files\Java\jre6\bin> keytool -import -file JKSkeystore.cer -keystore /local/https/TrustKeyStore

Output

Enter keystore password: ****
Re-enter new password: ****
Owner: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Issuer: CN=narayanaswamy, OU=IT, O=narayanatutorial, L=banglore, ST=karnataka, C=91
Serial number: 1f974c1b
Valid from: Tue Dec 29 10:21:49 IST 2015 until: Fri Dec 23 10:21:49 IST 2016
Certificate fingerprints:
MD5: 3B:D8:37:17:47:51:1B:EF:AD:C9:BE:D4:00:10:53:98
SHA1: D1:EC:71:EE:30:73:2A:77:A3:CE:91:76:51:B8:C4:93:7E:34:F7:20
SHA256: 26:79:4A:7B:71:8F:5E:2D:71:49:0F:67:B9:2E:E4:BA:B3:92:F8:BB:E1:
53:3B:92:5D:18:DC:A1:32:45:C9:E2
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 0C 87 15 62 B2 D6 FB 9C DD 8B D8 B0 D3 63 40  ....b.........c@
0010: 2F 07 07 B7                                      /...
] ]

Trust this certificate? [no]: yes
Certificate was added to keystore
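The keytool prompt "Trust this certificate?" is the moment that matters: a self signed certificate carries no third-party guarantee, so the client should only accept it after comparing its fingerprint with the value the server operator handed over separately. The Java program below is an added example (not part of the original post) that performs the -printcert and -import steps programmatically: it loads the exported .cer file, checks that it is really self signed and still valid, compares its SHA-256 fingerprint with an expected value passed on the command line, and only then adds it to the JKS trust store. The class name TrustSelfSigned and the argument order are assumptions of this example.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Added example: pin-check an exported self signed .cer file before trusting it. */
public class TrustSelfSigned {

    // Hex-encode a digest in keytool's AA:BB:CC style so it matches -printcert output.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Usage (assumed): java TrustSelfSigned JKSkeystore.cer <expected SHA-256> /local/https/TrustKeyStore <storepass> selfsignedjks
    public static void main(String[] args) throws Exception {
        String certFile = args[0], expectedSha256 = args[1], storePath = args[2], alias = args[4];
        char[] storePass = args[3].toCharArray();

        X509Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // 1. Self signed: issuer equals subject AND the signature verifies with the cert's own key.
        cert.verify(cert.getPublicKey());
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new IllegalStateException("Issuer differs from subject; not a self signed certificate");
        }
        // 2. Still inside its validity window (the tutorial used -validity 60, so this expires quickly).
        cert.checkValidity();
        // 3. Fingerprint must equal the value received out of band; keytool wraps SHA256 over two lines,
        //    so whitespace is stripped before comparing.
        String actual = fingerprint(cert, "SHA-256");
        if (!actual.equalsIgnoreCase(expectedSha256.replaceAll("\\s", ""))) {
            throw new IllegalStateException("Fingerprint mismatch, refusing to trust: " + actual);
        }
        // 4. Only now add it to the trust store (what "keytool -import" does after you answer yes);
        //    like keytool, create the store if it does not exist yet.
        KeyStore trust = KeyStore.getInstance("JKS");
        File storeFile = new File(storePath);
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) { trust.load(in, storePass); }
        } else {
            trust.load(null, storePass);
        }
        trust.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(storeFile)) { trust.store(out, storePass); }
        System.out.println("Trusted " + alias + " with SHA-256 " + actual);
    }
}
```

Run it with the SHA256 line copied from the server operator's keytool -printcert output; a mismatch stops before the trust store is touched, which is the check the interactive "yes" at the prompt silently skips.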