Skip to main content Skip to complementary content

Create the trusted client certificate

About this task

You are going to use a keytool (provided with the JDK) to manipulate the keys and certificates.

Procedure

  1. Create two key pairs:
    • one for the server side (use for SSL),

    • one as an example of the client side (use for "trust", should be performed for each client, on the client side).

    mkdir -p etc/keystores
    cd etc/keystores
    keytool -genkey -keyalg RSA -validity 365 -alias serverkey -keypass password -storepass password -keystore keystore.jks
    keytool -genkey -keyalg RSA -validity 365 -alias clientkey -keypass password -storepass password -keystore client.jks
    These key are self-signed. In a production system, you should use a Certificate Authority (CA).
  2. Export the client certificate to be imported in the server keystore:
    keytool -export -rfc -keystore client.jks -storepass password -alias clientkey -file client.cer
    keytool -import -trustcacerts -keystore keystore.jks -storepass password -alias clientkey -file client.cer
  3. Check that the client certificate is trusted in our keystore:
    keytool -list -v -keystore keystore.jks
    ...
    Alias name: clientkey
    Creation date: Dec 12, 2012
    Entry type: trustedCertEntry
    ...
  4. You can now remove the client.cer certificate.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!