Create the trusted client certificate

About this task

You are going to use a keytool (provided with the JDK) to manipulate the keys and certificates.

Procedure

Create two key pairs:
- one for the server side (use for SSL),
- one as an example of the client side (use for "trust", should be performed for each client, on the client side).
```
mkdir -p etc/keystores
cd etc/keystores
keytool -genkey -keyalg RSA -validity 365 -alias serverkey -keypass password -storepass password -keystore keystore.jks
keytool -genkey -keyalg RSA -validity 365 -alias clientkey -keypass password -storepass password -keystore client.jks
```
These key are self-signed. In a production system, you should use a Certificate Authority (CA).

Export the client certificate to be imported in the server keystore:

keytool -export -rfc -keystore client.jks -storepass password -alias clientkey -file client.cer
keytool -import -trustcacerts -keystore keystore.jks -storepass password -alias clientkey -file client.cer

Check that the client certificate is trusted in our keystore:

keytool -list -v -keystore keystore.jks
...
Alias name: clientkey
Creation date: Dec 12, 2012
Entry type: trustedCertEntry
...

You can now remove the client.cer certificate.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!

Leave your feedback here