Create Public Private KeyStore for Client and Server

This tutorial explains how to create a public/private keystore for both a client and a server. You can use these keystores to secure the communication between client and server. The following steps are required to generate them:

  1. Create a keystore for the client and for the server.
  2. Export the public certificate from each keystore.
  3. Import each exported certificate into the other party's keystore.

Generate Client and Server Keystores

We start by creating a keystore for the server. Execute the following command in a terminal. It generates a 2048-bit RSA key pair with a self-signed certificate that is valid for 365 days, stored under the alias server in the server.jks keystore file.

keytool -genkey \
        -alias server \
        -keyalg RSA \
        -validity 365 \
        -keystore server.jks

When you execute the previous command, you’ll be prompted to answer a series of questions. First, you’ll have to provide a password. You’ll need this password to modify the keystore later, so make sure you remember it. Next, you’ll be asked a couple of questions about the certificate’s distinguished name; you can answer them as you wish.

Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  memorynotfound.com
What is the name of your organizational unit?
  [Unknown]:  server-keystore
What is the name of your organization?
  [Unknown]:  memorynotfound
What is the name of your City or Locality?
  [Unknown]:  Antwerp
What is the name of your State or Province?
  [Unknown]:  Antwerp
What is the two-letter country code for this unit?
  [Unknown]:  BE
Is CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=Antwerp, ST=Antwerp, C=BE correct?
  [no]:  y

Enter key password for <server>
	(RETURN if same as keystore password):  

Once you have answered all the questions, keytool creates the server.jks keystore file containing the key pair and its self-signed certificate. In the same way, you can create a keystore for the client using the following command, which generates a client.jks keystore file.

keytool -genkey \
        -alias client \
        -keyalg RSA \
        -validity 365 \
        -keystore client.jks

Export Public Key Certificate

We can export the public key certificate from the keystore using the following command. This generates a file called server.cert containing the public certificate from the server.jks keystore. The -storepass option supplies the keystore password you chose earlier (changeit in this tutorial).

keytool -export \
        -file server.cert \
        -keystore server.jks \
        -storepass changeit \
        -alias server

In the same way we exported the server’s public certificate, we can export the client’s with the following command. This generates a file called client.cert containing the public certificate from the client.jks keystore.

keytool -export \
        -file client.cert \
        -keystore client.jks \
        -storepass changeit \
        -alias client

View Certificate

You can view the content of these certificates using the following command.

keytool -printcert -v \
        -file server.cert

This will generate the following output.

Owner: CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=Antwerp, ST=Antwerp, C=BE
Issuer: CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=Antwerp, ST=Antwerp, C=BE
Serial number: 25c1ebef
Valid from: Tue Mar 29 11:29:54 CEST 2016 until: Wed Mar 29 11:29:54 CEST 2017
Certificate fingerprints:
	 MD5:  81:F4:0D:E1:D2:6D:2E:1C:01:72:EF:14:A4:27:3E:7B
	 SHA1: 04:7C:99:D3:69:76:8B:07:63:A6:8E:A5:FA:F6:E7:EE:95:32:EC:10
	 SHA256: C8:67:10:1A:2C:2B:BF:42:AC:78:63:69:4D:54:FA:5E:03:D0:40:C6:76:5A:99:C5:4D:5F:95:20:37:06:64:C3
	 Signature algorithm name: SHA256withRSA
	 Version: 3
...

Import Public Key Certificate into Keystore

Finally, we import the client’s public key certificate into the server’s keystore. It is stored as a trusted certificate entry under the alias client-public, which is what allows the server to trust the client’s certificate.

keytool -import \
        -file client.cert \
        -keystore server.jks \
        -storepass changeit \
        -alias client-public

In the same way, we import the server’s public key certificate into the client’s keystore under the alias server-public.

keytool -import \
        -file server.cert \
        -keystore client.jks \
        -storepass changeit \
        -alias server-public
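With both imports done, each keystore holds its own private key plus the peer’s certificate as a trusted entry, which is exactly what a mutually authenticated TLS connection needs. The following Java program is an added example, not part of the original tutorial: it loads each side’s keystore as both key store and trust store and performs a client-authenticated handshake over loopback, assuming server.jks and client.jks are in the working directory and that the key password equals the store password changeit.

```java
import java.io.*;
import java.net.InetAddress;
import java.security.KeyStore;
import javax.net.ssl.*;

// Added example (not part of the original tutorial): mutual TLS handshake over loopback
// using the two keystores built above. Assumes server.jks and client.jks sit in the
// working directory and that both the store and the key password are "changeit".
public class MutualTlsDemo {
    static final char[] PASSWORD = "changeit".toCharArray();

    // Each keystore plays two roles: its PrivateKeyEntry (alias server / client) feeds the
    // KeyManager, and the trustedCertEntry imported from the peer (client-public /
    // server-public) feeds the TrustManager, so only that peer is accepted.
    static SSLContext contextFrom(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocket server = (SSLServerSocket) contextFrom("server.jks").getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        server.setNeedClientAuth(true); // handshake fails if the client presents no trusted certificate
        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
                System.out.println("server saw client: " + s.getSession().getPeerPrincipal());
            } catch (IOException e) {
                System.out.println("server rejected client: " + e.getMessage());
            }
        });
        serverThread.start();
        try (SSLSocket c = (SSLSocket) contextFrom("client.jks").getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), server.getLocalPort())) {
            c.startHandshake();
            System.out.println("client saw server: " + c.getSession().getPeerPrincipal());
        }
        serverThread.join();
        server.close();
    }
}
```

Compile and run with javac MutualTlsDemo.java && java MutualTlsDemo; both sides should print the peer’s distinguished name. If the client-public entry is missing from server.jks, the server side fails the handshake, which shows that the imported trusted entry is what makes the connection succeed.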

View Keystore Content

To wrap up, we can verify the content of a keystore using the following command, which lists all entries in the given keystore. The server.jks keystore should now contain two entries: the server’s own private key entry and the client’s trusted certificate entry.

keytool -list -v \
        -keystore server.jks \
        -storepass changeit

The previous command generates the following output.

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: server
Creation date: Mar 29, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=antwerp, ST=antwerp, C=BE
Issuer: CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=antwerp, ST=antwerp, C=BE
Serial number: 68cb11e4
Valid from: Tue Mar 29 11:44:03 CEST 2016 until: Wed Mar 29 11:44:03 CEST 2017
Certificate fingerprints:
	 MD5:  41:E6:C9:31:52:2B:3F:66:01:4F:40:F8:CB:28:DF:57
	 SHA1: 88:16:52:0A:C3:A7:3D:8C:2B:51:95:BB:A0:C4:89:8A:DD:42:0C:35
	 SHA256: 87:BE:D4:31:D2:97:35:D9:83:3B:B6:1E:9F:6A:02:BD:AE:D7:F1:4B:CD:13:E3:56:4A:19:B3:70:AF:37:1F:46
	 Signature algorithm name: SHA256withRSA
	 Version: 3

...
*******************************************


Alias name: client-public
Creation date: Mar 29, 2016
Entry type: trustedCertEntry

Owner: CN=memorynotfound.com, OU=client-keystore, O=memorynotfound, L=antwerp, ST=antwerp, C=BE
Issuer: CN=memorynotfound.com, OU=client-keystore, O=memorynotfound, L=antwerp, ST=antwerp, C=BE
Serial number: 6f5d4736
Valid from: Tue Mar 29 11:44:36 CEST 2016 until: Wed Mar 29 11:44:36 CEST 2017
Certificate fingerprints:
	 MD5:  0B:BB:D9:8B:26:15:7A:9C:BD:D7:56:F6:B8:F2:D2:65
	 SHA1: 09:8D:EA:33:45:F2:4F:AD:36:B1:E0:13:44:08:50:8C:86:09:1F:90
	 SHA256: 6F:9C:00:92:30:E4:08:C9:8B:3D:F1:71:73:18:45:6E:E4:72:C8:D9:D8:A6:B0:FD:52:01:64:0F:89:BA:08:DD
	 Signature algorithm name: SHA256withRSA
	 Version: 3

...

You have now created a public/private keystore for both the client and the server, and you can use them to secure the communication between the two.
