Create Public Private KeyStore for Client and Server
This tutorial explains how to create a public/private keystore for a client and a server. You can use these keystores to secure communication between the two. The following steps are required:
- Create a keystore for the client and for the server.
- Export the public certificate from each keystore.
- Import each public certificate into the other party's keystore.
Generate Client and Server Keystores
We start by creating a keystore for the server. Execute the following command in a terminal. This command generates a 2048-bit RSA key pair, which is valid for 365 days and stored under the alias server in the server.jks keystore file.
keytool -genkey \
-alias server \
-keyalg RSA \
-validity 365 \
-keystore server.jks
When you execute the previous command, you'll be prompted to answer a series of questions. First, you'll have to provide a password. You'll need this password to modify your keystore later, so make sure you remember it. Next, you'll receive a couple of questions that you can answer as you wish; together they form the certificate's subject (distinguished name), and the first one, the Common Name (CN), is normally the host name for a server certificate.
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: memorynotfound.com
What is the name of your organizational unit?
[Unknown]: server-keystore
What is the name of your organization?
[Unknown]: memorynotfound
What is the name of your City or Locality?
[Unknown]: Antwerp
What is the name of your State or Province?
[Unknown]: Antwerp
What is the two-letter country code for this unit?
[Unknown]: BE
Is CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=Antwerp, ST=Antwerp, C=BE correct?
[no]: y
Enter key password for <server>
(RETURN if same as keystore password):
When you have successfully answered all the questions, keytool creates the server.jks keystore file containing the self-signed certificate. In the same way, you can create a keystore for the client using the following command. This generates a client.jks keystore file.
keytool -genkey \
-alias client \
-keyalg RSA \
-validity 365 \
-keystore client.jks
Export Public Key Certificate
We can export the server's certificate, which carries its public key, from the keystore using the following command. This generates a file called server.cert containing the public certificate from the server.jks keystore. The -storepass value must be the keystore password you chose when generating the keystore; this tutorial uses changeit.
keytool -export \
-file server.cert \
-keystore server.jks \
-storepass changeit \
-alias server
In the same way, we can export the client's certificate with the following command. This generates a file called client.cert containing the public certificate from the client.jks keystore.
keytool -export \
-file client.cert \
-keystore client.jks \
-storepass changeit \
-alias client
View Certificate
You can view the content of these certificates using the following command.
keytool -printcert -v \
-file server.cert
This will generate the following output.
Owner: CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=Antwerp, ST=Antwerp, C=BE
Issuer: CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=Antwerp, ST=Antwerp, C=BE
Serial number: 25c1ebef
Valid from: Tue Mar 29 11:29:54 CEST 2016 until: Wed Mar 29 11:29:54 CEST 2017
Certificate fingerprints:
MD5: 81:F4:0D:E1:D2:6D:2E:1C:01:72:EF:14:A4:27:3E:7B
SHA1: 04:7C:99:D3:69:76:8B:07:63:A6:8E:A5:FA:F6:E7:EE:95:32:EC:10
SHA256: C8:67:10:1A:2C:2B:BF:42:AC:78:63:69:4D:54:FA:5E:03:D0:40:C6:76:5A:99:C5:4D:5F:95:20:37:06:64:C3
Signature algorithm name: SHA256withRSA
Version: 3
...
Import Public Key Certificate into Keystore
Finally, we import the client's public key certificate into the server's keystore. Because the certificate is self-signed, keytool prints it and asks whether to trust it; compare the fingerprint it shows with the one the client side reported (for example from keytool -printcert) before answering yes.
keytool -import \
-file client.cert \
-keystore server.jks \
-storepass changeit \
-alias client-public
In the same way, we import the server's public key certificate into the client's keystore.
keytool -import \
-file server.cert \
-keystore client.jks \
-storepass changeit \
-alias server-public
View Keystore Content
To wrap up, we can verify the content of the keystore using the following command. It lists all entries in the given keystore: the server's own key pair as a PrivateKeyEntry and the imported client certificate as a trustedCertEntry.
keytool -list -v \
-keystore server.jks \
-storepass changeit
The previous command generates the following output.
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: server
Creation date: Mar 29, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=antwerp, ST=antwerp, C=BE
Issuer: CN=memorynotfound.com, OU=server-keystore, O=memorynotfound, L=antwerp, ST=antwerp, C=BE
Serial number: 68cb11e4
Valid from: Tue Mar 29 11:44:03 CEST 2016 until: Wed Mar 29 11:44:03 CEST 2017
Certificate fingerprints:
MD5: 41:E6:C9:31:52:2B:3F:66:01:4F:40:F8:CB:28:DF:57
SHA1: 88:16:52:0A:C3:A7:3D:8C:2B:51:95:BB:A0:C4:89:8A:DD:42:0C:35
SHA256: 87:BE:D4:31:D2:97:35:D9:83:3B:B6:1E:9F:6A:02:BD:AE:D7:F1:4B:CD:13:E3:56:4A:19:B3:70:AF:37:1F:46
Signature algorithm name: SHA256withRSA
Version: 3
...
*******************************************
Alias name: client-public
Creation date: Mar 29, 2016
Entry type: trustedCertEntry
Owner: CN=memorynotfound.com, OU=client-keystore, O=memorynotfound, L=antwerp, ST=antwerp, C=BE
Issuer: CN=memorynotfound.com, OU=client-keystore, O=memorynotfound, L=antwerp, ST=antwerp, C=BE
Serial number: 6f5d4736
Valid from: Tue Mar 29 11:44:36 CEST 2016 until: Wed Mar 29 11:44:36 CEST 2017
Certificate fingerprints:
MD5: 0B:BB:D9:8B:26:15:7A:9C:BD:D7:56:F6:B8:F2:D2:65
SHA1: 09:8D:EA:33:45:F2:4F:AD:36:B1:E0:13:44:08:50:8C:86:09:1F:90
SHA256: 6F:9C:00:92:30:E4:08:C9:8B:3D:F1:71:73:18:45:6E:E4:72:C8:D9:D8:A6:B0:FD:52:01:64:0F:89:BA:08:DD
Signature algorithm name: SHA256withRSA
Version: 3
...
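The whole procedure above (generate both keystores, export the certificates, verify a fingerprint, import the other party's certificate, and inspect the result) as one non-interactive script. This is an added example, not code from the original tutorial. It assumes a JDK keytool on PATH, that the keystore password is supplied in the KEYSTORE_PASS environment variable (falling back to changeit only so the demo matches the tutorial's commands), and that the expected fingerprint passed to import_trusted was obtained from the other party out of band; the function names and the scratch directory are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the client/server keystore
# procedure scripted end to end. Assumed: a JDK keytool on PATH and the
# keystore password in KEYSTORE_PASS (falls back to "changeit" only so the
# demo matches the tutorial's commands).
set -eu

STOREPASS="${KEYSTORE_PASS:-changeit}"
VALIDITY_DAYS=365

# Generate a 2048-bit RSA key pair plus self-signed certificate under the
# given alias. -dname supplies the subject the tutorial typed at the prompts.
# -storetype JKS matches the tutorial; newer JDKs default to PKCS12.
gen_keystore() { # $1 alias, $2 keystore file, $3 organizational unit
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity "$VALIDITY_DAYS" \
    -dname "CN=memorynotfound.com, OU=$3, O=memorynotfound, L=Antwerp, ST=Antwerp, C=BE" \
    -keystore "$2" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export the certificate (public key plus identity) of one entry as a DER file.
export_cert() { # $1 alias, $2 keystore file, $3 output file
  keytool -exportcert -alias "$1" -keystore "$2" -storepass "$STOREPASS" -file "$3"
}

# Print the SHA-256 fingerprint of a certificate file, as shown by -printcert.
cert_sha256() { # $1 certificate file
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p'
}

# Import a certificate as a trusted entry only if its fingerprint equals the
# value obtained from the other party out of band. -noprompt is acceptable
# here because this comparison replaces keytool's interactive
# "Trust this certificate?" question.
import_trusted() { # $1 certificate file, $2 alias, $3 keystore, $4 expected SHA-256
  actual=$(cert_sha256 "$1")
  if [ "$actual" != "$4" ]; then
    echo "refusing to import $1: fingerprint $actual does not match $4" >&2
    return 1
  fi
  keytool -importcert -noprompt -file "$1" -alias "$2" \
    -keystore "$3" -storepass "$STOREPASS"
}

# Number of entries reported by keytool -list ("Your keystore contains N entries").
entry_count() { # $1 keystore file
  keytool -list -keystore "$1" -storepass "$STOREPASS" \
    | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}

# Entry type of one alias: PrivateKeyEntry (own key pair) or trustedCertEntry
# (someone else's certificate).
entry_type() { # $1 keystore file, $2 alias
  case "$(keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2")" in
    *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
    *trustedCertEntry*) echo trustedCertEntry ;;
    *) echo unknown; return 1 ;;
  esac
}

# Run the whole tutorial in a scratch directory and show the server keystore.
main() {
  dir=$(mktemp -d)
  gen_keystore server "$dir/server.jks" server-keystore
  gen_keystore client "$dir/client.jks" client-keystore
  export_cert server "$dir/server.jks" "$dir/server.cert"
  export_cert client "$dir/client.jks" "$dir/client.cert"
  # Both parties live on one machine here, so the "out of band" fingerprint is
  # read straight from the exported file; in practice it arrives separately.
  import_trusted "$dir/client.cert" client-public "$dir/server.jks" "$(cert_sha256 "$dir/client.cert")"
  import_trusted "$dir/server.cert" server-public "$dir/client.jks" "$(cert_sha256 "$dir/server.cert")"
  keytool -list -v -keystore "$dir/server.jks" -storepass "$STOREPASS"
}

# Only run when keytool is present, so the functions can also be sourced.
if command -v keytool >/dev/null 2>&1; then main; fi
```

Passing the password through an environment variable rather than typing -storepass changeit on the command line keeps it out of shell history and process listings, and the fingerprint check in import_trusted is the step that turns "import whatever file arrived" into an explicit trust decision.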
You have now created a public/private keystore for both the client and the server, and you can use these keystores to secure communication between them. Because the certificates were generated with -validity 365, they must be renewed and exchanged again within a year.