Creating JKS for a Java-based web server
Daniel Nashed – 27 October 2019 22:27:38
This weekend I have been looking into setting up a Flexnet server, which is based on a Java process that needs a certificate. The server uses the Java Key Store format (JKS), which isn't obvious to create from an existing certificate.
It's easier when you have an existing store. But for a server you usually need a new JKS file.
I found a quite straightforward but not obvious path.
This might also be interesting for other applications. That's why I am posting it here. Having that information would have saved me an hour of research.
-- Daniel
Convert PEM into P12
In many cases you have a PEM file with the key, leaf certificate, intermediate certs and the trusted root.
This can be converted to a PKCS12 (aka p12) file. This format can be used by many web servers. But just as Domino needs its own keyring format, Java needs the JKS format.
openssl pkcs12 -export -out lls.p12 -in lls.pem -password pass:mypassword
Import p12 into a new JKS
Once you have created a p12, the Java keytool can convert the p12 into a JKS.
This step creates a new JKS file with all the information from the p12 file :-)
keytool -importkeystore -deststorepass mypassword -destkeystore lls.jks -srcstorepass mypassword -srckeystore lls.p12 -srcstoretype PKCS12
That's a quite straightforward way, which can be used to automate the process.
Show Certs
Once you have created the JKS, you can dump all information from the JKS file to check it's all included.
keytool -list -keystore lls.jks -storepass mypassword -v
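The three steps above as one script, added here as an example and not part of the original post: it checks the PEM layout first, hands the password to both tools through an environment variable instead of the command line, and names the destination store type because Java 9 and later default to PKCS12. `KS_PASS`, the `lls` alias and the function names are assumptions of this example, and the key in the PEM file is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example. File names follow the post; KS_PASS, the "lls" alias and
# the function names are assumptions made for this example.

# Print "keys=<n> certs=<n>" for a PEM bundle; succeed only if it holds
# exactly one private key and at least one certificate.
pem_check() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    keys=$(grep -c -E '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    echo "keys=$keys certs=$certs"
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# Usage: KS_PASS=... pem_to_jks lls.pem lls.p12 lls.jks
# Runs in a subshell so umask and variables do not leak to the caller.
pem_to_jks() (
    pem=$1 p12=$2 jks=$3
    [ -n "${KS_PASS:-}" ] || { echo "KS_PASS is not set" >&2; exit 1; }
    export KS_PASS    # read by openssl and keytool; kept out of argv,
                      # which can show up in the process list
    pem_check "$pem" >/dev/null || { echo "unexpected PEM layout" >&2; exit 1; }
    umask 077         # the .p12 and .jks contain the private key

    # -name sets the friendly name, which keytool uses as the JKS alias.
    openssl pkcs12 -export -in "$pem" -out "$p12" -name lls \
        -passout env:KS_PASS || exit 1

    # Java 9 and later create PKCS12 by default, so name the type.
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$jks" -deststoretype JKS \
        -deststorepass:env KS_PASS || exit 1

    # The import is only useful if the key came along with the certificates.
    keytool -list -keystore "$jks" -storepass:env KS_PASS |
        grep -q 'PrivateKeyEntry' || { echo "no key entry in $jks" >&2; exit 1; }
)

if [ $# -eq 3 ]; then pem_to_jks "$@"; fi
```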
- Comments [2]
1 David Marko 28.10.2019 5:42:47 Creating JKS for a Java-based web server
Much easier solution: https://keystore-explorer.org/
2 Daniel Nashed 28.10.2019 6:53:40 Creating JKS for a Java-based web server
Thanks David!
I didn't know that tool! I will have a look.
But depending on what you do, you will need a way that allows automation and no extra software installation.
If you don't need that, especially for Windows, this is a great tool to have!
Linux admins are used to cryptic command line stuff :-)
-- Daniel