Tech Brainwave

A Road Map for Innovative Technologies

Step by step tutorial to create Keystore and Truststore file

Posted by giftsam Posted on Dec - 11 - 2010

Introduction
JSSE uses truststore and keystore files to secure communication between the client and the server. The keytool command is used to create the keystore file, which contains the public/private keys; the certificate exported from that keystore is then used to create a truststore file, which contains only public keys. In this article, let us learn how to create the truststore and keystore files using the 5 steps given below:

  1. Generate a private key in keystore file
  2. Verify the newly created keystore file
  3. Export the certificate
  4. Import the certificate into the truststore file
  5. Verify the newly created trust store file

Step 1 – Generate a private key in keystore file
Java keytool stores the keys and certificates in the keystore file. If you are a “Windows” user, the keytool command should be executed in the Java bin directory. In my case the directory is “C:\Program Files\Java\jdk1.6.0_12”, and the following command should be executed:



keytool -genkeypair -alias certificatekey -keyalg RSA -validity 7 -keystore keystore.jks 

Once the preceding command is executed, you will be asked for the password. For this article, let us give the password as “techbrainwave”. Once you give the password, you will be asked for the details as specified in the image below.

Next we should verify the newly created key store file.

Step 2 – Verify the newly created keystore file
In step 2, let us verify the newly created keystore.jks file using the following command:



keytool -list -v -keystore keystore.jks


After executing the above command, you will get the details as specified in the image below.

Next we should export the certificate.

Step 3 – Export the certificate
In step 3, either a self-signed certificate or a commercial certificate from “Verisign” or another certificate authority should be exported. For exporting Verisign certificates, the article “Steps to configure Verisign certificate for Oracle Glassfish Server” would be helpful. In this article, let us see how to export a self-signed certificate.

-----BEGIN CERTIFICATE-----
MIICXjCCAccCBDwircEwDQYJKoZIhvcNAQEEBQAwdjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB
MRIwEAYDVQQHEwlQYWxvIEFsdG8xHzAdBgNVBAoTFlN1biBNaWNyb3N5c3RlbXMsIEluYy4xFjAU
BgNVBAsTDUphdmEgU29mdHdhcmUxDTALBgNVBAMTBER1a2UwHhcNMDExMjIxMDMzNDI1WhcNMDEx
MjI4MDMzNDI1WjB2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVBhbG8gQWx0
bzEfMB0GA1UEChMWU3VuIE1pY3Jvc3lzdGVtcywgSW5jLjEWMBQGA1UECxMNSmF2YSBTb2Z0d2Fy
ZTENMAsGA1UEAxMERHVrZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1loObJzNXsi5aSr8
N4XzDksD6GjTHFeqG9DUFXKEOQetfYXvA8F9uWtz8WInrqskLTNzwXgmNeWkoM7mrPpK6Rf5M3G1
NXtYzvxyi473Gh1h9k7tjJvqSVKO7E1oFkQYeUPYifxmjbSMVirWZgvo2UmA1c76oNK+NhoHJ4qj
eCUCAwEAATANBgkqhkiG9w0BAQQFAAOBgQCRPoQYw9rWWvfLPQuPXowvFmuebsTc28qI7iFWm6BJ
TT/qdmzti7B5MHOt9BeVEft3mMeBU0CS2guaBjDpGlf+zsK/UUi1w9C4mnwGDZzqY/NKKWtLxabZ
5M+4MAKLZ92ePPKGpobM2CPLfM8ap4IgAzCbBKd8+CMp8yFmifze9Q==
-----END CERTIFICATE-----

The preceding self-signed certificate should be stored in a file named “selfsignedcert.cer”; then execute the following command:



keytool -export -alias certificatekey -keystore keystore.jks -rfc -file selfsignedcert.cer


After executing the above command, you will be asked for the password. Give the same password “techbrainwave” and you will get the details as specified in the image below.

Next we should import the certificate into the truststore file.

Step 4 – Import the certificate into the truststore file
In step 4, let us import the certificate by executing the command below:



keytool -import -alias certificatekey -file selfsignedcert.cer -keystore truststore.jks


After executing the preceding command, give the same password “techbrainwave” and you will get the details as specified in the image below.

Next let us verify the newly created trust store file.

Step 5 – Verify the newly created trust store file
In step 5, verify the newly created trust store file by executing the following command:



keytool -list -v -keystore truststore.jks


After executing the preceding command, you will get the details as specified in the image below.
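
How the two files produced in steps 1 to 5 are consumed by JSSE, as an added example that is not part of the original article: it confirms that keystore.jks holds the private key, that truststore.jks holds only the matching certificate, that the certificate is still inside its 7-day validity window, and then builds an SSLContext from both. The class name StoreCheck is hypothetical; the code assumes both files are in the working directory, that the key password equals the store password, and Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class StoreCheck {  // hypothetical class name
    // Load a store file; JDK compatibility mode lets the default type read JKS or PKCS12.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Tutorial sample values. Assumption: the key password equals the store password.
        char[] password = "techbrainwave".toCharArray();
        String alias = "certificatekey";
        KeyStore keyStore = load("keystore.jks", password);
        KeyStore trustStore = load("truststore.jks", password);

        // keystore.jks must hold the private key; truststore.jks only the certificate.
        if (!keyStore.isKeyEntry(alias))
            throw new IllegalStateException("keystore.jks has no private key under " + alias);
        if (!trustStore.isCertificateEntry(alias))
            throw new IllegalStateException("truststore.jks entry is not a trusted certificate");

        // The imported certificate must be the one that belongs to the private key.
        X509Certificate own = (X509Certificate) keyStore.getCertificate(alias);
        X509Certificate trusted = (X509Certificate) trustStore.getCertificate(alias);
        if (!own.equals(trusted))
            throw new IllegalStateException("truststore certificate differs from keystore certificate");
        // Step 1 used -validity 7, so this throws once the certificate is over 7 days old.
        trusted.checkValidity();
        System.out.println(trusted.getSubjectX500Principal() + " valid until " + trusted.getNotAfter());

        // Hand both stores to JSSE: key managers present our identity, trust managers verify peers.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready, protocol " + context.getProtocol());
    }
}
```

In a real deployment the server side loads only keystore.jks and the client side only truststore.jks, so the private key never leaves the server.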

That's all, folks. I hope this article clearly gives the step-by-step tutorial to create a simple keystore and truststore file. If you find this article useful, don't forget to leave your valuable comments. Have a joyous code day.

Categories: Java, JSSE, Networking, Remoting

41 Responses so far.

  1. [...] “Truststore” file. The Creation of these two files has been explained in the article “Step by step tutorial to create Keystore and Truststore file “. The factory classes used in the SSLContextGenerator class [...]

  2. bojan says:

    Hello, can I use keystore and truststore created by this tutorial for mutual certificate security on glassfish web server? I tried setting web service and web service client using self-signed certificate, and I get Validation of self signed certificate failed error.

  3. tactoth says:

    I would see this is a very useful article, very intuitive and informative. It really helps me much on understanding certificates, private/public keys, etc.

  4. tims says:

    It is not clear to me when the truststore file is created.

    giftsam Reply:

    In step4, the truststore file is created. The truststore file contains only public keys.

  5. It’s very good & clearly mentions the right steps.

    Thanks

  6. Rishu Aggarwal says:

    Nice work techbrainwave !! very handful info..

  7. [...] 6.1)  Generating a KeyStore and TrustStore (Oracle documentation)  –> (link) 6.2) JKS and JCEKS keystores      –> (link) JCEKS keystore (Oracle documentation) –> (link) 6.3) Creating a key and trust store with JSSE in Java( client and server) –> (link) 6.4) keystore vs. truststore (victor-jan’s blog) –> (link) 6.5) Step by step tutorial to create Keystore and Truststore file (techbrainwave’s website) –> (link) [...]

  8. Adam Mauger says:

    “The preceding self signed certificate should be stored in a file named “selfsignedcert.cer” and then execute the following command,

    keytool -export -alias certificatekey -keystore
    keystore.jks -rfc -file selfsignedcert.cer”

    Er, selfsignedcert.cer is just overwritten….

  9. sureshkumar Chinnaraj says:

    This tutorial explains very well about signing jar files thanks a lot!!!

  10. Narendra says:

    Can I copy this file somewhere else and use it ?

    giftsam Reply:

    Narendra, which file do you want to copy?

  11. Ram says:

    Really useful information on keystore and truststore with simple explanation

  12. Ron says:

    Thanks for the great tutorial.. I want to use the certificate and truststore in my client server application.

    How can I use it. I am using JSSE.
    Just wondering how to use generated certificate and truststore in my application.

    Thanks

  13. Nurlan says:

    I need a keytool command which imports an existing private key (.pem) into the keystore.jks.

    I tried
    “keytool -import -trustcacerts -file mypem.pem -alias CA_ALIAS -keystore keystore.jks”
    but it gave me the following error
    “keytool error: java.lang.Exception: Input not an X.509 certificate”
    Can anybody help??

    Thanks in advance.
    Nurlan

    Madhurima Reply:

    Hi All,

    I am also facing the same issue, please help me.

    Thanks,
    Madhurima

    J Brun Reply:

    There is NO keytool command that does this Nurlan. You will have to use another tool or script to convert everything into one keystore file.
    You can create a keystore file (with your private key) and a truststore file (with your public cert), as described above and configure your tomcat or java application to use both files.

  14. Jas says:

    step by step explanation helped me a lot in understanding certificate generation and keystore generation. Great Tutorial

  15. ammy says:

    Wonderful!!! Thanks for such a detailed article.

  16. Eknath says:

    Nice Tutorial.. Helped me a lot. and saved time.

    Thanks a Ton !!!!!!!!!!!!

  17. Naidu says:

    How to create the private key and public key for a self signed certificate ?

  18. ahmet says:

    thank you very much.. perfect tutorial..

  19. ratish says:

    awesome man

  20. [...] The keystore and truststore referenced in the code snippet above were created using the following tutorial: http://www.techbrainwave.com/?p=953 [...]

  21. john cena says:

    after creating truststore.jks what is the next step?

  22. Pankaj says:

    This tutorial explains very well creating keystore and truststore.

    very thanks………………..

  23. Karthik says:

    This link was very useful. Thank you.

  24. thiru says:

    good one. thanks.

  25. mahesh says:

    wonderful and excellent

  26. Trev Thorpe says:

    Very useful link, cleared up an issue I was having.

    Thanks,

    – Trev

  27. Pritam says:

    Gr8 information, helpful in implementation, and provides good guidance for development.

  28. Lalit says:

    This is really great tutorial. Thanks buddy.

  29. Solly says:

    Before I read this article, I was clueless about keystore and truststore files. Simple straight to the point article…..thanks ma.

  30. Chuck says:

    Very useful.

  31. mehdi says:

    I did all of the tutorial above, and set my tomcat config to these files. After that the tomcat is running well in both http and https protocols, but can you give more information on how I can produce files that are trusted by browsers? When I run my browser on https protocol, the browser gives me an alert that this site is not trusted.
    mercy.

  32. Alaa says:

    Thanks a lot

  33. Ashrujit Pal says:

    Awesome guideline..

  34. Ashrujit Pal says:

    Very helpful guideline..

  35. Gaurav says:

    When I create the keystore file through steps 1-2 and then check its creation, it gives the error java.lang.exception :Keystore File does not exist : C:\Users\348752\.keystore

    Can you please help me out.

  36. sam says:

    clear steps and very helpful

  37. Gianpyc says:

    Thanks thanks thanks a lot! These steps are very useful and helped me a lot
