Key and certificate handling

For SSL operation, the server always needs a key pair. If the server runs in peer authentication mode (the server authenticates the clients), each client needs its own key pair. In general, if one end of the communication wants to authenticate its partner, the first end needs to install a certificate generated by the partner.

The key pair is kept in a file called a key store, and the JDK's SSL provider needs the system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword to access the key store.

The certificates of trusted parties are installed in a file called a trust store. The JDK's SSL provider needs the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to access the trust store.

Key pair generation

Key pairs are generated with keytool -genkey. The simplest way to generate a key pair is to do the following:

keytool -genkey -alias alias -keystore keystore

keytool will prompt for needed information, such as identity details and passwords.

Consult the JDK documentation for more information on keytool.

Certificate generation

Certificates are generated with keytool -export as follows:

keytool -export -alias alias -keystore keystore \
        -rfc -file certificate-file

The certificate file may then be distributed to the relevant parties.

Certificate installation

Installation of a certificate in a trust store is done with keytool -import as follows:

keytool -import -alias alias -file certificate-file \
        -keystore truststore

Examples

Generate the server key pair:

keytool -genkey -alias myDerbyServer -keystore serverKeyStore.key

Generate a server certificate:

keytool -export -alias myDerbyServer -keystore serverKeyStore.key \
        -rfc -file myServer.cert

Generate a client key pair:

keytool -genkey -alias aDerbyClient -keystore clientKeyStore.key

Generate a client certificate:

keytool -export -alias aDerbyClient -keystore clientKeyStore.key \
        -rfc -file aClient.cert

Install a client certificate in the server's trust store:

keytool -import -alias aDerbyClient -file aClient.cert \
        -keystore serverTrustStore.key

Install the server certificate in a client's trust store:

keytool -import -alias myDerbyServer -file myServer.cert \
        -keystore clientTrustStore.key