For SSL operation, the server always needs a key pair. If the server runs in peer authentication mode (the server authenticates the clients), then each client needs its own key pair as well. In general, if one end of the communication wants to authenticate its partner, then that end needs to install a certificate generated by the partner.
The key pair is stored in a file called a key store, and the JDK's SSL provider needs the system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword to access the key store.
The certificates of trusted parties are installed in a file called a trust store. The JDK's SSL provider needs the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to access the trust store.
To generate a key pair:

    keytool -genkey -alias <alias> -keystore <keystore>

keytool will prompt for the needed information, such as identity details and passwords.
Consult the JDK documentation for more information on keytool.

To export a certificate from a key store:

    keytool -export -alias <alias> -keystore <keystore> \
        -rfc -file <certificate file>

The certificate file may then be distributed to the relevant parties.

To install a certificate in a trust store:

    keytool -import -alias <alias> -file <certificate file> \
        -keystore <trust store>
Generate a server key pair:

    keytool -genkey -alias myDerbyServer -keystore serverKeyStore.key

Generate a server certificate:

    keytool -export -alias myDerbyServer -keystore serverKeyStore.key \
        -rfc -file myServer.cert

Generate a client key pair:

    keytool -genkey -alias aDerbyClient -keystore clientKeyStore.key

Generate a client certificate:

    keytool -export -alias aDerbyClient -keystore clientKeyStore.key \
        -rfc -file aClient.cert

Install a client certificate in the server's trust store:

    keytool -import -alias aDerbyClient -file aClient.cert -keystore serverTrustStore.key

Install the server certificate in a client's trust store:

    keytool -import -alias myDerbyServer -file myServer.cert -keystore clientTrustStore.key
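The sequence above, run end to end as a script, is an added example and not part of the Derby documentation. It assumes a JDK keytool on PATH; the passwords and distinguished names are constructed lab values, and the work directory defaults to a temporary one. Each keytool prompt is answered by a flag (-dname, -storepass, -noprompt) so the script runs unattended, each trust store is checked afterwards for the entry it must contain, and the -D options that map to the javax.net.ssl.* system properties are printed for both the server and the client JVM.

```shell
#!/bin/sh
# Added example; not part of the Derby documentation. Runs the page's key and
# certificate procedure non-interactively and prints the JVM options that hand
# the resulting stores to the JDK SSL provider. Assumes a JDK keytool on PATH.
# Passwords and distinguished names below are constructed lab values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_PASS="server-store-pass"   # constructed placeholder
CLIENT_PASS="client-store-pass"   # constructed placeholder
TRUST_PASS="trust-store-pass"     # constructed placeholder

# Generate a key pair. -dname and -storepass answer the prompts keytool would
# otherwise issue; -genkeypair is the current name of the page's -genkey.
gen_keypair() {   # $1 alias  $2 keystore  $3 password
    keytool -genkeypair -alias "$1" -keystore "$2" -storepass "$3" -keypass "$3" \
        -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1, OU=Derby lab, O=Example, C=US"
}

# Export the certificate of an alias in PEM (-rfc) form for distribution.
export_cert() {   # $1 alias  $2 keystore  $3 password  $4 certificate file
    keytool -export -alias "$1" -keystore "$2" -storepass "$3" -rfc -file "$4"
}

# Import a certificate into a trust store. -noprompt skips the interactive
# "Trust this certificate?" question, so use it only for certificates whose
# fingerprint has been verified out of band.
import_cert() {   # $1 alias  $2 certificate file  $3 trust store  $4 password
    keytool -import -alias "$1" -file "$2" -keystore "$3" -storepass "$4" -noprompt
}

# True when the store contains the alias (keytool exits non-zero otherwise).
has_alias() {   # $1 keystore  $2 password  $3 alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Build the -D options corresponding to the page's four system properties.
jvm_ssl_options() {   # $1 keystore  $2 keystore pass  $3 trust store  $4 trust pass
    printf -- '-Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s' \
        "$1" "$2" "$3" "$4"
}

# The page's example, end to end, inside $WORKDIR.
setup_derby_ssl() {
    gen_keypair myDerbyServer "$WORKDIR/serverKeyStore.key" "$SERVER_PASS"
    export_cert myDerbyServer "$WORKDIR/serverKeyStore.key" "$SERVER_PASS" "$WORKDIR/myServer.cert"
    gen_keypair aDerbyClient "$WORKDIR/clientKeyStore.key" "$CLIENT_PASS"
    export_cert aDerbyClient "$WORKDIR/clientKeyStore.key" "$CLIENT_PASS" "$WORKDIR/aClient.cert"
    import_cert aDerbyClient "$WORKDIR/aClient.cert" "$WORKDIR/serverTrustStore.key" "$TRUST_PASS"
    import_cert myDerbyServer "$WORKDIR/myServer.cert" "$WORKDIR/clientTrustStore.key" "$TRUST_PASS"

    # Peer authentication only works if each side trusts the other's certificate.
    has_alias "$WORKDIR/serverTrustStore.key" "$TRUST_PASS" aDerbyClient
    has_alias "$WORKDIR/clientTrustStore.key" "$TRUST_PASS" myDerbyServer

    echo "Server JVM options: $(jvm_ssl_options "$WORKDIR/serverKeyStore.key" "$SERVER_PASS" "$WORKDIR/serverTrustStore.key" "$TRUST_PASS")"
    echo "Client JVM options: $(jvm_ssl_options "$WORKDIR/clientKeyStore.key" "$CLIENT_PASS" "$WORKDIR/clientTrustStore.key" "$TRUST_PASS")"
}

if command -v keytool >/dev/null 2>&1; then
    setup_derby_ssl
else
    echo "keytool not on PATH; install a JDK to run the keystore steps" >&2
fi
```

Run it with `WORKDIR=/path/to/stores sh setup.sh` to keep the stores somewhere permanent. The -storepass flags are a convenience for a lab: on a shared host they show up in the process list, so for a real deployment let keytool prompt, or read the passwords from a protected file. The has_alias checks are the part worth keeping in any deployment script, since a missing trust-store entry surfaces only as a handshake failure at connection time.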