Perform the following operations from the command line.
1. Generate the client key pair in the keystore clientkeystore.

    keytool -keystore clientkeystore -genkey -alias client
    Enter keystore password: javacaps
    What is your first and last name?
      [Unknown]: development.sun.com
    What is the name of your organizational unit?
      [Unknown]: Development
    What is the name of your organization?
      [Unknown]: Sun
    What is the name of your City or Locality?
      [Unknown]: Monrovia
    What is the name of your State or Province?
      [Unknown]: California
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
      [no]: yes
    Enter key password for <client>
      (RETURN if same as keystore password):

2. Generate the Certificate Signing Request.

    keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr

3. Generate a signed certificate for the associated Certificate Signing Request.

    openssl x509 -req -CA ca-certificate.pem.txt -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial

4. Use the keytool to import the CA certificate into the client keystore.

    keytool -import -keystore clientkeystore -file ca-certificate.pem.txt -alias theCARoot
    Enter keystore password: javacaps
    Owner: EmailAddress=development@sun.com, CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Issuer: EmailAddress=development@sun.com, CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Serial number: 0
    Valid from: Tue May 08 15:09:07 PDT 2007 until: Wed May 08 15:09:07 PDT 2008
    Certificate fingerprints:
      MD5:  60:73:83:A0:7C:33:28:C3:D3:A4:35:A2:1E:34:87:F0
      SHA1: C6:D0:C7:93:8E:A4:08:F8:38:BB:D4:11:03:C9:E6:CB:9C:D0:72:D0
    Trust this certificate? [no]: yes
    Certificate was added to keystore

5. Use the keytool to import the signed certificate for the associated client alias in the keystore.

    keytool -import -keystore clientkeystore -file client.cer -alias client
    Enter keystore password: javacaps
    Certificate reply was installed in keystore

The following error is generated if the client certificate cannot be linked to a certificate chain in the keystore.

    keytool -import -keystore clientkeystore -file client.cer -alias client
    Enter keystore password: javacaps
    keytool error: java.lang.Exception: Failed to establish chain from reply
This error occurs because the CA's certificate was not imported into the keystore first. You must import the CA's certificate (step 4) before importing the client.cer file itself (step 5); only then can keytool form the certificate chain.

Now that the keystore clientkeystore holds a private key and its associated certificate chain, it can be used as a KeyStore for client (adapter) authentication. The one caveat is that the CA certificate must also be imported into the trusted certificate store of the web server to which you will be connecting, and the web server must be configured to require client authentication (in httpd.conf for Apache, for example).
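As an added example (not part of the original page or of the product it documents), the following Java program loads clientkeystore, confirms that the client alias carries a chain of at least two certificates (the condition keytool enforces when it reports "Failed to establish chain from reply"), verifies each signature and validity period, and builds an SSLContext that presents the client certificate and trusts the imported CA. The file name, alias and password are the ones used in the steps above; the class name ClientKeystoreCheck and its method names are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Hypothetical helper (not part of the page): checks the chain stored under the
 * "client" alias and prepares an SSLContext for client authentication.
 */
public class ClientKeystoreCheck {

    // Values from steps 1 to 5 above; keytool on that page wrote a JKS file.
    static final String KEYSTORE_FILE = "clientkeystore";
    static final String ALIAS = "client";
    static final char[] PASSWORD = "javacaps".toCharArray();

    /** Returns the chain under ALIAS after checking every link in it. */
    static X509Certificate[] verifiedChain(KeyStore ks) throws Exception {
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        if (chain == null || chain.length < 2) {
            // Leaf without its CA: the state that makes keytool fail with
            // "Failed to establish chain from reply" during step 5.
            throw new IllegalStateException("alias '" + ALIAS + "' has no CA-backed chain");
        }
        X509Certificate[] x509 = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            x509[i] = (X509Certificate) chain[i];
        }
        // chain[0] is the client certificate; each entry must be signed by the
        // next one up, and the last entry (the CA root) signs itself.
        for (int i = 0; i < x509.length; i++) {
            X509Certificate issuer = x509[Math.min(i + 1, x509.length - 1)];
            x509[i].checkValidity();               // throws if expired or not yet valid
            x509[i].verify(issuer.getPublicKey()); // throws if the signature does not match
        }
        return x509;
    }

    /** SSLContext that presents the client certificate and trusts the CA in the keystore. */
    static SSLContext clientAuthContext(KeyStore ks) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD); // key password equals the keystore password (RETURN in step 1)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);           // the theCARoot entry from step 4 becomes a trust anchor
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE_FILE)) {
            ks.load(in, PASSWORD);
        }
        X509Certificate[] chain = verifiedChain(ks);
        System.out.println("chain length " + chain.length
                + ", leaf subject " + chain[0].getSubjectX500Principal()
                + ", issued by " + chain[chain.length - 1].getSubjectX500Principal());
        SSLContext ctx = clientAuthContext(ks);
        System.out.println("SSLContext ready for client authentication: " + ctx.getProtocol());
    }
}
```

Run it from the directory that holds clientkeystore. If step 5 was skipped or failed, getCertificateChain returns the single self-signed certificate from step 1 and the program stops with the IllegalStateException instead of silently producing an SSLContext that the server will reject.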