C Java KeyStore Preparation

The following example demonstrates how to use keytool to prepare a keystore and the server and client truststores with a certificate signed by an external CA. If you want to import an existing private/public key pair generated by an external tool instead, see Import Key Pair to Java Keystore.

  1. Generate a key pair and store it in store.keys

    keytool -genkeypair -keystore store.keys \
    -alias shared -keyalg RSA -keysize 2048 \
    -validity 365 -dname \
    "CN=my-nosql-cluster.example.com, \
    OU=My Company, O=IT, L=San Francisco, ST=CA, C=US" \
    -storepass <passwd> -keypass <passwd>

    If you omit -keypass, keytool prompts for the key password:

    Enter key password for <shared>
    (RETURN if same as keystore password):

    Note:

    store.keys is the default name of the Oracle NoSQL Database keystore, and shared is the default alias of the Oracle NoSQL Database certificate. You can customize the name by specifying a security parameter in the makebootconfig command or the securityconfig utility. Additionally, you can specify the algorithm, size and validity of the key. Use an RSA key of at least 2048 bits: public CAs do not sign 1024-bit RSA keys, and the JDK treats keys that small as weak.

    To export the certificate (the public half of the pair; the private key never leaves the keystore), use the keytool -export command:
    keytool -export \
    -file <temp file> \
    -keystore store.keys \
    -storepass <passwd> \
    -alias shared
  2. Generate a certificate signing request (CSR) and send it to the CA.

    keytool -certreq -keystore store.keys -alias shared \
    -file myhost.csr
    Enter keystore password:
  3. The CA verifies the request and returns the signed certificate, usually as a PEM file (myhost.cert.pem), together with its root and intermediate CA certificates (ca.cert.pem and intermediate.cert.pem below).

  4. Import the CA certificates in chain order: the root first, then each intermediate (if there are several, import them in order, each one signed by the one before it), and only then the signed certificate for this server. keytool asks you to confirm the root certificate because nothing already in the keystore vouches for it; compare the fingerprint it prints with the one the CA publishes before answering yes. The intermediate and the server certificate chain to the root that is now in the keystore, so they install without a prompt.

    keytool -import -file ca.cert.pem \
    -keystore store.keys -alias root
    keytool -import -file intermediate.cert.pem -keystore store.keys \
    -alias intermediate
    # After importing the root and intermediate certificates,
    # install the signed certificate for this server. The alias must be
    # the one used in step 1 (shared): keytool then treats the file as the
    # certificate reply for that key and replaces the self-signed
    # certificate with the full chain.
    keytool -import -file myhost.cert.pem -keystore store.keys \
    -alias shared
    Certificate reply was installed in keystore
  5. Verify the installation by checking the certificate content in store.keys:

    keytool -list -v -keystore store.keys -alias shared
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=myhost, OU=TeamA, O=MyCompany, L=Unknown,
    ST=California, C=US
    Issuer: CN=intermediate CA, OU=CA, O=MyCompany,
    ST=California, C=US

    The output above is illustrative; the Owner and Issuer lines show your own DNs. The certificate chain length should match the number of certificates in the chain that were imported, in this case three (server certificate, intermediate, root). A length of 1 means the reply was not recognized as a reply for the key, or the CA certificates were imported after it.

  6. Build the server truststore (store.trust). The server truststore must contain the signed server certificate as well as the root and intermediate certificates. Note that the server and client truststores need to use the same password as the keystore. keytool asks "Trust this certificate?" for the server certificate and for the root, because nothing already in the new truststore vouches for them; the intermediate chains to the root and is added without a prompt.

    keytool -export -file store.tmp \
    -keystore store.keys -alias shared
    # no -alias is given here, so keytool stores the server certificate
    # under its default alias, mykey
    keytool -import -keystore store.trust -file store.tmp
    keytool -import -keystore store.trust -file ca.cert.pem \
    -alias root
    keytool -import -keystore store.trust -file intermediate.cert.pem \
    -alias intermediate
  7. Create the client truststore (client.trust). In this case, import only the root and intermediate certificates into the client truststore.

    keytool -import -keystore client.trust \
    -file ca.cert.pem -alias root
    keytool -import -keystore client.trust -file intermediate.cert.pem \
    -alias intermediate
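The whole procedure, steps 1 through 7, as an added runnable rehearsal that is not part of the Oracle NoSQL documentation. Because the real CA is external, the script stands in for it with a local root and intermediate created with keytool -gencert; the CA names, the host name, the "changeit" password, the working directory and the function names are assumptions. Every store uses the same password, as the text requires, and the result can be checked the same way as in step 5.

```shell
# Added rehearsal of steps 1-7, not part of the Oracle NoSQL documentation.
# The external CA is replaced by a local root + intermediate created with
# keytool -gencert so the chain import can be exercised offline. Assumed:
# a JDK keytool on PATH, the password "changeit" for every store and key,
# and the CA / host names below.
set -eu
export LC_ALL=C                       # keep keytool's messages parseable

PASS=changeit
HOST=my-nosql-cluster.example.com

kt() { keytool "$@" -storepass "$PASS"; }   # every store uses the same password

# build_stores <dir>: creates ca.keys (the stand-in CA), store.keys,
# store.trust and client.trust in <dir>.
build_stores() {
    d=$1
    mkdir -p "$d"
    rm -f "$d"/*.keys "$d"/*.trust "$d"/*.pem "$d"/*.csr "$d"/store.tmp

    # Stand-in CA: self-signed root, intermediate signed by the root.
    kt -genkeypair -keystore "$d/ca.keys" -keypass "$PASS" -alias root \
        -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Root CA, O=MyCompany, C=US" \
        -ext bc:c -ext ku:c=keyCertSign,cRLSign
    kt -genkeypair -keystore "$d/ca.keys" -keypass "$PASS" -alias intermediate \
        -keyalg RSA -keysize 2048 -validity 1825 \
        -dname "CN=Example Intermediate CA, O=MyCompany, C=US"
    kt -certreq -keystore "$d/ca.keys" -alias intermediate -file "$d/intermediate.csr"
    kt -gencert -keystore "$d/ca.keys" -alias root -rfc -validity 1825 \
        -ext bc:c=0 -ext ku:c=keyCertSign,cRLSign \
        -infile "$d/intermediate.csr" -outfile "$d/intermediate.cert.pem"
    # install the signed intermediate as the reply for its own key entry
    kt -importcert -keystore "$d/ca.keys" -alias intermediate -file "$d/intermediate.cert.pem"
    kt -exportcert -keystore "$d/ca.keys" -alias root -rfc -file "$d/ca.cert.pem"

    # Step 1: server key pair. 2048 bits, the minimum a public CA will sign.
    kt -genkeypair -keystore "$d/store.keys" -keypass "$PASS" -alias shared \
        -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$HOST, OU=My Company, O=IT, L=San Francisco, ST=CA, C=US"
    # Steps 2 and 3: CSR, signed here by the stand-in intermediate.
    kt -certreq -keystore "$d/store.keys" -alias shared -file "$d/myhost.csr"
    kt -gencert -keystore "$d/ca.keys" -alias intermediate -rfc -validity 365 \
        -ext san=dns:"$HOST" -ext eku=serverAuth \
        -ext ku:c=digitalSignature,keyEncipherment \
        -infile "$d/myhost.csr" -outfile "$d/myhost.cert.pem"
    # Step 4: root, intermediate, then the reply for alias shared. -noprompt
    # skips the fingerprint confirmation; with a real CA, check the root's
    # fingerprint against the CA's published value before trusting it.
    kt -importcert -noprompt -keystore "$d/store.keys" -alias root -file "$d/ca.cert.pem"
    kt -importcert -noprompt -keystore "$d/store.keys" -alias intermediate \
        -file "$d/intermediate.cert.pem"
    kt -importcert -keystore "$d/store.keys" -alias shared -file "$d/myhost.cert.pem"
    # Step 6: server truststore = server cert + root + intermediate.
    kt -exportcert -keystore "$d/store.keys" -alias shared -file "$d/store.tmp"
    kt -importcert -noprompt -keystore "$d/store.trust" -alias shared -file "$d/store.tmp"
    kt -importcert -noprompt -keystore "$d/store.trust" -alias root -file "$d/ca.cert.pem"
    kt -importcert -noprompt -keystore "$d/store.trust" -alias intermediate \
        -file "$d/intermediate.cert.pem"
    # Step 7: client truststore holds only the CA certificates.
    kt -importcert -noprompt -keystore "$d/client.trust" -alias root -file "$d/ca.cert.pem"
    kt -importcert -noprompt -keystore "$d/client.trust" -alias intermediate \
        -file "$d/intermediate.cert.pem"
}

# chain_length <dir>: the "Certificate chain length" keytool reports for
# alias shared in store.keys (step 5); expected 3 = server + intermediate + root.
chain_length() {
    kt -list -v -keystore "$1/store.keys" -alias shared |
        sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}

# entry_count <keystore>: number of entries keytool -list reports.
entry_count() {
    kt -list -keystore "$1" | sed -n 's/^Your keystore contains \([0-9]*\) entr.*/\1/p'
}

if [ "${1:-}" = "--run" ]; then
    dir=${2:-ks-rehearsal}
    build_stores "$dir"
    echo "shared chain length: $(chain_length "$dir")"
    echo "client.trust entries: $(entry_count "$dir/client.trust")"
fi
```

Run it with --run <dir> to build the stores under <dir>: chain_length reports 3 for the shared entry, store.keys and store.trust each hold three entries, and client.trust holds the two CA certificates. With a real CA, the ca.keys section is replaced by submitting myhost.csr to the CA, and the root import should be done without -noprompt so that its fingerprint can be checked.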