C Java KeyStore Preparation

The following example demonstrates how to use keytool to prepare keystore and truststore with external certificate. If you want to import an existing private/public key pair generated by an external tool instead, see Import Key Pair to Java Keystore.

1. Generate a keypair and store it in store.keys

   keytool -genkeypair -keystore store.keys \
   -alias shared -keyAlg RSA -keysize 2048 \
   -validity 365  -dname \
   "CN=my-nosql-cluster.example.com, \
   OU=My Company, O=IT, L=San Francisco, ST=CA, C=US" \
   -storepass <passwd> -keypass <passwd> 
   
   Enter key password for <shared>
   (RETURN if same as keystore password): 

   Note:

   Store.keys is the default name of Oracle NoSQL Database keystore and shared is the default alias of the Oracle NoSQL Database certificate You can customize the name by specifying a security parameter in the makebootconfig command or the securityconfig utility. Additionally, you can specify the algorithm, size and validity of key.

   To export the keypair, use the keytool -export command:

   keytool -export \
   -file <temp file> \
   -keystore store.keys \
   -storepass <passwd> \
   -alias shared 

2. Generate a certificate request and send to CA.

   keytool -certreq -keystore store.keys -alias \
   shared -file myhost.csr
   Enter keystore password: 

3. A public trusted CA usually signs the certificate after receiving your csr file. A pem file is generated (myhost.cert.pem).

4. Import certificates that are part of a certificate chain in order. If there are multiple intermediate certificates, they also need to be imported in order.

   keytool -import -file ca.cert.pem \
   -keystore store.keys -alias root
   
   keytool -import -file intermediate.cert.pem -keystore store.keys \
   -alias intermediate
   # After importing the root and intermediate certificates,
   # install the signed certificate for this server. The alias name
   # must be specified.
   keytool -import -file myhost.cert.pem -keystore store.keys \
   -alias shared
   
   Certificate reply was installed in keystore 

5. Verify the installation by checking the certificate content in store.keys:

   keytool -list -v -keystore store.keys -alias shared
   Certificate chain length: 3
   Certificate[1]:
   Owner: CN=myhost, OU=TeamA, O=MyCompany, L=Unknown, 
   ST=California, C=US
   Issuer: CN=intermediate CA, OU=CA, O=MyCompany, 
   ST=California, C=US 

   The certificate chain length should match the number of certificates in the chain that were imported, in this case, three.

6. Build server truststore (store.trust). The server truststore must contain the signed certificate as well as the root and intermediate certificate. Note that the server and client truststores need to use the same password as that of the keystore.

   keytool -export -file store.tmp -keystore store.keys -alias shared
   
   keytool -import -keystore store.trust -file store.tmp
   
   keytool -import -keystore store.trust -file ca.cert.pem -alias root
   
   keytool -import -keystore store.trust -file intermediate.cert.pem -alias intermediate 

7. Create client truststore (client.trust). In this case, import the root and intermediate certificates into the client truststore.

   The client.trust file is a truststore used by the client applications to validate the server's certificate. You can create it either in a password-less PKCS12 format or password protected format, depending on your setup. By default, when using the NoSQL securityconfig utility, the truststore is created in PKCS12 format without a password. Note the default behavior for standard Java truststore requires a password.

   1. Password-less PKCS12 Truststore

      Starting with Oracle NoSQL Database release 22.1, the securityconfig utility creates a password-less client.trust, if the Java version supports it.

      The supported Java versions are:

      • JDK 8u301 or higher for Java 8
      • JDK 11.0.12 or higher for Java 11
      • Any JDK 17 or higher

      mkdir tmp_root
      
      java -jar $KVHOME/lib/kvstore.jar securityconfig config create -root tmp_root -kspwd <store-password>

      This generates tmp_root/security/client.trust without a password.

      Import your CA root and intermidiate certificates:

      keytool -importcert -keystore client.trust -storetype PKCS12 -file ca.cert.pem -alias root -noprompt
      
      keytool -importcert -keystore client.trust -storetype PKCS12 -file intermediate.cert.pem -alias intermediate -noprompt

      Remove the unused default alias:

      keytool -delete -keystore tmp_root/security/client.trust -alias mykey

      Note:

      You may receive an error if you attempt to create a password-less PKCS12 truststore with an unsupported Java version. In this case, either use a password-protected truststore or create a JKS truststore, as below, instead:

      keytool -importcert -keystore client.trust -storetype JKS -storepass <password> -file ca.cert.pem -alias root -noprompt
      
      keytool -importcert -keystore client.trust -storetype JKS -storepass <password> -file intermediate.cert.pem -alias intermediate -noprompt

   2. Create password-protected truststore

      keytool -importcert -keystore client.trust -storetype PKCS12 -storepass <password> -file ca.cert.pem -alias root -noprompt
      
      keytool -importcert -keystore client.trust -storetype PKCS12 -storepass <password> -file intermediate.cert.pem -alias intermediate -noprompt

      The client application should set the following the login properties according to the Default Security Configuration.

      oracle.kv.ssl.trustStorePassword=<password>
      
      oracle.kv.ssl.trustStorePasswordAlias=<aliasName>

      For more information, see Guidelines for using PKCS12 Java KeyStore.