
Managing a Java keystore

The keytool command is part of the Java 2 JDK release. Complete documentation can be found at sun-keytool.html. The keytool command will do most of what you need: listing contents, setting aliases, adding new trusted certificates. The one thing the keytool of that era does not do is import an existing private key together with its certificate as a key entry (importing a trusted certificate on its own works fine). A class that ships with the jetty release does this and is what we have used; the keytool in JDK 6 and later also has an -importkeystore command that can copy a key entry out of a PKCS#12 file.

Finding a CA certificate

Ask whoever is running the service that you want to connect to to send you the CA certificate that signed its web site certificate, then enter that in your ssl-keystore as a trusted entry. Check the certificate's fingerprint with them over a separate channel (by phone, or against a fingerprint the CA publishes on its own site) before you import it: a certificate you mark as trusted vouches for every server certificate it has signed, so a tampered one would let an impostor pass as the service.

Get the site certificate

Another approach is to get the site certificate itself and use that instead. Connect to the service with your browser over https and then export the certificate from the browser. Trust is then pinned to that single certificate: when the site renews it you have to export and import again, whereas a CA certificate keeps working for every certificate that CA issues until the CA itself is replaced.

In IE the following is reputed to work.

View certificate -> certificate details -> copy to file

For Firefox you need the following extension.

https://addons.mozilla.org/en-US/firefox/addon/1964

Once this is installed there will be a "Certificate Manager" entry in the tools menu.

tools -> websites -> select certificate -> view -> export
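A command-line alternative to the browser exports in the two sections above, added here as an example (it is not part of the original page): openssl s_client fetches the chain the server actually presents, the script splits it into one PEM file per certificate and prints subject, issuer, expiry and SHA-256 fingerprint for each, so you can pick out the issuing CA and compare its fingerprint with one obtained out of band. It assumes openssl (1.0.2 or later, for -partial_chain), awk and sed on PATH; the host name and the chain.pem / site-N.pem file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: fetch a server's certificate
# chain with openssl instead of exporting it from a browser.
# Assumes openssl, awk and sed on PATH. Host, port and file names are placeholders.

# fetch_chain HOST PORT OUTFILE
# Saves every certificate the server presents (leaf first) to OUTFILE.
fetch_chain() {
    host=$1; port=$2; out=$3
    # -showcerts prints the whole presented chain; stdin from /dev/null makes
    # s_client exit after the handshake instead of waiting for input.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# split_pem_chain INFILE PREFIX
# Writes PREFIX-0.pem, PREFIX-1.pem, ... (one certificate each) and prints
# how many certificates were found. Lines outside BEGIN/END are dropped.
split_pem_chain() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { f = p "-" (n + 0) ".pem"; n++ }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# cert_summary FILE
# Who the certificate is for, who issued it, when it expires, and the
# SHA-256 fingerprint to compare against the value the operator gives you.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# is_self_signed FILE -> exit 0 if subject and issuer match (a root CA)
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# issued_by LEAF CAFILE -> exit 0 if the certificate(s) in CAFILE verify LEAF.
# -partial_chain accepts an intermediate as the anchor, which is exactly the
# trust a trustedCertEntry for that intermediate gives a Java client.
issued_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh fetch-chain.sh HOST [PORT]
if [ $# -ge 1 ]; then
    fetch_chain "$1" "${2:-443}" chain.pem
    n=$(split_pem_chain chain.pem site)
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "== site-$i.pem"
        cert_summary "site-$i.pem"
        is_self_signed "site-$i.pem" && echo "   (self-signed: a root)"
        i=$((i + 1))
    done
    last=$((n - 1))
    if [ "$n" -gt 1 ] && issued_by site-0.pem "site-$last.pem"; then
        echo "site-$last.pem verifies the leaf; import it, not the leaf, as a"
        echo "trustedCertEntry once its fingerprint matches the one you got out of band."
    else
        echo "Servers usually omit the root: ask the operator for the CA certificate."
    fi
fi
```

The awk splitter is the only part that does not need a network or openssl, which is why the rest is kept in separate functions: you can run split_pem_chain over a chain saved by any other tool. Note that site-0.pem is the leaf; importing it as trusted is the "site certificate" approach above, with the renewal caveat that goes with it.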

Input a site or CA certificate as a trustedCertEntry


You need the X.509 certificate of the CA in PEM format (Base64-encoded DER between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines). To convert from DER (binary) format use openssl:
openssl x509 -in 'CAcert.der' -inform DER -outform PEM -out 'CAcert.pem'
To import into a keystore:
keytool -import -keystore 'sec-client.jks' -file 'CAcert.pem' -trustcacerts -alias 'CA'
keytool itself reads DER as well as PEM, so the conversion is only needed when another tool wants PEM. Before it adds the entry keytool prints the certificate's fingerprint and asks "Trust this certificate?": compare that fingerprint with one you got from the CA operator through another channel and answer no if they differ. -trustcacerts lets keytool also use the JDK's own cacerts file when it tries to build a chain for the certificate being imported.

Input a pkcs12 file to a key store

Used when you have a user certificate that was generated outside of the keystore and you
wish to import it as a keyEntry. A keyEntry holds both the private key and the certificate, and openssl pkcs12 wants both in PEM format, so convert any DER input to PEM first (as for the CA certificate above).

#use openssl to make ONE pkcs12 file (combine both cert & private key)
openssl pkcs12 -inkey 'jason.key.pem' -in 'jason.cert.pem' -export -out 'jason.pkcs12'
# openssl asks for an export password; the same password is needed to read the file back.
# No friendly name is set here, so the key entry ends up under the alias 1 (renamed below).

# use jetty to load it (from http://jetty.mortbay.org/)
# with jetty-6.0.2 the command is
java -cp org.mortbay.jetty-6.0.2.jar org.mortbay.jetty.security.PKCS12Import 'jason.pkcs12' 'sec-client.jks'

The imported entry has the alias 1. The keytool of that era has no rename command, so clone the entry under the new alias and delete the old one (the keytool in JDK 6 and later also has -changealias); both commands prompt for the keystore and key passwords:

keytool -keyclone -alias 1 -dest 'jason' -keystore 'sec-client.jks'
keytool -delete -alias 1 -keystore 'sec-client.jks'

Then import the DOEGrids CA certificate and the ESnet root certificate as trusted entries (each import prints a fingerprint to confirm, as above):

keytool -import -keystore 'sec-client.jks' -file 'doeGridsCA.pem' -trustcacerts -alias 'DOEGridsCA'
keytool -import -keystore 'sec-client.jks' -file 'esnetRoot.pem' -trustcacerts -alias 'esnetRoot'
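The same procedure using only the keytool that ships with JDK 6 and later, added here as an example (it is not code from the original page or from Jetty): -importkeystore reads the PKCS#12 file directly, so the Jetty PKCS12Import class and the keyclone/delete rename are not needed, and -name on the openssl export sets the alias up front. It also covers the trustedCertEntry section above with an import that refuses to proceed unless the file's SHA-256 fingerprint matches a value you obtained out of band, which replaces the "Trust this certificate?" prompt that -noprompt suppresses. The script assumes openssl and keytool on PATH; the key pair and the "CA" it generates are constructed stand-ins for jason.key.pem, jason.cert.pem and doeGridsCA.pem, and the passwords are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page or from Jetty: import a key pair
# and a trusted CA with keytool -importkeystore / -importcert (JDK 6+).
# Assumes openssl and keytool on PATH. Names follow the page; the key pair
# and CA generated here are constructed stand-ins, passwords are placeholders.

# make_test_keypair DIR NAME
# Constructed input: throwaway self-signed key + cert standing in for
# NAME.key.pem / NAME.cert.pem (or, for the CA, doeGridsCA.pem).
make_test_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key.pem" -out "$1/$2.cert.pem" 2>/dev/null
}

# to_pkcs12 DIR NAME EXPORTPASS
# Bundle key + cert into NAME.p12. -name sets the PKCS#12 friendlyName, which
# keytool uses as the alias, so no keyclone/delete rename is needed later.
to_pkcs12() {
    # The PBE/MAC options select the older PKCS#12 encryption that every
    # keytool release can read; OpenSSL 3 otherwise defaults to AES/PBKDF2,
    # which older keytool rejects. Drop them when the target JDK is current.
    openssl pkcs12 -export -name "$2" \
        -inkey "$1/$2.key.pem" -in "$1/$2.cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$1/$2.p12" -passout "pass:$3"
}

# import_keyentry P12FILE ALIAS EXPORTPASS KEYSTORE STOREPASS
# Copies the key entry out of the PKCS#12 file into the JKS, creating the
# JKS if it does not exist. Key and store passwords are set equal here.
import_keyentry() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" -srcalias "$2" \
        -destkeystore "$4" -deststoretype JKS -deststorepass "$5" \
        -destalias "$2" -destkeypass "$5" >/dev/null 2>&1
}

# sha256_fingerprint CERTFILE -> "AB:CD:..." in the form keytool prints it
sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# import_trusted KEYSTORE STOREPASS ALIAS CERTFILE EXPECTED_FINGERPRINT
# Adds CERTFILE as a trustedCertEntry only if its fingerprint matches the
# value obtained out of band. -noprompt suppresses keytool's own
# "Trust this certificate?" question, so this check stands in for it.
import_trusted() {
    actual=$(sha256_fingerprint "$4")
    if [ "$actual" != "$5" ]; then
        echo "refusing to trust $4: fingerprint $actual != $5" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$1" -storepass "$2" -alias "$3" -file "$4" >/dev/null 2>&1
}

# entry_type KEYSTORE STOREPASS ALIAS -> PrivateKeyEntry | trustedCertEntry
# (prints nothing if the alias is absent)
entry_type() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Usage: sh import-keyentry.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_keypair "$d" jason
    to_pkcs12 "$d" jason exportpw
    import_keyentry "$d/jason.p12" jason exportpw "$d/sec-client.jks" changeit
    make_test_keypair "$d" DOEGridsCA
    # In real use the expected fingerprint comes from the CA operator, not
    # from the file you are about to import.
    import_trusted "$d/sec-client.jks" changeit DOEGridsCA "$d/DOEGridsCA.cert.pem" \
        "$(sha256_fingerprint "$d/DOEGridsCA.cert.pem")"
    keytool -list -keystore "$d/sec-client.jks" -storepass changeit 2>/dev/null
fi
```

Passing passwords on the command line (-passout, -srcstorepass, -deststorepass) is convenient for a script but leaves them in shell history and process listings; for an interactive one-off, omit them and let openssl and keytool prompt, as the page's commands do. The demo keystore is JKS to match sec-client.jks; current JDKs warn that JKS is a proprietary format and recommend PKCS12 as the keystore type itself.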