Tomcat – Using key tool to make a CSR, how to make a cert for tomcat ssl

certificateexceptionkeytoolssltomcat

My objective is to use keytool to create a certificate signing request (CSR), then take that CSR and make an actual cert to add to the keystore, add it, such that SSL (HTTPS//my.site.com) will work. This is for testing purposes.

So far I have done the following steps:

Generate a keystore for my CSR:

keytool -genkey -dname "CN=test.com, OU=TEST, O=Test, L=TestCity, ST=Florida, C=US" -alias tomcat -keyalg RSA -keysize 2048 -keystore test.keystore -storepass changeit
Generate the CSR:

keytool -certreq -alias tomcat -file request.csr -keystore test.keystore -storepass changeit
Generate a server key to use with openSSL to create a signed cert. This required a password "changeit" and then a conversion to remove the password for the server.key:

openssl genrsa -des3 -out server.key 2048

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key
Generate my signed cert using the CSR:

openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt
Finally, import the cert into my keystore.

keytool -import -trustcacerts -file server.crt -keystore test.keystore -alias tomcat -storepass changeit

The result is the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Best Answer

I am not sure the following is right, but it seems to work. Cobbling some steps together from various web sites, executing these commands generate a keystore that works for SSL connections via tomcat. It does it pieces parts which will let me test each piece of my system.

Generate the keystore

keytool -genkey -dname "CN=test.com, OU=TEST, O=Test, L=TestCity, ST=Florida, C=US" -alias tomcat -keyalg RSA -keysize 2048 -keystore test.keystore -storepass changeit

Generate the CSR

keytool -certreq -alias tomcat -file request.csr -keystore test.keystore -storepass changeit

Export the private key from my keystore for use in creating a signed cert

keytool -v -importkeystore -srckeystore test.keystore -srcalias tomcat -destkeystore myp12file.p12 -deststoretype PKCS12

openssl pkcs12 -in myp12file.p12 -out server.key

Create the signed cert from the CSR

openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt

Finally import it to the keystore, with success

keytool -import -trustcacerts -file server.crt -keystore test.keystore -alias tomcat -storepass changeit

Related Solutions

How to generate a self-signed SSL certificate using OpenSSL

You can do that in one command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.

The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).

Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).

Generate key and certificate using keytool

In your first command, you have used the -genkey option to generate the keystore named keystore.jks.

To export the certificate in .CER format file, you will need to use the -export option of the keytool.

An example is:

keytool -v -export -file mytrustCA.cer -keystore keystore.jks -alias mytrustCA

This will generate a file named mytrustCA.cer

To generate a certificate request to send to a CA for obtaining a signed certificate, you will need to use the -certreq option of keytool.

An example is:

keytool -v -certreq -keystore keystore.jks -alias mytrustCA

This will ask for the keystore password and on successful authentication, it will show the certificate request as given below (a sample).

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJhMQ8wDQYDVQQH
EwZNdW1iYWkxEjAQBgNVBAoTCU1pbmRzdG9ybTEUMBIGA1UECxMLRW5naW5lZXJpbmcxFDASBgNV
BAMTC1JvbWluIElyYW5pMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqOLEumwLHlzIUAPD6
Ab1pVp84mhSNCCcUKInZbSdiDYnKSr46EjEw0PtZOVPJbM4ZG3bZsOboYr0YfViJi41o4yJICFAZ
8wCQQxPK/4N8MPV7C5WDH28kRKGH/Pc2e7CxV+as573I34QmkINk7fEyERMDwP/WgmrcKZgL0sfy
ewIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAlcpjOUZFP9ixskXSA7HNlioWwjbL9f9rQskJ9rK8
kGLJ1td+mqqm20yo/JrKCzZjOMqr/aL6Zw2dkoyU34T9HnR2Bs3SgKn6wlYsYEVvVBk71Ec6PeTi
e+fhfNQEHsj4wuB4qixO3s1jtsLDy+DpTzYguszczwxXGFVNuk+y2VY=
-----END NEW CERTIFICATE REQUEST-----

You will need to send this Certificate REquest or paste it into the Digital Certificate signer webpage. Alternately, you can even redirect this output to a file instead of the console as follows:

keytool -v -certreq -keystore keystore.jks -alias mytrustCA > mycertreq.txt

Best Answer

Related Solutions

How to generate a self-signed SSL certificate using OpenSSL

Generate key and certificate using keytool

Related Topic