Understanding java keytool, working with .crt files, fixing certificate problems
By neokrates, written on June 8, 2010
Java keytool manages the certificates used for HTTPS connections, so that access can be limited to authorized clients. Any tool or Java code running on that JVM can then use an installed certificate to connect to the server.
How Java keytool works
Maybe you want to make your server publicly accessible, but restricted to a particular team or organization.
Or you are building the infrastructure of your enterprise and want it to be secure. In such situations you need a method to control who can use a particular service.
Such a resource should be protected from unauthorized use, and the channel between the server and an authorized client must be secure.
Java keytool lets you certify a given Java client for work with a particular server over HTTPS. It is an established and easy-to-use Java standard.
To be certified to use a particular service, the client should do the following:
get the certificate which the server expects (a .crt file); the admin can probably provide it;
add it to your keystore with keytool -import (shown in the next section);
check the manual of the client tool you use for any configuration details.
Adding certificate to the keystore
my.cert.location/my.cert.crt – the certificate to be installed
“changeit” – the default keystore password (if you did not set one, this is the Java default)
default Java keystore location – $JAVA_HOME/jre/lib/security/cacerts
The following adds the certificate to the default Java keystore:
keytool -import -file my.cert.location/my.cert.crt -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1
Answer ‘yes’ when prompted.
Listing certificates in the keystore
This will list the certificates in the keystore:
keytool -list -storepass changeit -keystore /opt/java/jre/lib/security/cacerts
Output is something like:
mycert1, May 10, 2010, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisigntsaca, Aug 13, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 7F:66:7A:71:D3:EB:69:78:20:9A:51:14:9D:83:DA:20
baltimorecodesigningca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
The important part is the alias of each certificate: you import and export certificates by alias.
In the keystore, the unique identifier (name) of a certificate is called its alias.
To check whether the certificate with alias mykey1 is present, use:
keytool -list -storepass changeit -keystore /opt/java/jre/lib/security/cacerts |grep mykey1 -A1
It prints everything the keystore holds about that certificate (the -A1 includes the fingerprint line that follows the alias).
The following exception may occur when the expected certificate is not found:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Given one client which works and one which cannot connect to the server, you can do the following to fix the problem:
Compare the MD5 fingerprints of the same certificate on both machines
Check that the same certificates are installed (nothing missing)
Import the missing certificates from the working machine
Print the certificate content to learn more about it
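A small POSIX shell helper for the comparison above, added here and not part of the original post: it reduces keytool -list output to alias/fingerprint pairs and reports entries that are missing from, or differ on, the failing client. The keystore paths and password in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post); paths and password are placeholders.

# Reduce `keytool -list` output to "alias<TAB>fingerprint" lines.
# keytool prints each entry on two lines: "alias, date, trustedCertEntry,"
# followed by "Certificate fingerprint (MD5): xx:xx:..." (or SHA-256).
parse_listing() {
    awk -F', ' '
        /trustedCertEntry|PrivateKeyEntry/ { alias = $1; next }
        /Certificate fingerprint/ { sub(/.*: /, ""); print alias "\t" $0 }
    ' | sort
}

# $1 = parsed listing from the working client, $2 = from the failing one.
# Prints MISSING for aliases the failing client lacks and MISMATCH for
# aliases present on both sides but with different fingerprints.
compare_stores() {
    awk -F'\t' '
        NR == FNR { good[$1] = $2; next }
        { bad[$1] = $2 }
        END {
            for (a in good)
                if (!(a in bad)) print "MISSING\t" a
                else if (good[a] != bad[a]) print "MISMATCH\t" a
        }
    ' "$1" "$2" | sort
}

# Live use (placeholders): run on each host, then compare the two files.
#   keytool -list -storepass changeit \
#       -keystore "$JAVA_HOME/jre/lib/security/cacerts" | parse_listing > good.txt
#   compare_stores good.txt bad.txt
# Offline demo on constructed listings: the first two entries are copied
# from the output above, the changed fingerprint is made up.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'mycert1, May 10, 2010, trustedCertEntry,' \
        'Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB' \
        'verisigntsaca, Aug 13, 2008, trustedCertEntry,' \
        'Certificate fingerprint (MD5): 7F:66:7A:71:D3:EB:69:78:20:9A:51:14:9D:83:DA:20' \
        | parse_listing > "$tmp/good"
    printf '%s\n' \
        'verisigntsaca, Aug 13, 2008, trustedCertEntry,' \
        'Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF' \
        | parse_listing > "$tmp/bad"
    compare_stores "$tmp/good" "$tmp/bad"
    rm -rf "$tmp"
}
```

Newer keytool releases print SHA-256 fingerprints instead of MD5; the parser accepts either, and SHA-256 is the one to rely on when deciding whether two entries really are the same certificate.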
Exporting the certificate from the keystore
keytool -exportcert -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1 > my.cert.location/my.cert.1.crt
The exported my.cert.1.crt can then be re-imported into another keystore.
Learning more about the certificate
REMARK: we use the same certificate we exported in the section above.
To learn about the owner, the organization that issued the certificate, etc., use the following command:
keytool -printcert -file my.cert.location/my.cert.1.crt
Removing the certificate from the keystore
keytool -delete -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1
Non-interactive mode (suppress keytool questions)
This is useful in bash scripts. Use the -noprompt option:
keytool -delete -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1 -noprompt
That’s it, have fun