Java keytool can be used for https connections, to allow access only to authorized clients. Any tool or java code can use an installed certificate to connect to the server.

How Java keytool works

Maybe you want to make your server publicly accessible, but restricted to particular team or organization.
Or you build an infrastructure of your enterprise and want it to be secure. In such situation you will need a method to control, who can use particular service.
Such resource should be protected from unauthorized usage, channel between server and authorized client must be secure.

Java keytool allows to certify given java client for work with particular server over https. That is an established and easy to use java standard.

To be certified to use particular service, client should do the following:
get the certificate which server expects(.crt file). Probably admin can provide you with it;
add it to your keyring using:

keytool -import

 
check with the manual of the client tool you use for details of configuration, if there is any.

1

Adding certificate to the keystore

Given:
my.cert.location/my.cert.crt – certificate to be installed
“changeit” – default keystore path (if you didn’t set it, its java default)
default java keystore location – $JAVA_HOME/jre/lib/security/cacerts

Following will add the certificate to the default java keyring:

keytool -import -file my.cert.location/my.cert.crt -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1

Answer ‘yes’ when prompted.

2

Listing certificates in the keystore

This will list the certificates in the keystore:

keytool -list -storepass changeit -keystore /opt/java/jre/lib/security/cacerts

 
Output is something like:

mycert1, May 10, 2010, trustedCertEntry,Certificate fingerprint (MD5):
CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisigntsaca, Aug 13, 2008, trustedCertEntry,Certificate fingerprint (MD5):
7F:66:7A:71:D3:EB:69:78:20:9A:51:14:9D:83:DA:20
baltimorecodesigningca, May 10, 2002, trustedCertEntry,Certificate fingerprint (MD5):
90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22

 
Important part is the alias which certificate has. You can import and export certificates using alias.

In the keytore, unique identification or name of the certificate is called alias

To determine if the certificate with alias mykey1is there, use:

  keytool -list -storepass changeit -keystore /opt/java/jre/lib/security/cacerts |grep mykey1 -A1

 
It will list all what keyring has about the certificate.

Following problem might occur if server doesn’t find the certificate it expects:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 
Given one client which works and one which cannot connect to the server, you can do the following to fix the problem:
Compare MD5 Sums of same certificate from both servers
Check that the same certificates are installed (nothing missing)
Import missing certificates from the working server
Print the certificate content to learn more about it

3

Exporting the certificate from the keystore

keytool -exportcert -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1 > my.cert.location/my.cert.1.crt

The my.cert.1.crt can be then re-imported into another keyring.

4

Learning more about the certificate

 
REMARK: we use the same certificate we have exported in the chapter above.

To learn about the owner, organization, etc. who has issued the certificate, following command can be used

keytool -printcert -file mycert.crt

5

Removing the certificate from the keystore

keytool -delete -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1

6

Non-interactive mode (suppress keytool questions)

That is useful in bash scripts. Use the -noprompt option:

keytool -delete -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1 -noprompt

That’s it, have fun