When you need to use client certificate authentication from Java, the issues start right at the beginning with the certificate, since it is usually not in the format you want.
I recently had to use a PFX certificate for client authentication (maybe another post will be coming) and for that reason I had to convert it to a Java keystore (JKS).
We will create BOTH a truststore and a keystore, because depending on your needs you might need one or the other.
The difference between a truststore and a keystore, if you are not aware of it, is (quote from the JSSE reference guide):
TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.
First let's generate a key from the pfx file; this key is used later for the p12 keystore.
openssl pkcs12 -in example.pfx -nocerts -out example.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
As shown here you will be asked for the password of the pfx file, and then you will be asked to enter a PEM pass phrase; let's use 123456 for everything in this example.
The second command is almost the same, but this time it is about -nokeys and a crt file:
openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt
Enter Import Password:
MAC verified OK
Now we have a key and a crt file.
Next step is to create a truststore.
keytool -import -file example.crt -alias exampleCA -keystore truststore.jks
Enter keystore password:
Re-enter new password:
Owner: CN=….. …….
Trust this certificate? [no]: yes
Certificate was added to keystore
As you can see here you just import this crt file into a JKS truststore and set a password. To the question "do you trust this certificate" you answer yes, so it is added to the truststore.
The last step is to create a keystore.
openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12
Enter pass phrase for example.key:
Enter Export Password:
Verifying - Enter Export Password:
This p12 keystore is enough in many cases; still, if you need a JKS keystore you need one additional command:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Importing keystore keystore.p12 to keystore.jks…
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias examplecert successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
Let's verify what we have at the end!
ls
example.pfx example.key keystore.p12 example.crt keystore.jks truststore.jks
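The same conversion as a script, added here as an example and not part of the original post: the five commands above run non-interactively (passwords passed as arguments instead of typed at the prompts), followed by a keytool -list check that the two stores hold the right kind of entry. The function names, the exampleCA/examplecert aliases and the 123456 passwords are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the post's own commands: the same conversion run
# non-interactively (passwords passed as arguments) so it fits in a script.
# Note: "pass:" puts the secret on the command line; prefer file: or env: in CI.
set -eu

# Steps 1 and 2: split the PFX into an encrypted private key and the client cert.
# Args: pfx file, PFX import password, PEM pass phrase for the extracted key.
pfx_to_pem() {
  pfx="$1"; pfxpass="$2"; keypass="$3"; base="${pfx%.pfx}"
  openssl pkcs12 -in "$pfx" -nocerts -out "$base.key" \
    -passin "pass:$pfxpass" -passout "pass:$keypass"
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$base.crt" -passin "pass:$pfxpass"
}

# Step 3: truststore.jks holding only the certificate (what a TrustManager uses).
# -noprompt answers the "Trust this certificate?" question with yes.
make_truststore() {
  keytool -importcert -noprompt -file "$1" -alias exampleCA \
    -keystore truststore.jks -storetype JKS -storepass "$2"
}

# Steps 4 and 5: keystore.p12 with key + cert (what a KeyManager uses), then a JKS copy.
# Args: cert file, key file, PEM pass phrase of the key, store password.
make_keystore() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -name examplecert -out keystore.p12 \
    -passin "pass:$3" -passout "pass:$4"
  keytool -importkeystore -noprompt -srckeystore keystore.p12 -srcstoretype pkcs12 \
    -srcstorepass "$4" -destkeystore keystore.jks -deststoretype JKS -deststorepass "$4"
}

# Check: the keystore must contain a PrivateKeyEntry and the truststore a trustedCertEntry;
# a truststore with a PrivateKeyEntry (or vice versa) is the usual sign of mixed-up files.
verify_stores() {
  keytool -list -keystore keystore.jks -storepass "$1" | grep -q PrivateKeyEntry
  keytool -list -keystore truststore.jks -storepass "$1" | grep -q trustedCertEntry
}

# Usage: sh convert.sh example.pfx <pfx password> <password for key and stores>
if [ "$#" -eq 3 ]; then
  pfx_to_pem "$1" "$2" "$3"
  make_truststore "${1%.pfx}.crt" "$3"
  make_keystore "${1%.pfx}.crt" "${1%.pfx}.key" "$3" "$3"
  verify_stores "$3" && echo "keystore.p12, keystore.jks and truststore.jks are ready"
fi
```

Unlike the interactive commands above, the -certfile option is left out because the certificate is already supplied with -in.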
That is all folks! I hope this helps someone :)
There will be a second post on how to use this keystore for client side authentication from Java, and also on how to use the truststore if you need it.