SYONE - Open Source Lisbon Blog

How to build a Java Keystore alias with a complete certificate chain

Written by Maximiano Tomé | 14/05/20 17:01

As a Systems Administrator, updating Java Keystores is something that I am in charge of from time to time and honestly... it always gives me a headache!!

To get over with this problem, I wrote this cheat sheet, so I never have to worry about it again! And now I’m sharing it with you 😁

This article is a guide that will help you build a Java Keystore alias with a complete certificate chain, aggregating it to your main domain certificate, rather than importing several aliases with the intermediary certificate and root. This is very useful when you have external entities or commands that certify or generate our entire certificate chain.

But first... a quick intro: 

With the rising security threats, software environments continually increase their security measures, which means developers more often than not have to deal with digital certificates and keys. For Java-based applications, yours keys and certificates are stored in your Java Keystore, which are often used for encryption, authentication, and serving over HTTPS, thus it’s very important to know how to build and manage it.

 “A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption.”Wikipedia

When it comes to managing Java Keystores, Keytool is the utility you are most likely to find. This command is usefulto manipulate Java Keystores, and it is included with Java.

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates.SSL Shopper

So now, let us go to the guide on how to build a Java Keystore with an alias with the complete certificate chain! Quick hint: the "trick" is in the first step!

Step by Step on how to build a Java Keystore alias with a complete certificate chain

 

1) First, you need to concatenate all the certificates (your domain's certificate, the intermediate certificate and the root certificate). The order is important.

  echo my_certificate.pem intermediate.pem root.pem > import.pem

 

2) Then you need to convert the key/certificate (chain) pair to pkcs12 format, because certificates in the pem format cannot directly import to a Java Keystore.

  openssl pkcs12 -export -in import.pem -inkey my_key.pem -out
my_key_crt_bundle.p12

 

3) And finally, you will have to create the final Java Keystore based on the pkcs12 file created in the previous step.

  keytool -importkeystore -deststorepass my_password -destkeystore my_keystore.jks 
-srckeystore my_key_crt_bundle.p12 -srcstoretype PKCS12

 

By listing the content of this Java Keystore, with the following command, you will confirm that there is only one alias with 3 certificates (the certificate chain), instead of 3 alias (each with its own certificate).

  keytool -list -v -keystore my_keystore.jks

 

This way, when the client application opens a session to your server, it receives the complete certification chain, allowing your domain certificate to be accepted.

And basically, that’s it!

I really hope this guide can help you avoid the trouble of creating a Java Keystore with a single alias containing the full chain. Nevertheless, if you have some doubts or suggestions, do not hesitate to write down your questions in the comments below and I will be very happy to answer them!