
How to:

  1. Generate keystore
  2. Generate truststore

To make SSL work between client and server, I need help only with the generation of the keystore and truststore for mutual authentication: a step-by-step guide with terminal commands (keytool and openssl).

SOWMITHRA KUMAR G M
  • The specific configuration would depend on the software you are using on the server and client end. Without further information on your specific setup, we could provide generic advice at most. – AfroThundr Nov 24 '17 at 05:46
  • Thanks for the reply. I've changed the question. I've done a fresh install of an Ubuntu 16 server machine. For making an SSL connection between apps, first I need help to generate the keystore, sign the certificate, and create the truststore; the rest of the connection I'll do. – SOWMITHRA KUMAR G M Nov 27 '17 at 06:21
  • You may want to check out [this question](https://unix.stackexchange.com/questions/347116/) or maybe [this](https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html) or [this](https://www.cloudera.com/documentation/enterprise/5-4-x/topics/cm_sg_create_key_trust.html) page for info on creating a keystore and truststore using keytool and openssl. – AfroThundr Nov 27 '17 at 14:08


I followed this link.

1. Generate keystore (at server):

```
keytool -genkey -alias bmc -keyalg RSA -keystore KeyStore.jks -keysize 2048
```

2. Generate new ca-cert and ca-key:

```
openssl req -new -x509 -keyout ca-key -out ca-cert
```

3. Extract the cert / create the cert signing request (CSR):

```
keytool -keystore KeyStore.jks -alias bmc -certreq -file cert-file
```

4. Sign the "cert-file"; cert-signed will be the new cert:

```
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed \
    -days 365 -CAcreateserial -passin pass:yourpass
```

5. Import the ca-cert into the keystore file:

```
keytool -keystore KeyStore.jks -alias CARoot -import -file ca-cert
```

6. Import cert-signed into the keystore:

```
keytool -keystore KeyStore.jks -alias bmc -import -file cert-signed
```

7. Copy ca-cert into the client machine and generate the truststore (at client):

```
keytool -keystore truststore.jks -alias bmc -import -file ca-cert-s
```

8. Copy ca-cert into the client machine and generate the truststore (at server):

```
keytool -keystore truststore.jks -alias bmc -import -file ca-cert-c
```

**Repeat steps 1-6 at the client side and generate the truststore at the server side by importing the ca-cert of the client (step 8).**

Renamed ca-cert after step 6.

Ex: ca-cert-s is generated at the server side and ca-cert-c at the client, and they are exchanged with each other for generating the truststores.

fmsf
SOWMITHRA KUMAR G M
  • What does the `-alias bmc` mean? – Kannan Ramamoorthy Aug 07 '20 at 12:09
  • @KannanRamamoorthy The -alias option defines an alias for your keystore entry. More info -> https://stackoverflow.com/questions/5724631/understanding-keystore-certificates-and-alias – alex_z Aug 10 '20 at 13:39
  • Note on `-CAcreateserial`. It creates a `*.srl` file to keep track of serial numbers (each signed certificate should have a different one). http://users.skynet.be/pascalbotte/art/server-cert.htm – Aleksander Stelmaczonek Oct 21 '20 at 15:36
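The eight steps above, run for both sides end to end and followed by the check the answer leaves out (does each signed cert actually chain to the CA the peer will trust?). This is an added example script, not code from the answer; it assumes `keytool` (from a JDK) and `openssl` are on PATH, and the password and hostnames are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): builds server and client
# keystores/truststores in a scratch directory as in steps 1-8, then verifies
# each side's signed cert against its own CA. Placeholder password/hostnames.
set -euo pipefail
PASS="${PASS:-changeit}"                 # placeholder password for every store and key
# make_side <work> <name> <cn>: steps 1-6 for one party (server or client).
make_side() {
  local d="$1/$2" side="$2" cn="$3"; mkdir -p "$d"
  # 1. key pair + self-signed placeholder cert (-genkeypair is the current name of -genkey)
  keytool -genkeypair -alias "$side" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$cn" -keystore "$d/keystore.jks" -storepass "$PASS" -keypass "$PASS"
  # 2. this side's private CA: encrypted key + self-signed CA cert
  openssl req -new -x509 -newkey rsa:2048 -days 365 -subj "/CN=$cn CA" \
    -keyout "$d/ca-key" -out "$d/ca-cert-$side" -passout "pass:$PASS"
  # 3. CSR for the keystore entry
  keytool -keystore "$d/keystore.jks" -storepass "$PASS" -alias "$side" -certreq -file "$d/cert-file"
  # 4. sign it with the CA; -CAcreateserial writes ca-cert-<side>.srl next to the CA cert
  openssl x509 -req -CA "$d/ca-cert-$side" -CAkey "$d/ca-key" -in "$d/cert-file" \
    -out "$d/cert-signed" -days 365 -CAcreateserial -passin "pass:$PASS"
  # 5-6. import the CA cert first, then the signed cert, so keytool can build the chain
  keytool -keystore "$d/keystore.jks" -storepass "$PASS" -alias CARoot -importcert -noprompt -file "$d/ca-cert-$side"
  keytool -keystore "$d/keystore.jks" -storepass "$PASS" -alias "$side" -importcert -noprompt -file "$d/cert-signed"
}

# trust_peer <work> <me> <peer>: steps 7-8, put the peer's CA cert into my truststore.
trust_peer() {
  keytool -keystore "$1/$2/truststore.jks" -storepass "$PASS" -alias "$3-ca" \
    -importcert -noprompt -file "$1/$3/ca-cert-$3"
}

# verify_chain <work> <side>: fails if cert-signed was not issued by ca-cert-<side>,
# i.e. by the very file the peer imports into its truststore.
verify_chain() {
  openssl verify -CAfile "$1/$2/ca-cert-$2" "$1/$2/cert-signed" >/dev/null
}

# run_demo <work>: build both sides and cross-trust them; non-zero on any failure.
run_demo() {
  make_side "$1" server server.example.test
  make_side "$1" client client.example.test
  trust_peer "$1" server client
  trust_peer "$1" client server
  verify_chain "$1" server && verify_chain "$1" client
}

if command -v keytool >/dev/null 2>&1; then run_demo "$(mktemp -d)" && echo "both chains verify"
else echo "keytool not found; install a JDK to run this demo" >&2; fi
```

After it runs, `keytool -list -v -keystore <work>/server/keystore.jks` should show the `server` entry with a chain length of 2 (leaf plus CA), which is what a TLS peer needs to validate it.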