Need SANS? Creating a JKS keystore with openssl and keytool.

I needed to buy a single SSL cert from Verisign that works for two hostnames and can be installed on nine servers.  Wow.

To do that, you buy a SAN (Subject Alternative Name) SSL Cert.  I’m installing this cert on nine Windows 2008 R2 based Oracle Weblogic 10.3 managed servers (web servers).  They’ll be behind load balancers that hold the IP to which the two hostnames resolve.  Weblogic 10.3 managed servers easily let you point them at a java keystore to get the SSL cert so they can serve HTTPS.  Nice.  So, I need a keystore with this SAN Cert in it.  Keystores also hold the private key that identifies the server. Hmmm…

Oracle recommends using either Sun’s Cert Util – part of the Weblogic installation – or the java keytool program to create your private key and generate a certificate signing request (CSR), which is what you send to Verisign (or whomever) to get your SSL cert.  However, neither of those can put the subjectAltName extensions into the CSR, and openssl can.  I figured there must be some way to get the stuff openssl can create into a java keystore, so I set out across the GoogleScape and found this guy Nick, explaining how to do it!  There’s this cunning guy with the useful tidbit about using -alias 1.  Gotta have that.

Well, almost.  They showed me how to use keytool to turn a pkcs12 file into a java keystore.  They’d left one hole in the road.  How do I make that pkcs12 file? Well, I learned that a pkcs12 file is just a file holding both the private key and the corresponding, signed public key.  In PEM format.  Openssl outputs in PEM by default, so my private key was already in the right format.  And my self-signed cert is in PEM too – I used openssl to make it for my experiment.  I don’t think the cert from Verisign is going to be in PEM, but I know I can convert it – I’ve done that before.

So I used openssl to create my public and private key pair in PEM and then used it to generate a certificate signing request (CSR) that includes the subjectAltName x509 v3 extensions.  Here’s a blow-by-blow, actually tested recipe for doing it, using openssl 1.0.1 and the keytool program in JRE 1.6.26.

In this demo, I’m naming the files “self.*” just to keep them short and to indicate we’re working with a self-signed cert. In real life, you’d name your files something meaningful to your use. Like, I might use “oiam-external-ssl.*”

Start by making a brand new private key. Put the key length you want as the number of bits at the end of the command line. I use 2048 – a good balance between strength and speed of operations. I don’t put a passphrase on this key.

openssl genrsa -out self.key 2048

From here down, I break commands into lines to make them easier to read and understand. You could paste these as they are because I’ve put Bash line continuation characters at the end of each line. However, you may want to join them up again. If you do, keep the pieces in order because some of that order is important. Mostly the first two or three lines.

Make the CSR. Your subjectAltNames are in the openssl.cnf named in the -config option.

openssl req -new \
 -config openssl.cnf \
 -key self.key \
 -out self.csr

If you buy a cert, you skip this step.

In the test, sign the CSR (public key) with your own private key. Because we’re using the same key to sign that we used to make the CSR, we’re producing a “self-signed” certificate.

openssl x509 -req \
 -days 1450 \
 -in self.csr \
 -signkey self.key \
 -out self.crt

To make the next step a bit easier, cat the private key and signed public key files together into one. They’re BASE64 encoded blocks, commonly called PEM encoded, so they won’t get mixed up.

cat self.key self.crt > self.pem

Create the PKCS12 file and we’ll use java keytool on that to make our keystore.

Notes:

  • use the -name option to make the “alias” that marks the item in the keystore. You’ll look for this name/alias in many places in the future – choose a meaningful name/alias here.
  • Export Password: don’t leave it blank. Keytool requires that the importkeystore have a password, so set one. I use “changeit” but delete this PKCS12 file as soon as I know I have a working keystore.

openssl pkcs12 -export \
 -in self.pem \
 -out self.p12 \
 -name self-test

Create the keystore! Set a real, safe, strong password when you are asked for one. This keystore will be around a long time and you don’t want it compromised easily, right?

keytool -importkeystore \
 -srckeystore self.p12 -srcstoretype pkcs12 \
 -destkeystore self.jks -deststoretype jks
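
Here is the whole recipe above as one script, together with the piece the post leaves out: the openssl.cnf whose section carries the subjectAltName entries, and a check that the names actually made it into the CSR and the certificate. This is an added example, not the post’s own commands; the hostnames www.example.com / example.com, the section names, the passwords and the temp directory are constructed for the demo. One caveat it bakes in: openssl x509 -req does not copy the CSR’s extensions into the self-signed certificate unless you hand it -extfile and -extensions, which is why the post’s demo listing shows “Version: 1”, a certificate with no SANs at all. That only matters for the self-signed test; a CA signs the CSR with its own extension handling.

```shell
#!/bin/sh
# Added example: the post's recipe as one script, plus the openssl.cnf it assumes.
# Hostnames, section names, passwords and paths below are constructed for the demo.

# Minimal openssl.cnf: the v3_req section carries the subjectAltName list, and
# req_extensions tells "openssl req" to put that section into the CSR.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
O  = Example Inc
CN = www.example.com

[ v3_req ]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
}

# Run the full pipeline in directory $1; $2 is the JKS password (default for the demo only).
build_keystore() {
  dir=$1; jkspass=${2:-changeit}
  write_cnf "$dir/openssl.cnf"

  # 1. new private key, no passphrase, 2048 bits as in the post
  openssl genrsa -out "$dir/self.key" 2048 2>/dev/null

  # 2. CSR; the SANs come from the section named by req_extensions
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/self.key" -out "$dir/self.csr"

  # 3. self-sign for the test. Without -extfile/-extensions, x509 -req silently
  #    drops the CSR's extensions and you get a v1 certificate with no SANs.
  openssl x509 -req -days 1450 -in "$dir/self.csr" -signkey "$dir/self.key" \
    -extfile "$dir/openssl.cnf" -extensions v3_req -out "$dir/self.crt" 2>/dev/null

  # 4. key + cert in one PEM file, named explicitly so the CSR is not swept in
  cat "$dir/self.key" "$dir/self.crt" > "$dir/self.pem"

  # 5. PKCS#12 carrying the alias keytool will show; the export password must not be empty
  openssl pkcs12 -export -in "$dir/self.pem" -out "$dir/self.p12" \
    -name self-test -passout pass:changeit

  # 6. JKS via keytool, when a JRE is on the PATH
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt \
      -srckeystore "$dir/self.p12" -srcstoretype pkcs12 -srcstorepass changeit \
      -destkeystore "$dir/self.jks" -deststoretype jks -deststorepass "$jkspass"
  fi
}

# True when the CSR's subjectAltName carries DNS:$2
csr_has_san() { openssl req -noout -text -in "$1" | grep -q "DNS:$2"; }
# True when the certificate's subjectAltName carries DNS:$2
cert_has_san() { openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; }
# X.509 version of a certificate: "3" when extensions are present, "1" when not
cert_version() { openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }
# The friendlyName (the alias keytool lists) stored in a PKCS#12 file; $2 is its password
p12_alias() {
  openssl pkcs12 -in "$1" -passin pass:"$2" -nokeys -info 2>/dev/null |
    sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Stand-alone run: ./san-keystore.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  build_keystore "$work" "change-me-to-a-strong-password"
  echo "CSR has SAN:   $(csr_has_san "$work/self.csr" www.example.com && echo yes || echo no)"
  echo "cert version:  $(cert_version "$work/self.crt")"
  echo "p12 alias:     $(p12_alias "$work/self.p12" changeit)"
  [ -f "$work/self.jks" ] && keytool -list -keystore "$work/self.jks" -storepass "change-me-to-a-strong-password"
fi
```

Once keytool -list shows the entry, delete the PKCS12 file as the post says; it holds the private key under a throwaway password. If you build the PKCS12 with OpenSSL 3.x and must import it into an old JRE such as the 1.6 used on this page, add -legacy to the pkcs12 -export step, since OpenSSL 3 otherwise writes AES/PBKDF2-protected bags that old keytool versions cannot read.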

And that’s it. You can verify you’ve got a functioning keystore with this command. You’ll need the password you just set. I’ll put the output I see in the demo just below so you know what to expect from both commands:

COMMAND:
keytool -list -keystore self.jks

OUTPUT:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
self-test, Jun 1, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): AE:B5:3B:F5:DD:42:6F:38:C2:BA:EF:57:B2:26:12:AB

And here’s the verbose command and output. See the -v after the -list option?

COMMAND:
keytool -list -v -keystore self.jks

OUTPUT:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: self-test
Creation date: Jun 1, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=oif.ansys.com, OU=Information Technology, O=ANSYS Inc., L=Canonsburg, ST=Pennsylvania, C=US
Issuer: CN=oif.ansys.com, OU=Information Technology, O=ANSYS Inc., L=Canonsburg, ST=Pennsylvania, C=US
Serial number: 84xcfasdfxcvxca8
Valid from: Fri Jun 01 16:05:49 EDT 2012 until: Tue May 31 16:05:49 EDT 2016
Certificate fingerprints:
 MD5: AE:B5:3B:F5:DD:42:6F:38:C2:BA:EF:57:B2:26:12:AB
 SHA1: 84:5B:7F:A0:A0:88:DC:EE:E7:BB:9C:90:6D:04:B1:53:65:A2:11:BD
 Signature algorithm name: SHA1withRSA
 Version: 1
*******************************************
*******************************************
