How to create a certificate chain using keytool?
I want to create certificate chain in java as follows:
ca.mycompany.com
|--asia.mycompany.com
|--india.mycompany.com
where ca.mycompany.com is a root certificate (self signed).
I know this is possible with OpenSSL. But is it possible to to achieve this with keytool?
If not, can I achieve this with Mozilla NSS library?
Solution
There is an example in the keytool documentation that shows how to do this:
keytool -genkeypair -keystore root.jks -alias root -ext bc:c
keytool -genkeypair -keystore ca.jks -alias ca -ext bc:c
keytool -genkeypair -keystore server.jks -alias server
keytool -keystore root.jks -alias root -exportcert -rfc > root.pem
keytool -storepass <storepass> -keystore ca.jks -certreq -alias ca | keytool -storepass <storepass> -keystore root.jks -gencert -alias root -ext BC=0 -rfc > ca.pem
cat root.pem ca.pem > cachain.pem
keytool -keystore ca.jks -importcert -alias ca -file cachain.pem
keytool -storepass <storepass> -keystore server.jks -certreq -alias server | keytool -storepass <storepass> -keystore ca.jks -gencert -alias ca -ext ku:c=dig,keyEncipherment -rfc > server.pem
cat root.pem ca.pem server.pem > serverchain.pem
keytool -keystore server.jks -importcert -alias server -file serverchain.pem
You can also generate certificate chains pretty easily with KeyStore Explorer:
- Create a new key pair, which implies creating a self-signed certificate (the root CA).
- Right click on root CA certificate and select "Sign New Key Pair", this creates the sub CA certificate and key pair.
- Right click on sub CA certificate and select "Sign New Key Pair" again.
The resulting chain:
- How to simulate non-SNI browsers (without SNI support)?
- How to access phpmyadmin on DDEV Windows 10 pro localhost with SSL record too long error
- cURL with SSL certificates fails: error 58 unable to set private key file
- Specifying Arduino WiFiClientSecure Certificates
- maxscale cannot find gtid_binlog_pos
- FreeSWITCH TLS error in 'Client Hello' Request
- ASP.NET Core Development Certificates - error exporting the HTTPS developer certificate
- Get certificate's public key in the PKCS8 format
- Why is Firefox not trusting my self-signed certificate?
- Difference between pem, crt, key files
- Is it a good idea to distribute docker image containing my selfsigned certificate?
- PKIX path building failed: unable to find valid certification path to requested target on chaincode commit on Hyperledger Fabric production network
- OkHTTP (v3.0.0-RC1) Post Request with Parameters
- SSL handshake error (CERTIFICATE_VERIFY_FAILED) in grpc++
- Convert .pem to .crt and .key
- How can I decode a SSL certificate using python?
- How to Create Secure(TLS/SSL) Websocket Server
- The client and server cannot communicate, because they do not possess a common algorithm - ASP.NET C# VB Visual Basic IIS TLS 1.0 / 1.1 / 1.2
- javax.net.ssl.SSLException: Certificate for <> doesn't match any of the subject alternative names: []
- MSSQL with SSL: The target principal name is incorrect
- How can I add a Subject to my email to send via SMTP?
- SSL module in Python is not available (on OSX)
- Spring Boot 3.4 new feature : How to config SSLBundle works with RestClient?
- postgres r2dbc gives ssl error but connects using jpa
- Can Spring Boot's SSLBundle work with certificates without CA (just mutual authenticated, not CA)?
- kex_exchange_identification: Connection closed by remote host
- Is the Apple Push Notification service SSL (Sandbox & Production) certificate universal?
- Nginx reverse proxy to Heroku fails SSL handshake
- Is a Wild Card SSL Certificate recommended?
- Bouncy Castle Configuration for TLS