Java keytool/openssl useful commands

Here are some useful commands when manipulating Java keystores. (I will update this post from time to time)

(default keystore password: changeit)

Import a certficate into a Java keystore

keytool -import -keystore /jre/lib/security/cacerts -file mycertificate.der

Create a truststore from a PEM file

keytool -import -file CA-Certificates.pem -alias firstCA -keystore truststore.pkcs12

Create a truststore from a CER file

keytool -keystore truststore.jks -import -file my-cert.cer

Import a list of certificates into a Java keystore

#!/bin/bash

for file in /app/certs/* 
do
    if [[ -f $file ]]; then
        keytool -noprompt -storepass changeit -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file $file -alias $file
    fi
done

List the certificates of a keystore in a file report.txt

keytool -list -v -keystore /jre/lib/security/cacerts > report.txt

Get TLS certificate from an endpoint

openssl s_client -connect b-2.k01-tst-cluster.kaocgp.c2.kafka.ap-southeast-2.amazonaws.com:9094 > out.txt

# in out.txt: extract text starting from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save it as a .cer file

Create a PKCS12 keystore with a Certificate+Private Key and a CA Root Certificate

openssl pkcs12 -export -in my-certificate.crt -inkey my-private-key.key -out keystore.pkcs12 -name camp.cogeco.com -CAfile ca-certificate.crt -caname root

Create a PKCS12 keystore with a Certificate+Private Key

cat private-key.key certificate-chain.crt > fullcertif.pem.txt
openssl pkcs12 -export -in fullcertif.pem.txt -out keystore.pkcs12 -name sub.your.domain.com -noiter -nomaciter
rm fullcertif.pem.txt