Java keytool/openssl useful commands
Here are some useful commands when manipulating Java keystores. (I will update this post from time to time)
(default keystore password: changeit)
Import a certificate into a Java keystore (the path below assumes JAVA_HOME points at the JDK/JRE, as in the loop further down)
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file mycertificate.der
Create a truststore from a PEM file (on JDK 8 and older the default store type is JKS, so pass -storetype PKCS12 explicitly to get a real PKCS12 file; JDK 9+ defaults to PKCS12)
keytool -import -file CA-Certificates.pem -alias firstCA -keystore truststore.pkcs12 -storetype PKCS12
Create a truststore from a CER file
keytool -keystore truststore.jks -import -file my-cert.cer
Import a list of certificates into a Java keystore (one file per certificate; the file name is used as the alias, so every alias is unique)
#!/bin/bash
for file in /app/certs/*
do
    # skip directories and anything that is not a regular file
    if [[ -f "$file" ]]; then
        # -noprompt skips the "Trust this certificate?" question, -storepass avoids the password prompt
        keytool -noprompt -storepass changeit -import -keystore "$JAVA_HOME/jre/lib/security/cacerts" -file "$file" -alias "$file"
    fi
done
List the certificates of a keystore in a file report.txt
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts > report.txt
Get the TLS certificate from an endpoint (</dev/null closes stdin so s_client exits after the handshake instead of waiting for input; -servername sends the host name as SNI so a virtual-hosted server returns the right certificate)
openssl s_client -connect b-2.k01-tst-cluster.kaocgp.c2.kafka.ap-southeast-2.amazonaws.com:9094 -servername b-2.k01-tst-cluster.kaocgp.c2.kafka.ap-southeast-2.amazonaws.com </dev/null > out.txt
# in out.txt: extract the text starting from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (inclusive) and save it as a .cer file
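The two steps above (capture the server chain, cut out the PEM blocks, import them) can be scripted end to end. The script below is an added example, not part of the original post: fetch_chain wraps the s_client call with -showcerts so the whole chain is captured, split_certs writes every BEGIN/END CERTIFICATE block to its own .cer file and prints how many it found, and import_certs loads those files into a keystore the way the loop above does. The host name, file names and the PEM bodies in the built-in sample are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): capture, split and import a TLS chain.

# fetch_chain HOST PORT OUTFILE
# Capture the server's certificate chain. -showcerts prints every certificate the
# server sends, -servername sets SNI, </dev/null makes s_client exit after the handshake.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null >"$3"
}

# split_certs INFILE OUTPREFIX
# Write each -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block (markers
# included) to OUTPREFIX-N.cer and print the number of blocks written to stdout.
split_certs() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".cer" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# import_certs KEYSTORE STOREPASS FILE...
# Import each file into KEYSTORE, using the file name without extension as the alias
# so that every entry gets a distinct, readable alias.
import_certs() {
    ks=$1; pass=$2; shift 2
    for f in "$@"; do
        [ -f "$f" ] || continue
        keytool -noprompt -storepass "$pass" -import -keystore "$ks" \
            -file "$f" -alias "$(basename "$f" .cer)"
    done
}

# Offline demonstration on a constructed s_client-style capture (the base64 bodies are
# placeholders, not real certificates). Real usage:
#   fetch_chain broker.example.invalid 9094 out.txt
#   split_certs out.txt broker
#   import_certs truststore.jks changeit broker-*.cer
demo_dir=$(mktemp -d)
cat >"$demo_dir/out.txt" <<'EOF'
CONNECTED(00000003)
depth=1 CN = Constructed Test CA
---
Certificate chain
 0 s:CN = broker.example.invalid
   i:CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
 1 s:CN = Constructed Test CA
   i:CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQg==
Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==
-----END CERTIFICATE-----
---
EOF
n=$(split_certs "$demo_dir/out.txt" "$demo_dir/broker")
echo "wrote $n certificate file(s) under $demo_dir"
```

Run the demonstration as-is to see the split step; for a live endpoint replace the sample with fetch_chain output. Importing the whole chain is only appropriate when you actually intend to trust that CA: for pinning a single server it is usually better to import just broker-1.cer (the leaf) and to check its fingerprint with openssl x509 -noout -fingerprint -sha256 -in broker-1.cer against an out-of-band source before trusting it.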
Create a PKCS12 keystore with a Certificate+Private Key and a CA Root Certificate
openssl pkcs12 -export -in my-certificate.crt -inkey my-private-key.key -out keystore.pkcs12 -name camp.cogeco.com -CAfile ca-certificate.crt -caname root
Create a PKCS12 keystore with a Certificate+Private Key
cat private-key.key certificate-chain.crt > fullcertif.pem.txt
openssl pkcs12 -export -in fullcertif.pem.txt -out keystore.pkcs12 -name sub.your.domain.com -noiter -nomaciter
rm fullcertif.pem.txt
Note: -noiter and -nomaciter turn off the iteration counts of the key-encryption and MAC key derivation, which makes the export password much cheaper to brute-force; only keep them when an old consumer cannot read a PKCS12 file created with the defaults. The temporary file holds the private key in clear, hence the rm right after the export.