Creating an SSL keystore for your microservice

After exporting your private key and certificate, create a keystore using the keytool command line tool.

About this task

The keytool command line tool is included with Java. For more information about this tool, refer to http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html.

Procedure

  1. Run the following OpenSSL tool command to turn your private key and CA certificate into an export file:
    openssl pkcs12 -export -in CERTIFICATE.CER -inkey KEY.FILE -name "CA CERTIFICATE" -out CA_CERTIFICATE.P12
    where:
    • CERTIFICATE.CER is the filename of your CA certificate
    • KEY.FILE is the filename of your private key
    • CA CERTIFICATE is a human-readable description of the export file
    • CA_CERTIFICATE is the name of the export file, with extension .p12.
    The tool creates an export file, prompting you for a password while doing so. Note down this password.
  2. Run the following keytool command (on one line) to import your file into a keystore file:
    keytool -importkeystore -deststorepass DESTSTOREPASSWORD -destkeypass KEYPASSWORD -destkeystore FILENAME.JKS 
     -srckeystore CA_CERTIFICATE.P12 -srcstoretype PKCS12 -srcstorepass SRCSTOREPASSWORD -srcalias ALIAS
    where:
    • DESTSTOREPASSWORD is a password you want to set for this keystore.
    • KEYPASSWORD is a password you want to set for this key.
    • FILENAME.JKS is the file name for the keystore you are generating (extension .jks).
    • CA_CERTIFICATE.P12 is your export file from the previous step, with extension .p12.
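    • SRCSTOREPASSWORD is the password you set when generating the .p12 file.
    • ALIAS is the alias you want to set for this keystore. It must match the name given with the -name switch in the previous step, because srcalias selects the entry to import from the .p12 file. (Because the value of the destalias switch defaults to the value of srcalias, destalias does not need to be specified.)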
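
The two steps above, run end to end as an added example (not part of the original documentation). It passes each password through an environment variable (`-passout env:` for openssl, the `:env` modifier for keytool) so that none appears in the process list or shell history, then checks that the keystore holds a private key entry. The file names, alias, passwords and the self-signed certificate are constructed sample values, and `build_keystore` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: build the keystore without putting passwords on the command line.
# The function body runs in a subshell, so the exports and umask do not leak out.
build_keystore() (
    dir=$1
    alias_name="microservice-tls"   # -name in step 1 and -srcalias in step 2 must match

    # Constructed sample passwords; in real use, load them from a secret store.
    # Store and key password are equal: PKCS12-format keystores do not support
    # a separate key password.
    SRC_PASS="sample-p12-pass"; DEST_PASS="sample-store-pass"; KEY_PASS="sample-store-pass"
    export SRC_PASS DEST_PASS KEY_PASS

    umask 077   # key material and keystores readable by the owner only

    # Constructed stand-in for the exported private key and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=microservice.example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || exit 1

    # Step 1: bundle key and certificate into a PKCS#12 export file.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name "$alias_name" -out "$dir/microservice.p12" -passout env:SRC_PASS || exit 1

    # Step 2: import the export file into the keystore.
    keytool -importkeystore -noprompt \
        -deststorepass:env DEST_PASS -destkeypass:env KEY_PASS \
        -destkeystore "$dir/microservice.jks" \
        -srckeystore "$dir/microservice.p12" -srcstoretype PKCS12 \
        -srcstorepass:env SRC_PASS -srcalias "$alias_name" >/dev/null 2>&1 || exit 1

    # Check: the alias must exist and hold a private key, not only a certificate.
    keytool -list -keystore "$dir/microservice.jks" -storepass:env DEST_PASS \
        -alias "$alias_name" 2>/dev/null | grep -q "PrivateKeyEntry" || exit 1

    # The plaintext key and the intermediate .p12 are no longer needed.
    rm -f "$dir/key.pem" "$dir/microservice.p12"
)

# Usage: sh build_keystore.sh /path/to/output-dir
if [ "$#" -gt 0 ]; then build_keystore "$1"; fi
```

A non-zero exit status means one of the steps failed or the imported entry is not a private key entry.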