How to create a certificate chain using keytool?
I want to create certificate chain in java as follows:
ca.mycompany.com
|--asia.mycompany.com
|--india.mycompany.com
where ca.mycompany.com is a root certificate (self signed).
I know this is possible with OpenSSL. But is it possible to to achieve this with keytool?
If not, can I achieve this with Mozilla NSS library?
Answer
There is an example in the keytool documentation that shows how to do this:
keytool -genkeypair -keystore root.jks -alias root -ext bc:c
keytool -genkeypair -keystore ca.jks -alias ca -ext bc:c
keytool -genkeypair -keystore server.jks -alias server
keytool -keystore root.jks -alias root -exportcert -rfc > root.pem
keytool -storepass <storepass> -keystore ca.jks -certreq -alias ca | keytool -storepass <storepass> -keystore root.jks -gencert -alias root -ext BC=0 -rfc > ca.pem
cat root.pem ca.pem > cachain.pem
keytool -keystore ca.jks -importcert -alias ca -file cachain.pem
keytool -storepass <storepass> -keystore server.jks -certreq -alias server | keytool -storepass <storepass> -keystore ca.jks -gencert -alias ca -ext ku:c=dig,keyEncipherment -rfc > server.pem
cat root.pem ca.pem server.pem > serverchain.pem
keytool -keystore server.jks -importcert -alias server -file serverchain.pem
You can also generate certificate chains pretty easily with KeyStore Explorer:
- Create a new key pair, which implies creating a self-signed certificate (the root CA).
- Right click on root CA certificate and select "Sign New Key Pair", this creates the sub CA certificate and key pair.
- Right click on sub CA certificate and select "Sign New Key Pair" again.
The resulting chain:
