
JDK provides a command-line tool, keytool, to handle key and certificate generation. This tool has a set of options which can be used to generate keys, create certificates, import keys, install certificates, export certificates, and so on. In this tutorial, we will show how to create a certificate chain using keytool. If you want to understand how to create a certificate chain programmatically, please refer to Generate certificate in Java -- Certificate chain.

To begin, we first generate a key pair which will be used as the CA; its private key will be used to sign the certificates it issues.

keytool -genkeypair -alias ca -keystore test.jks -dname "CN=CA" -storepass password -keypass password -ext bc=ca:true

Note that a BasicConstraints extension is added here (-ext bc=ca:true) to mark the certificate as a CA certificate.

Then generate a second key pair, whose certificate will be signed by the CA above.

keytool -genkeypair -alias leaf -keystore test.jks -dname "CN=Leaf" -storepass password -keypass password

Next, a certificate request for the "CN=Leaf" certificate needs to be created.

keytool -certreq -keystore test.jks -storepass password -alias leaf -file leaf.csr

Now create the certificate from the certificate request generated above.

keytool -gencert -keystore test.jks -storepass password -alias ca -infile leaf.csr -outfile leaf.cer

An output certificate file leaf.cer will be created. Now let's see what its content is.

keytool -printcert -file leaf.cer

The certificate will look like:

Owner: CN=Leaf
Issuer: CN=CA
Serial number: 49fdb896
Valid from: Thu Dec 17 20:44:51 CST 2015 until: Wed Mar 16 20:44:51 CST 2016
Certificate fingerprints:
  MD5: EE:C8:78:72:69:C0:45:2C:DA:C6:E5:A9:6C:F9:A6:33
  SHA1: DC:21:3A:7A:6B:BE:55:2A:24:0D:A0:F3:7B:FA:AD:B7:B3:E9:6B:88
  SHA256: 78:11:E2:42:37:66:16:1D:02:02:03:1B:36:91:FC:C9:98:10:28:43:B6:0E:A2:63:34:93:9F:77:EA:D9:15:AB
  Signature algorithm name: SHA1withDSA
  Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 24 67 26 EE 9F 42 BE BF CE 9E 8B 4D 8E 1E BD AF $g&..B.....M....
0010: 97 82 3D E4 ..=.
]
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 19 D0 58 48 6B 41 4B 0E 24 42 3A FF 60 38 69 #..XHkAK.$B:.`8i
0010: F1 63 11 12 .c..
]
]

From the certificate, we can see its issuer is "CN=CA".

This certificate can be imported into some other keystore or truststore so that it can be used to verify the server's identity in the future.

keytool -importcert -keystore test.jks -storepass password -file leaf.cer

Or it can be installed into the original keystore to become the leaf certificate of the certificate chain for alias leaf.

keytool -importcert -keystore test.jks -storepass password -file leaf.cer -alias leaf

After installing the certificate, you will find that the entry with alias leaf has a chain of two certificates.

Alias name: leaf
Creation date: Dec 17, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Leaf
Issuer: CN=CA
Serial number: 49fdb896
Valid from: Thu Dec 17 20:44:51 CST 2015 until: Wed Mar 16 20:44:51 CST 2016
Certificate fingerprints:
  MD5: EE:C8:78:72:69:C0:45:2C:DA:C6:E5:A9:6C:F9:A6:33
  SHA1: DC:21:3A:7A:6B:BE:55:2A:24:0D:A0:F3:7B:FA:AD:B7:B3:E9:6B:88
  SHA256: 78:11:E2:42:37:66:16:1D:02:02:03:1B:36:91:FC:C9:98:10:28:43:B6:0E:A2:63:34:93:9F:77:EA:D9:15:AB
  Signature algorithm name: SHA1withDSA
  Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 24 67 26 EE 9F 42 BE BF CE 9E 8B 4D 8E 1E BD AF $g&..B.....M....
0010: 97 82 3D E4 ..=.
]
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 19 D0 58 48 6B 41 4B 0E 24 42 3A FF 60 38 69 #..XHkAK.$B:.`8i
0010: F1 63 11 12 .c..
]
]
Certificate[2]:
Owner: CN=CA
Issuer: CN=CA
Serial number: 768422fa
Valid from: Thu Dec 17 20:35:40 CST 2015 until: Wed Mar 16 20:35:40 CST 2016
Certificate fingerprints:
  MD5: 19:FC:D0:AA:59:EA:52:DC:35:35:65:46:0A:AF:91:4F
  SHA1: BA:17:1B:33:95:4E:1C:7B:68:B0:4C:EE:1C:D8:F4:6A:EE:25:8E:B0
  SHA256: 99:5B:90:82:99:8D:79:FA:AA:E7:72:B1:C6:76:FE:2A:65:5F:B7:EF:C9:3C:A4:55:C6:27:E2:62:D3:01:99:79
  Signature algorithm name: SHA1withDSA
  Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 24 67 26 EE 9F 42 BE BF CE 9E 8B 4D 8E 1E BD AF $g&..B.....M....
0010: 97 82 3D E4 ..=.
]
]
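
The chain can also be checked from Java rather than by reading the listing. The following is an added example, not part of the original tutorial: it loads test.jks, confirms that the entry for alias leaf holds two certificates, verifies the leaf's signature against the CA's public key, checks the CA's BasicConstraints, and runs a PKIX path validation with the CA as the only trust anchor. It assumes Java 9 or later and that the keytool commands above were run in the current directory; the class name VerifyLeafChain is hypothetical.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

// Added example (hypothetical class name). Run from the directory holding test.jks.
public class VerifyLeafChain {
    public static void main(String[] args) throws Exception {
        // Store name, password and alias are the ones used by the keytool commands.
        KeyStore ks = KeyStore.getInstance(new File("test.jks"), "password".toCharArray());

        Certificate[] chain = ks.getCertificateChain("leaf");
        if (chain == null || chain.length != 2) {
            throw new IllegalStateException("expected a chain of 2 for alias leaf, got "
                    + (chain == null ? 0 : chain.length));
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        X509Certificate ca = (X509Certificate) chain[1];

        // The issuer name alone proves nothing; verify() checks the actual signature.
        leaf.verify(ca.getPublicKey());   // throws SignatureException on mismatch
        ca.verify(ca.getPublicKey());     // the CA certificate is self-signed

        // -ext bc=ca:true shows up here: -1 means "not a CA",
        // Integer.MAX_VALUE means CA with no path length limit.
        if (ca.getBasicConstraints() < 0) {
            throw new IllegalStateException("issuer certificate is not marked as a CA");
        }

        // Full PKIX validation with the CA as the only trust anchor. Revocation checking
        // is off because this test CA publishes no CRL or OCSP responder.
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(List.of(leaf));
        PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);

        System.out.println("chain OK: " + leaf.getSubjectX500Principal()
                + " issued by " + ca.getSubjectX500Principal());
    }
}
```

The PKIX step also checks validity dates, so it fails once the certificates have passed their "until" date.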

With this tutorial, you should be able to create any kind of certificate or certificate chain you want. Obviously, if you want to create something that can be used in a production environment, you need to find a trusted CA such as VeriSign.

This is just a tutorial going through how a certificate chain is created. If you want to know more about keystores, you can refer to Different types of keystore in Java -- Overview.