If you try to create a trust store with a format of Java Key Store you get a message saying you should not be using a propriety format. After some digging around, I have found out how to create a database with a format of pkcs12 (or .p12 as it is also known).
To make a PKCS12 keystore (including the private key)
You can use open ssl to create the two parts, (public and private), and get the public part signed.
You can then create a .p12entry using
password=”-passout file:password.file -passin file:password.file”
name=”colincert”
ca=”-CAfile capem -chain “
openssl pkcs12 -export -inkey $name.key.pem -in $name.pem -out $name.p12 -name $name $password $ca
To make a key store, importing the .p12s with the private keys, use
rm mykey.p12
ks=” -importkeystore -destkeystore mytrust.p12″
dest=”-deststoretype pkcs12 -deststorepass password”
src=”-srcstoretype PKCS12 -srcstorepass password”
keytool $ks $src $dest -srckeystore ecec.p12
keytool $ks $src $dest -srckeystore ss.p12
keytool -list -v -keystore mykey.p12 -storepass password
By default it uses the alias from the -name in the openssl command.
Using the -list command without the verbose option (-v) gives
keytool -list -keystore mykey.p12 -storepass password
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains … entries
ecec, 21-Jan-2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): C3:3D:98:D1:45:DF:44:F0:13:FE:87:D9:3E:CC:22:33:A8:D6:24:91
mqweb, 21-Jan-2021, PrivateKeyEntry,
…
So we can see this is a PKCS12 keystore with entries with a Private Key in them.
To make a trust store
A trust store only has the public parts, it does not have the private key, so creating an intermediate .p12 file does not work, you have to use the public .pem files.
rm mytrust.p12
ks=” -import -keystore mytrust.p12 -deststoretype pkcs12″
password=“-storepass:file password.file”
keytool $ks $password -file ecec.pem -alias ecec
keytool $ks $password -file ss.pem -alias ss
keytool -list -v -keystore mytrust.p12 $password
This example uses the password stored in the file password.file, rather than specifying it in the command.
You have to supply the -alias, as it defaults to “mykey”. If you add multiple entries with the default, you only get one entry in the keystore.
Using the -list command without the verbose option (-v) gives
keytool -list -keystore mytrust.p12 -storepass:file password.file
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
ecec, 21-Jan-2021, trustedCertEntry,
Certificate fingerprint (SHA1): C3:3D:98:D1:45:DF:44:F0:13:FE:87:D9:3E:CC:22:33:A8:D6:24:91
ss, 21-Jan-2021, trustedCertEntry,
Certificate fingerprint (SHA1): E9:D1:69:49:5B:D3:B4:3C:E8:44:5A:C1:2C:A2:D6:5D:FB:47:61:E7
So we can see this is a PKCS12 keystore, and has the expected entries which are Trusted Certificate Entries.
ColinPaice 