Thursday, January 15, 2009

Keytool CheatSheet

-----Original Message-----
From: ext Mark Thomas
Sent: Friday, January 16, 2004 5:20 PM
To: 'Tomcat Users List'
Subject: RE: Using CA-issued certificates in Tomcat 5

Try this - don't delete the alias before importing the response.

What happens is:
> keytool -genkey -alias tomcat -keyalg RSA
Creates your private and public key
> keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
wraps a copy of your _public_ key in a certificate request
> ... got the certs...
CA uses their private key to sign your public key - this is essentially your
> keytool -delete -alias tomcat
This deletes your private key. This is bad.
> keytool -import -alias root -trustcacerts -file rootcert.cer
(root/intermediate/chain cert, as appropriate for the CA)
Adds the public key of your CA to your trusted certs.
> keytool -import -alias tomcat -trustcacerts -file testcert.cer
With your private key still in place, this replaces your unsigned public key
with a signed public key

You may find that the format the cert comes back in is not compatible with
keytool. I normally do the following:
1. In windows, change extension to .cer
2. Double click on .cer file.
3. On "Details" tab click "Copy to file..."
4. Select the .p7b output format and tick the box to include all certs in path.
5. Specify a file name.
6. Use keytool to import this file.

Sorry this is a windows solution, but if you don't use windows, as long as you
can get access to a windows box you should be able to do this.