HTTPS eWay Adapter User’s Guide
Sun Microsystems, Inc.

Chapter 4: Operating SSL
Section 4.2: KeyStores and TrustStores

For the following example, openssl is used to generate the PKCS12 KeyStore. The existing key is in the file mykey.pem.txt in PEM format. The certificate is in mycertificate.pem.txt, which is also in PEM format. A text file must be created which contains the key followed by the certificate, as follows:

cat mykey.pem.txt mycertificate.pem.txt > mykeycertificate.pem.txt

The openssl pkcs12 command then generates a PKCS12 KeyStore from that file:

openssl pkcs12 -export -in mykeycertificate.pem.txt -out mykeystore.pkcs12 -name myAlias -noiter -nomaciter

This command prompts the user for a password. The password is required: the KeyStore fails to work with JSSE without a password. This password must also be supplied as the eWay’s KeyStore password (see Table 8 on page 50).

The generated KeyStore is mykeystore.pkcs12, with a single entry identified by the alias myAlias. This entry contains the private key and the certificate read from the file given by the -in argument. The -noiter and -nomaciter options must be specified to allow the generated KeyStore to be recognized properly by JSSE. Note that these two options reduce the key-encryption and MAC iteration counts to 1, which makes the password easier to brute-force offline if the file is obtained, so choose a strong password and restrict the file permissions on mykeystore.pkcs12 to the account that runs the eWay.

4.2.3 TrustStores

Creating a TrustStore

For demonstration purposes, suppose you have the following CAs that you trust: firstCA.cert, secondCA.cert, thirdCA.cert, located in the directory C:\cascerts. You can create a new TrustStore consisting of these three trusted certificates.

To create a new TrustStore

Use the following command:

keytool -import -file C:\cascerts\firstCA.cert -alias firstCA -keystore myTrustStore

keytool prompts for the TrustStore password (the first import sets it, because it creates the file), prints the certificate’s fingerprint, and asks whether to trust the certificate. Compare the fingerprint with the value obtained from the CA through a trusted channel before answering yes; anything imported here is trusted to sign every server the eWay connects to. On Java 9 or later the default store type is PKCS12, so add -storetype JKS if the TrustStore must be in JKS format.

You must enter this command two more times, but for the second and third entries, substitute secondCA and thirdCA for firstCA. Each of these command entries has the following purpose:

1 The first entry creates a KeyStore file named myTrustStore in the current working directory and imports the firstCA certificate into the TrustStore with an alias of firstCA. The format of myTrustStore is JKS.

2 For the second entry, substitute secondCA to import the secondCA certificate into the TrustStore, myTrustStore.

3 For the third entry, substitute thirdCA to import the thirdCA certificate into the TrustStore.

Once completed, myTrustStore is available to be used as the TrustStore for the eWay.
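Both procedures in this section (the openssl pkcs12 export of the KeyStore and the three keytool imports that build the TrustStore), as one added example that is not part of the HTTPS eWay Adapter User’s Guide: a POSIX shell script that generates throwaway key material in a scratch directory, builds mykeystore.pkcs12 and myTrustStore with the same commands and options the guide uses, and then lists both stores with keytool to confirm that JSSE will see one private key entry and three trusted certificates. The passwords, the self-signed test certificates, and the scratch directory standing in for C:\cascerts are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the HTTPS eWay Adapter User's Guide: builds the
# PKCS12 KeyStore (openssl pkcs12 -export -noiter -nomaciter) and the JKS
# TrustStore (keytool import) as the guide describes, then checks both with
# keytool -list. All key material is generated here as test data; the file
# names, aliases, passwords and scratch directory are assumptions.
set -eu

KS_PASS="${KS_PASS:-changeit}"   # assumed; must equal the eWay's KeyStore password
TS_PASS="${TS_PASS:-changeit}"   # assumed; must equal the eWay's TrustStore password
WORK=""                          # scratch directory, set by run_all

# Stand-ins for mykey.pem.txt and mycertificate.pem.txt: a throwaway
# self-signed key pair (constructed test material, not a real identity).
make_test_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=eway-test" \
        -keyout "$WORK/mykey.pem.txt" -out "$WORK/mycertificate.pem.txt" 2>/dev/null
}

# Guide step: key followed by certificate in one PEM file, then export to
# PKCS12 under alias myAlias. -noiter/-nomaciter are what the guide requires
# for JSSE; they also drop the PBE iteration counts to 1, so the file gets
# owner-only permissions. The password is passed through the environment
# (-passout env:) rather than on the command line, where ps could show it.
make_keystore() {
    cat "$WORK/mykey.pem.txt" "$WORK/mycertificate.pem.txt" \
        > "$WORK/mykeycertificate.pem.txt"
    KS_PASS="$KS_PASS" openssl pkcs12 -export -in "$WORK/mykeycertificate.pem.txt" \
        -out "$WORK/mykeystore.pkcs12" -name myAlias -noiter -nomaciter \
        -passout env:KS_PASS
    chmod 600 "$WORK/mykeystore.pkcs12"
}

# Stand-ins for C:\cascerts\firstCA.cert etc.: three throwaway self-signed
# CA certificates (constructed test material).
make_test_cas() {
    for ca in firstCA secondCA thirdCA; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$WORK/$ca.key" -out "$WORK/$ca.cert" 2>/dev/null
    done
}

# The value to compare against what the CA operator published before
# trusting a certificate: the SHA-256 fingerprint keytool prints.
print_fingerprint() {
    keytool -printcert -file "$1" | grep 'SHA256:'
}

# Guide step: import each CA once under its own alias; the first import
# creates myTrustStore. -storetype JKS is explicit because JDK 9+ would
# otherwise create a PKCS12 file. -noprompt skips the "Trust this
# certificate?" question and is acceptable here only because the CAs were
# generated locally; for third-party CAs check print_fingerprint first.
make_truststore() {
    for ca in firstCA secondCA thirdCA; do
        keytool -importcert -noprompt -file "$WORK/$ca.cert" -alias "$ca" \
            -keystore "$WORK/myTrustStore" -storetype JKS -storepass "$TS_PASS" \
            >/dev/null 2>&1
    done
}

# Verification: list the stores the way JSSE will load them and count entries.
count_trusted_entries() {
    keytool -list -keystore "$WORK/myTrustStore" -storetype JKS \
        -storepass "$TS_PASS" 2>/dev/null | grep -c trustedCertEntry
}

count_private_key_entries() {
    keytool -list -keystore "$WORK/mykeystore.pkcs12" -storetype PKCS12 \
        -storepass "$KS_PASS" 2>/dev/null | grep -c PrivateKeyEntry
}

run_all() {
    WORK="$(mktemp -d)"
    make_test_key_and_cert
    make_keystore
    make_test_cas
    make_truststore
    echo "KeyStore   : $WORK/mykeystore.pkcs12 ($(count_private_key_entries) private key entry)"
    echo "TrustStore : $WORK/myTrustStore ($(count_trusted_entries) trusted certificates)"
}

# Run only when both tools are present; the functions can also be sourced
# and called one at a time against real PEM files.
if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
    run_all
fi
```

Run it with sh and paste the two printed paths into the eWay’s KeyStore and TrustStore settings together with the matching passwords. In a real deployment drop the env: password handling in favour of the interactive prompt the guide describes, and answer the fingerprint question by hand after comparing it with the CA’s published value.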

Using an Existing TrustStore

This section explains how to use an existing TrustStore such as the default Logical Host
TrustStore in the location: