For this exercise you will need the following software:

- keytool: comes with your JDK (Java Development Kit) installation.
- openssl: OpenSSL

Configuration overview

Here is the overview of the steps that need to be followed:

- create company keys & certificate
- create a certificate signing request (CSR)
- sign the CSR (or have it signed by a trusted CA)
- save your keys and the certificate in the jks keystore
Detailed steps

- create a keypair (with alias pdfcakey in this example)

```
keytool -genkey -keyalg RSA -alias pdfcakey -keypass password -validity 365 -keysize 1024 -dname "cn=PDF-CA, ou=Headquarters, o=Example Organization, c=US" -keystore pdfca-keystore.jks
```

This creates a keypair (private and public key) and self-signs it automatically. If you don't wish to use a 3rd party Certificate Authority to sign your key, you can stop here.
- create a certificate signing request (CSR) for the key pair created above (the alias must be the one holding the key pair, pdfcakey here)

```
keytool -keystore pdfca-keystore.jks -storepass aaaaaa -alias pdfcakey -keypass password -certreq -file pdfca.csr
```
- submit the CSR to a well-known 3rd party Certificate Authority of your choice to sign it
- when you receive the signed certificate pdfca.crt, import it into your keystore using a new alias (pdfcacert in this example)

```
keytool -import -trustcacerts -alias pdfcacert -file pdfca.crt -keystore pdfca-keystore.jks
```
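The keytool steps above as checkable shell functions. This is an added example, not code from the original page: it assumes a store password of changeit, a 2048-bit key (the page uses 1024) and the same alias pdfcakey for the key pair and its CSR; the entry_type check shows what kind of entry an alias holds, which is how you confirm what an import actually did.

```shell
#!/bin/sh
# Added example (not from the original page): the keytool key pair / CSR /
# reply-import steps as functions, plus a check of the resulting entry type.
# Constructed values: store password "changeit", key password "password",
# the keystore file name and the subject name below.
set -e

KS=pdfca-keystore.jks
STOREPASS=changeit
KEYPASS=password

# Step 1: generate the key pair; keytool self-signs it automatically.
create_keypair() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias pdfcakey \
        -keypass "$KEYPASS" -validity 365 \
        -dname "cn=PDF-CA, ou=Headquarters, o=Example Organization, c=US" \
        -keystore "$KS" -storepass "$STOREPASS"
}

# Step 2: the CSR is requested for the alias that holds the key pair.
create_csr() {
    keytool -certreq -alias pdfcakey -keypass "$KEYPASS" \
        -keystore "$KS" -storepass "$STOREPASS" -file pdfca.csr
}

# Step 3 (once the CA has returned the signed certificate): import it.
# With the key pair's own alias keytool treats the file as a CA reply and
# replaces that entry's certificate chain (the issuing CA certificate must
# already be trusted, via cacerts or an earlier import, or keytool refuses
# with "Failed to establish chain from reply"). With a new alias the file is
# stored as a separate trustedCertEntry and the key pair stays self-signed.
import_reply() {
    alias_name="$1"; cert_file="$2"
    keytool -importcert -trustcacerts -alias "$alias_name" -file "$cert_file" \
        -keystore "$KS" -storepass "$STOREPASS" -noprompt
}

# Check: prints PrivateKeyEntry or trustedCertEntry for the given alias.
entry_type() {
    keytool -list -keystore "$KS" -storepass "$STOREPASS" -alias "$1" \
        | grep -o -e PrivateKeyEntry -e trustedCertEntry
}

if [ "${PDFCA_DEMO:-}" = "1" ]; then
    create_keypair && create_csr
    echo "CSR written to pdfca.csr; pdfcakey is a $(entry_type pdfcakey)"
fi
```

Run it with PDFCA_DEMO=1 in an empty directory; after the CA reply arrives, import_reply pdfcakey pdfca.crt updates the key entry, while import_reply pdfcacert pdfca.crt reproduces the page's separate-alias import.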
You can find examples of 3rd party CAs here and here.

An alternative method would be to set up a local signing CA and use it for signing certificates (keeping in mind that this approach, though it could work for small-scale deployments, is not recommended for production purposes). First generate the PDF-CA key pair:

CREATE A CERTIFICATE AUTHORITY (CA)

- create a CA key

```
openssl genrsa -out ca.key 2048
```
- create a self-signed CA certificate from that key

```
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
```
CREATE A SUBORDINATE CERTIFICATE AUTHORITY (SUBCA)

- create the key for the subordinate CA

```
openssl genrsa -out subca.key 2048
```
- create a certificate signing request (CSR) for the subordinate CA (a plain request, without -x509, which would produce a self-signed certificate instead)

```
openssl req -new -key subca.key -out subca.csr
```
- have the CA sign the CSR of the subordinate CA

```
openssl x509 -req -days 3650 -in subca.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out subca.crt
```
- import the signed certificate (the certificate created from your CSR) into the Java keystore (JKS)

```
keytool -import -trustcacerts -alias pdfcacert -file subca.crt -keystore pdfca-keystore.jks
```
- convert the x509 certificate and the key to PKCS#12 format to make it importable into the Java keystore (-chain includes the CA certificate from -CAfile in the bundle)

```
openssl pkcs12 -export -in subca.crt -inkey subca.key -name keyalias -chain -CAfile ca.crt -caname root -out subca.p12
```

(use "export" as the password when prompted)
- convert the PKCS#12 file to JKS format

```
keytool -importkeystore -deststorepass storepass -destkeypass keypass -destkeystore pdfca-keystore.jks -srckeystore subca.p12 -srcstoretype PKCS12 -srcstorepass export -alias keyalias
```
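The local-CA procedure above carried through end to end, as an added example that is not part of the original page: a root CA, a subordinate CA signed by it, the PKCS#12 bundle and the keytool import, followed by a check that the chain actually verifies. The subject names, file names, the working-directory argument, the passphrase export and the explicit CA extensions (basicConstraints and keyUsage, which the page's commands do not set) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): the root CA -> sub CA ->
# PKCS#12 -> JKS steps as a checkable function. Constructed values: the
# subject names, the config/extension sections, the passphrase "export",
# and the working directory passed as $1.
set -e

build_subca_chain() (
    workdir="$1"
    mkdir -p "$workdir" && cd "$workdir"

    # Minimal OpenSSL config: a non-interactive DN for the root, plus the
    # extensions that make a certificate usable as a CA. Without these,
    # current OpenSSL versions refuse to build a chain through a v3 cert.
    cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = PDF-CA Root
O = Example Organization
C = US
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF

    # 1. root CA: private key and self-signed certificate (-x509 belongs
    #    only here).
    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -config ca.cnf -extensions v3_ca

    # 2. subordinate CA: private key and a plain CSR (no -x509, which would
    #    write a self-signed certificate instead of a request).
    openssl genrsa -out subca.key 2048
    openssl req -new -key subca.key -out subca.csr -config ca.cnf \
        -subj "/CN=PDF-CA Sub/O=Example Organization/C=US"

    # 3. root CA signs the CSR; -CAcreateserial keeps the serial counter in
    #    ca.srl, v3_subca limits the sub CA to path length 0.
    openssl x509 -req -days 3650 -in subca.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile ca.cnf -extensions v3_subca -out subca.crt

    # 4. bundle key + certificate (+ root via -certfile) as PKCS#12 so that
    #    keytool can import the whole chain; -passout avoids the prompt.
    openssl pkcs12 -export -in subca.crt -inkey subca.key -name keyalias \
        -certfile ca.crt -caname root -passout pass:export -out subca.p12

    # 5. import into a JKS keystore when a JDK is available.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -deststorepass storepass -destkeypass keypass \
            -destkeystore pdfca-keystore.jks -srckeystore subca.p12 \
            -srcstoretype PKCS12 -srcstorepass export -alias keyalias -noprompt
    fi
)

# Check: exit 0 only if subca.crt chains to ca.crt, subca.csr really is a
# request (not a certificate) and the PKCS#12 bundle opens with "export".
verify_subca_chain() {
    workdir="$1"
    openssl verify -CAfile "$workdir/ca.crt" "$workdir/subca.crt" >/dev/null &&
    openssl req -in "$workdir/subca.csr" -noout -verify >/dev/null 2>&1 &&
    openssl pkcs12 -in "$workdir/subca.p12" -passin pass:export -nokeys -noout
}

if [ "${PDFCA_DEMO:-}" = "1" ]; then
    dir=$(mktemp -d)
    build_subca_chain "$dir"
    verify_subca_chain "$dir" && echo "chain OK in $dir"
fi
```

Run it with PDFCA_DEMO=1 to build the chain in a temporary directory. The verify step is the one worth keeping in any real CA script: it catches a CSR that was accidentally generated with -x509, a certificate signed by the wrong key, and a bundle whose passphrase differs from the one keytool is later given.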
Now you will need to replace the sample certificate with your own that you just created. You can use the configuration information below, which explains how to override the sample certificate with your company certificate.