Java Keytool is a key and certificate management utility. It allows users to manage their public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default, the Java keystore is implemented as a file. It protects private keys with a password. A Keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.
Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file that will initially only contain the private key. You will then generate a CSR and have a certificate generated from it. Then you will import the certificate to the keystore including any root certificates. Java Keytool also several other functions that allow you to view the details of a certificate or list the certificates contained in a keystore or export a certificate.
In light-4j platform, both one-way and two-way TLS are supported. There are four files that might be used:
These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.
If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.
server keystore and truststore
Once the server keystore and truststore are ready, copy them to src/main/resources/config folder or externalized config folder. At the same time, update server.yml and secret.yml for keystoreName, truststoreName, keystorePass, keyPass and truststorePass. Please note that the password in secret.yml can be encrypted.
# Server configuration
# This is the default binding address if the service is dockerized.
# Http port if enableHttp is true.
# Enable HTTP should be false on official environment.
# Https port if enableHttps is true.
# Enable HTTPS should be true on official environment.
# Http/2 is enabled. When Http2 is enable, enableHttps is true and enableHttp is false by default.
# If you want to have http enabled, enableHttp2 must be false.
# Keystore file name in config folder. KeystorePass is in secret.yml to access it.
# Flag that indicate if two way TLS is enabled. Not recommended in docker container.
# Truststore file name in config folder. TruststorePass is in secret.yml to access it.
# Unique service identifier. Used in service registration and discovery etc.
# Flag to enable service registration. Only be true if running as standalone Java jar.
And update secret.yml for passwords
# This file contains all the secrets for the server in order to manage and
# secure all of them in the same place. In Kubernetes, this file will be
# mapped to Secrets and all other config files will be mapped to mapConfig
# Key store password, the path of keystore is defined in server.yml
# Key password, the key is in keystore
# Trust store password, the path of truststore is defined in server.yml
# Client secret for OAuth2 server
client keystore and truststore
For one-way TLS, only client.truststore is used and you need to import the server certificate into it. For two-way TLS, both client.keystore and client.truststore will be used.
Here is an example TLS section of the client.yml config. For the same encryption reason, the password for client keystore and private key, as well as password for client truststore, will be in the secret.yml file.
# Settings for TLS
# if the server is using self-signed certificate, this need to be false. If true, you have to use CA signed certificate
# or load truststore that contains the self-signed cretificate.
# trust store contains certifictes that server needs. Enable if tls is used.
# trust store location can be specified here or system properties javax.net.ssl.trustStore and password javax.net.ssl.trustStorePassword
# key store contains client key and it should be loaded if two-way ssl is uesed.
# key store location