For SSL operation, the server always needs a key pair. If the server
runs in peer authentication mode (the server authenticates the
clients), then each client needs its own key pair. In general, if one
end of the communication wants to authenticate its partner, then the
first end needs to install a certificate generated by the partner.
The key pair is located in a file which is called a key store
and the JDK's SSL provider needs the system properties
javax.net.ssl.keyStore and
javax.net.ssl.keyStorePassword to access the key
store.
The certificates of trusted parties are installed in a file called a
trust store. The JDK's SSL provider needs the system properties
javax.net.ssl.trustStore and
javax.net.ssl.trustStorePassword to access the trust
store.
Key pair generation
Key pairs are generated with keytool -genkey. The
simplest way to generate a key pair is to do
keytool -genkey -alias <alias> -keystore <keystore>
keytool will prompt for needed information like
identity details and passwords.
Consult the JDK documentation for more information on
keytool.
Certificate generation
Certificates are generated with keytool -export like this:
keytool -export -alias <alias> -keystore <keystore> \
-rfc -file <certificate file>
The certificate file may then be distributed to the relevant parties.
Certificate installation
Installation of a certificate in a trust store is done with
keytool -import like this:
keytool -import -alias <alias> -file <certificate file> \
-keystore <trust store>
Examples
Generate the server key pair:
keytool -genkey -alias myDerbyServer -keystore serverKeyStore.key
Generate a server certificate:
keytool -export -alias myDerbyServer -keystore serverKeyStore.key \
-rfc -file myServer.cert
Generate a client key pair:
keytool -genkey -alias aDerbyClient -keystore clientKeyStore.key
Generate a client certificate:
keytool -export -alias aDerbyClient -keystore clientKeyStore.key \
-rfc -file aClient.cert
Install a client certificate in the server's trust store:
keytool -import -alias aDerbyClient -file aClient.cert \
-keystore serverTrustStore.key
Install the server certificate in a client's trust store:
keytool -import -alias myDerbyServer -file myServer.cert \
-keystore clientTrustStore.key
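The exchange from the examples above as a non-interactive script, followed by a check that the certificate installed in each trust store is the one that was exported. This is an added example, not part of the Derby documentation; it uses the current keytool command names (-genkeypair, -exportcert and -importcert are the names behind the page's -genkey, -export and -import), and the passwords, distinguished names and validity period are sample values.

```shell
# Added example, not part of the Derby documentation: the page's keytool steps run
# non-interactively, followed by a check that the certificate installed in each
# trust store carries the same SHA-256 fingerprint as the exported file.
# Passwords, distinguished names and the validity period are sample values.
set -eu
STOREPASS=changeit   # sample password shared by all stores here; keep real ones secret
# First SHA-256 fingerprint in keytool output: 32 hex pairs joined by colons
# (95 characters), as printed by both -printcert and -list -v.
fingerprint() {
  grep -o '[0-9A-Fa-f][0-9A-Fa-f]\(:[0-9A-Fa-f][0-9A-Fa-f]\)\{31\}' | head -n 1
}

# make_identity <alias> <key store> <certificate file> <CN>: key pair generation
# and certificate export; -dname/-storepass/-keypass stop keytool prompting.
make_identity() {
  keytool -genkeypair -alias "$1" -keystore "$2" -keyalg RSA -validity 365 \
    -dname "CN=$4, O=Example" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null
  keytool -exportcert -alias "$1" -keystore "$2" -storepass "$STOREPASS" \
    -rfc -file "$3" >/dev/null
}

# install_cert <alias> <certificate file> <trust store>: certificate installation;
# -noprompt answers the "Trust this certificate?" question.
install_cert() {
  keytool -importcert -noprompt -alias "$1" -file "$2" -keystore "$3" \
    -storepass "$STOREPASS" >/dev/null
}

# verify_installed <alias> <certificate file> <trust store>: succeeds only when
# the trust-store entry is the certificate that was distributed.
verify_installed() {
  exported=$(keytool -printcert -file "$2" | fingerprint)
  installed=$(keytool -list -v -alias "$1" -keystore "$3" -storepass "$STOREPASS" | fingerprint)
  [ -n "$exported" ] && [ "$exported" = "$installed" ]
}

# derby_ssl_setup <directory>: the whole exchange from the Examples section, run in
# a subshell so the cd stays local; prints the store properties each JVM needs
# (add -Djavax.net.ssl.keyStorePassword / trustStorePassword to match).
derby_ssl_setup() (
  cd "$1"
  make_identity myDerbyServer serverKeyStore.key myServer.cert derby-server
  make_identity aDerbyClient  clientKeyStore.key aClient.cert  derby-client
  install_cert aDerbyClient  aClient.cert  serverTrustStore.key
  install_cert myDerbyServer myServer.cert clientTrustStore.key
  verify_installed aDerbyClient  aClient.cert  serverTrustStore.key
  verify_installed myDerbyServer myServer.cert clientTrustStore.key
  echo "server: -Djavax.net.ssl.keyStore=$1/serverKeyStore.key -Djavax.net.ssl.trustStore=$1/serverTrustStore.key"
  echo "client: -Djavax.net.ssl.keyStore=$1/clientKeyStore.key -Djavax.net.ssl.trustStore=$1/clientTrustStore.key"
)
```

Run it as `derby_ssl_setup /path/to/empty/dir`; a fingerprint mismatch makes the script stop with a non-zero status before the properties are printed.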