The key pair is located in a file which is called a key store, and the JDK's SSL provider needs the system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword to access the key store.
The certificates of trusted parties are installed in a file called a trust store. The JDK's SSL provider needs the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to access the trust store.
Key pair generation
Key pairs are generated with keytool -genkey. The simplest way to generate a key pair is to do the following:
keytool -genkey -alias alias -keystore keystore
keytool will prompt for needed information, such as identity details and passwords.
Consult the JDK documentation for more information on keytool.
Certificate generation
Certificates are generated with keytool -export as follows:
keytool -export -alias alias -keystore keystore -rfc \
-file certificate-file
The certificate file may then be distributed to the relevant parties.
Certificate installation
Installation of a certificate in a trust store is done with keytool -import as follows:
keytool -import -alias alias -file certificate-file -keystore truststore
Examples
Generate the server key pair:
keytool -genkey -alias myDerbyServer -keystore serverKeyStore.key
Generate a server certificate:
keytool -export -alias myDerbyServer -keystore serverKeyStore.key -rfc \
-file myServer.cert
Generate a client key pair:
keytool -genkey -alias aDerbyClient -keystore clientKeyStore.key
Generate a client certificate:
keytool -export -alias aDerbyClient -keystore clientKeyStore.key -rfc \
-file aClient.cert
Install a client certificate in the server's trust store:
keytool -import -alias aDerbyClient -file aClient.cert \
-keystore serverTrustStore.key
Install the server certificate in a client's trust store:
keytool -import -alias myDerbyServer -file myServer.cert \
-keystore clientTrustStore.key
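The six commands above, run end to end as an added example that is not part of the Derby documentation. The script below is a POSIX shell script that performs the same key pair generation, certificate export and trust store installation without keytool's interactive prompts, then checks that each trust store really holds the peer's certificate (by comparing fingerprints) and prints the javax.net.ssl.* system properties each side would pass to its JVM. It assumes the JDK's keytool is on PATH; the directory $WORKDIR, the distinguished names, the -keyalg/-validity choices and the password "changeit" are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Derby documentation: runs the keytool procedure
# above end to end without interactive prompts, verifies the result, and prints
# the javax.net.ssl.* flags each side would pass to its JVM.
# Assumptions: keytool is on PATH; $WORKDIR, the distinguished names and the
# password "changeit" are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STOREPASS="changeit"   # constructed; in practice keep passwords out of argv and history

# gen_keypair STORE ALIAS CN: keytool -genkey, with -dname/-storepass in place of prompts.
gen_keypair() {
  keytool -genkey -alias "$2" -keystore "$WORKDIR/$1" -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=$3, O=Example" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# export_cert STORE ALIAS CERTFILE: keytool -export in PEM form (-rfc).
export_cert() {
  keytool -export -alias "$2" -keystore "$WORKDIR/$1" -rfc -file "$WORKDIR/$3" \
    -storepass "$STOREPASS"
}

# import_cert TRUSTSTORE ALIAS CERTFILE: keytool -import; -noprompt skips the
# "Trust this certificate?" question, so only import files obtained from the peer.
import_cert() {
  keytool -import -alias "$2" -file "$WORKDIR/$3" -keystore "$WORKDIR/$1" \
    -storepass "$STOREPASS" -noprompt
}

# fingerprint STORE ALIAS: the certificate fingerprint keytool -list reports for an entry.
fingerprint() {
  keytool -list -keystore "$WORKDIR/$1" -storepass "$STOREPASS" -alias "$2" |
    sed -n 's/.*fingerprint ([A-Z0-9-]*): //p'
}

# setup_tls_stores: the six commands from the Examples section, in order.
setup_tls_stores() {
  gen_keypair serverKeyStore.key myDerbyServer localhost
  export_cert serverKeyStore.key myDerbyServer myServer.cert
  gen_keypair clientKeyStore.key aDerbyClient derby-client
  export_cert clientKeyStore.key aDerbyClient aClient.cert
  import_cert serverTrustStore.key aDerbyClient aClient.cert
  import_cert clientTrustStore.key myDerbyServer myServer.cert
}

# verify_stores: each key store holds its own private key, each trust store holds
# the peer's certificate as a trusted entry, and that certificate is the one the
# peer actually exported (fingerprints match). Non-zero status on any mismatch.
verify_stores() {
  keytool -list -keystore "$WORKDIR/serverKeyStore.key" -storepass "$STOREPASS" \
    -alias myDerbyServer | grep -q PrivateKeyEntry &&
  keytool -list -keystore "$WORKDIR/serverTrustStore.key" -storepass "$STOREPASS" \
    -alias aDerbyClient | grep -q trustedCertEntry &&
  keytool -list -keystore "$WORKDIR/clientTrustStore.key" -storepass "$STOREPASS" \
    -alias myDerbyServer | grep -q trustedCertEntry &&
  [ -n "$(fingerprint serverKeyStore.key myDerbyServer)" ] &&
  [ "$(fingerprint serverKeyStore.key myDerbyServer)" = \
    "$(fingerprint clientTrustStore.key myDerbyServer)" ] &&
  [ "$(fingerprint clientKeyStore.key aDerbyClient)" = \
    "$(fingerprint serverTrustStore.key aDerbyClient)" ]
}

# jvm_tls_flags server|client: the four system properties named at the top of the
# page, pointing at that side's own key store and its own trust store.
jvm_tls_flags() {
  ks="-Djavax.net.ssl.keyStore=$WORKDIR/${1}KeyStore.key"
  ksp="-Djavax.net.ssl.keyStorePassword=$STOREPASS"
  ts="-Djavax.net.ssl.trustStore=$WORKDIR/${1}TrustStore.key"
  tsp="-Djavax.net.ssl.trustStorePassword=$STOREPASS"
  printf '%s\n' "$ks $ksp $ts $tsp"
}

if command -v keytool >/dev/null 2>&1; then
  setup_tls_stores
  verify_stores
  echo "server JVM flags: $(jvm_tls_flags server)"
  echo "client JVM flags: $(jvm_tls_flags client)"
else
  echo "keytool not on PATH; only jvm_tls_flags is usable" >&2
fi
```

Two points the script makes explicit that the interactive commands hide: the fingerprint comparison confirms that what landed in each trust store is exactly the certificate the peer exported, and -noprompt means the operator is no longer asked to confirm the certificate, so the certificate file must come from the peer over a channel you trust. Passing -storepass on the command line is convenient for a script but exposes the password to other local users through the process list and shell history; for real deployments prefer keytool's prompts or a file with restricted permissions.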