Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

How to Create a KeyStore in PKCS12 Format

DZone's Guide to

How to Create a KeyStore in PKCS12 Format

In this article, we continue our series on SSL certificates, by introducing the PKCS12 Format and how to use it to create a KeyStore in OpenSSL.

· Security Zone
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

In my last post, I explained how to create a self-signed SSL certificate. You can go to the previous article and generate the certificate and private key as we'll be needing it for creating a KeyStore.

In this article, I'll be explaining how one can create a KeyStore in PKCS12 Format using OpenSSL.

Let's start with "What is PKCS12 Format ?"

A PKCS12(Public-Key Cryptography Standards) defines an archive-file format for storing server certificates, intermediate certificate if any, and private key into a single encryptable file.

Now, let's see how we can create a KeyStore.

For generating a KeyStore, one should already have an existing private key and certificate (self-signed or signed by CA). The following are the steps required for creating a KeyStore:

->Step 1: Create private key and certificate.

After Step 1, you'll  have a key (server.key), a CSR (server.csr), and a certificate (server.crt). We'll be using server.key and server.crt files in our next step.

->Step 2: Create a .pem file. Run the following commands from your terminal:

  • cat server.key > server.pem 
  • cat server.crt >> server.pem 

"A .pem (Privacy Enhanced Mail) file is a container format that may just include the public certificate or the entire certificate chain (private key, public key, root certificates)."

The existing key and the certificate would be there in your server.pem file. The Structure of .pem file looks like this:

-----BEGIN RSA PRIVATE KEY-----
(Private Key: domain_name.key contents)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: domain_name.crt contents)
-----END CERTIFICATE-----

-> Step 3: Create .pkcs12 file.

  • openssl pkcs12 -export -in server.pem -out keystore.pkcs12 

This command will generate the KeyStore with the name keystore.pkcs12. You can use the KeyStore for configuring your server.

So this is how we can generate a KeyStore in PKCS12.

Enjoy :)

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

Topics:
ssl/tls ,security ,certificate

Published at DZone with permission of Rishabh Verma, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}