- PKCS12 is the industry-standard keystore format; Java also has its own proprietary format, JKS. We will stick with PKCS12 for our keystore.
- For managing the generation of certs and the system-wide trust store, mkcert is an incredibly useful tool:
brew install mkcert
Keystore generation command:
keytool -genkeypair -alias localdev -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650 -storepass password
- genkeypair: generates a key pair (private key plus self-signed certificate);
- alias: the alias name for the entry we are generating;
- keyalg: the cryptographic algorithm for the key pair;
- keysize: the size of the key. We have used 2048 bits (use 4096 for production);
- storetype: the type of keystore;
- keystore: the file name of the keystore;
- validity: the validity period in days, here 3650 (10 years);
- storepass: the password for the keystore.
- keytool will ask a series of basic questions to fill in the cert info. As this is for local development we are not concerned, so press Enter to skip each one.
- After submitting the cert data, you will be prompted for a key password. This is different from your keystore password, but for ease of local development use the same one as above.
- After entering the key password, you will have a keystore containing a new cert (see the import cert step below).
mkcert:
mkcert localhost 127.0.0.1
Output:
Note: the local CA is not installed in the system trust store.
Note: the local CA is not installed in the Firefox trust store.
Note: the local CA is not installed in the Java trust store.
Run "mkcert -install" for certificates to be trusted automatically ⚠️
Created a new certificate valid for the following names 📜
- "localhost"
- "127.0.0.1"
The certificate is at "./localhost+1.pem" and the key at "./localhost+1-key.pem" ✅
It will expire on 20 May 2023 🗓
Install the local CA into the trust store so the cert is valid and recognised:
mkcert -install
Enter your password when prompted, and the output should look as follows:
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox trust store (requires browser restart)! 🦊
The local CA is now installed in Java's trust store! ☕️
Convert the resulting .pem and -key.pem files to a .p12 file using OpenSSL. When prompted for an export password, enter "password" for simplicity's sake in development:
openssl pkcs12 -export -in localhost+1.pem -inkey localhost+1-key.pem -out keystore.p12 -name localdev
This will output keystore.p12, which needs to be placed in src/main/resources.
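The mkcert-to-PKCS12 flow above, as an added example (not part of the original notes and not mkcert's or OpenSSL's own code): a throwaway self-signed cert for localhost and 127.0.0.1 stands in for the mkcert-issued localhost+1.pem pair, it is bundled into keystore.p12 under the alias localdev, and the result is checked by reopening the store and confirming the alias and the password. It assumes openssl is on the PATH; the WORKDIR, STOREPASS and ALIAS variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example: build and verify a PKCS12 keystore for local development.
# Assumes openssl (1.1.1 or newer, for -addext) is on the PATH.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # scratch directory for the files
STOREPASS="${STOREPASS:-password}"      # dev-only password, as in the notes
ALIAS="${ALIAS:-localdev}"              # friendly name of the keystore entry

# make_dev_cert: write a private key and a self-signed cert covering
# localhost and 127.0.0.1. This is a constructed stand-in for the files
# produced by `mkcert localhost 127.0.0.1`; it is NOT signed by the mkcert CA.
make_dev_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
    -keyout "$WORKDIR/localhost+1-key.pem" \
    -out "$WORKDIR/localhost+1.pem" >/dev/null 2>&1
}

# make_keystore: bundle the cert and its private key into keystore.p12,
# the same step as the `openssl pkcs12 -export` command in the notes, with
# the export password supplied non-interactively.
make_keystore() {
  openssl pkcs12 -export \
    -in "$WORKDIR/localhost+1.pem" -inkey "$WORKDIR/localhost+1-key.pem" \
    -name "$ALIAS" -out "$WORKDIR/keystore.p12" \
    -passout "pass:$STOREPASS"
}

# keystore_alias: reopen the store and print the friendly name of the
# certificate entry (what keytool -list would show as the alias).
keystore_alias() {
  openssl pkcs12 -in "$WORKDIR/keystore.p12" -info -nokeys \
    -passin "pass:$STOREPASS" 2>/dev/null \
    | sed -n 's/.*friendlyName: //p' | head -n 1
}

# keystore_opens_with: succeed only if the given password verifies the
# store's MAC, i.e. the password Spring Boot will be configured with works.
keystore_opens_with() {
  openssl pkcs12 -in "$WORKDIR/keystore.p12" -noout \
    -passin "pass:$1" >/dev/null 2>&1
}

# Run the whole flow when executed directly.
make_dev_cert
make_keystore
echo "keystore: $WORKDIR/keystore.p12 (alias: $(keystore_alias))"
```

With a real mkcert pair, point WORKDIR at the directory holding localhost+1.pem and localhost+1-key.pem and skip make_dev_cert. Once the store is built, `keytool -list -v -keystore keystore.p12 -storetype PKCS12 -storepass password` shows the same alias from the Java side, which is the quickest check that the file Spring Boot will load is the one you intended.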
If we already had a certificate for other use, e.g. one issued by the Let's Encrypt authority, we would import it into the keystore instead. Note that importing a .crt on its own adds only a trusted certificate entry; to serve TLS the keystore also needs the matching private key, bundled as in the openssl pkcs12 -export step above.
keytool -import -alias tomcat -file myCertificate.crt -keystore keystore.p12 -storepass password