How To Create And Manage Certificates in JKS on Windows, Linux, and MacOS
Java applications that use SSL/TLS, provide code signing, document signing, or some kind of service often require X.509 certificates to be provisioned and provided in a Java Key Store (JKS) file. Usually the Java application is providing service over HTTPS. This post describes how you can create certificates in JKS from Microsoft ADCS or GlobalSign Certificate Authorities using the fully automated CertAccord Enterprise solution that not only quickly provisions the initial certificate but also automatically renews and updates the certificate prior to expiration.
Microsoft Windows systems have built-in support for creating X.509 certificates, often referred to as “auto-enrollment”. This feature creates certificates and places them in the Windows certificate store. Unfortunately there is no auto-enrollment support for JKS or PKCS#12. Other platforms such as Linux and MacOS also lack any kind of auto-enrollment support for JKS (or other certificate formats).
What Is Java Key Store?
Java Key Store (JKS) is a file format for storing an X.509 digital certificate and other related information in a single file. JKS is often used by Java applications though there is nothing Java specific about the format. JKS files typically end with .jks or .keystore file extensions, though this is a convention not a requirement.
A JKS file typically contains the following:
- X.509 digital certificate identifying the server/service subject. This is typically the hostname that the Java application is run on.
- The private key of the certificate required to “unlock” and use it.
- The CA trust which issued the certificate. This is typically the certificate of the root CA in the CA trust chain which issued the certificate.
The JKS format is deprecated by the PKCS#12 standard which extends and generalizes the JKS format. Typically PKCS#12 files end with .pfx or .p12. The rest of this post focuses on JKS. Note that the processes are the same for PKCS#12.
Create Fully Managed JKS With CertAccord Enterprise
Creating a JKS from Microsoft ADCS or GlobalSign using CertAccord Enterprise is fast, easy, and secure. The creation of the initial JKS is done with a simple single command line. Even better the resulting JKS file is managed by CertAccord Enterprise and will be updated with a new certificate prior to expiration.
The following process is the same on Windows, Linux, and MacOS. Only the file paths are different.
STEP 1 – Install and Register CertAccord Agent
Follow the CertAccord Enterprise Installation Guide to install and register the Agent on the device you want to create the JKS on. This is done typically by installing the Agent manually or using a distribution system like Chef, Puppet, or ADCS Group Policy.
STEP 2 – Create JKS
Open a bash/powershell/cmd command prompt and run:
cmb cert create usages=serverauthentication certstoragefmt=jks
The command output will look something like this:
PS C:\Users\smith> cmb cert create usages=serverauthentication certstoragefmt=jks Authenticate using CertAccord/Active Directory Username: smith Password: Created certificate ID: sj537587 SUBJECT: "test00.contoso.com" \ SERIAL: 60b84a867 USAGES: ServerAuthentication \ EXPIRES: May 04 2021 10:08:33 PDT Adding certificate + private key [ID: SQk53jEK [RSA 2048]] to \ C:\ProgramData\...\cert\test00.contoso.com-serverauthentication.jks Exported [ADDED] FILE: \ C:\ProgramData\...\cert\test00.contoso.com-serverauthentication.jks ENTRY: [ADDED] PRIVATEKEY "Private Key SQk53jEK" RSA 2048 ENTRY: [ADDED] "Certificate sj537587" SUBJECT: "test00.contoso.com" \ USAGES: ServerAuthentication ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Issuing CA2" SUBJECT: \ "CN=Contoso Issuing CA2, DC=contoso, DC=com" ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Root CA" SUBJECT: "CN=Contoso Root CA" Exported JKS Config File [NoChange] FILE: \ C:\ProgramData\...\test00.contoso.com-serverauthentication.jks.properties
This command creates a certificate, private key, and CA trust and places all of that in this JKS file:
C:\ProgramData\...\test00.contoso.com-serverauthentication.jks
STEP 3 – Configure Application
Configure your Java application to use the JKS file created in the previous step.
How to Handle Expiring Certificates in JKS
The JKS created by CertAccord Enterprise will automatically renew the certificate and update the JKS file itself prior to the certificate expiring. The CertAccord Agent uses settings from the central CertAccord Enterprise server to determine when to perform the renewal and who to notify once the renewal is complete.
You can also automatically notify your Java application to re-read the JKS file once its renewed by creating a CertAccord Certificate Applier. A Certificate Applier is a customer supplied executable (typically a script) which is given data on the command line about the certificate that has been created/renewed. The script can then perform application specific actions such as re-reading the JKS with the renewed certificate.
Summary
Creating certificates in JKS from Microsoft ADCS or GlobalSign Certificate Authorities can be done with speed, ease, and security using CertAccord Enterprise. The JKS creation is not only easy but the resulting JKS file is fully managed and will be renewed prior to expiration.
Next Steps
See our other posts on topics such as creating certificates in other formats including PEM/DER