
Chapter 4 Section 4.2
Operating SSL KeyStores and TrustStores
HTTPS eWay Adapter User’s Guide 32 Sun Microsystems, Inc.
For the following example, openssl is used to generate the PKCS12 KeyStore.
The existing key is in the file mykey.pem.txt in PEM format. The certificate is in
mycertificate.pem.txt, which is also in PEM format. A text file must be created which
contains the key followed by the certificate as follows:
cat mykey.pem.txt mycertificate.pem.txt > mykeycertificate.pem.txt
The KeyStore is then generated from that file with the following command:
openssl pkcs12 -export -in mykeycertificate.pem.txt -out mykeystore.pkcs12 -name myAlias -noiter -nomaciter
This command prompts the user for a password. The password is required: the
KeyStore fails to work with JSSE without a password. The same password must also be
supplied as the eWay's KeyStore password (see Table 8 on page 50).
The openssl pkcs12 command generates a PKCS12 KeyStore containing the private key
and certificate. The generated KeyStore is mykeystore.pkcs12, with a single entry under
the alias myAlias. This entry contains the private key and the certificate read from the
file given by the -in argument. The -noiter and -nomaciter options must be specified so
that the generated KeyStore is recognized properly by JSSE.
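The KeyStore procedure above, as an added shell example that is not part of the guide: it generates throwaway self-signed PEM material (an assumed stand-in for the real key and certificate), concatenates it, exports the PKCS12 store with the same -noiter -nomaciter options, refuses an empty password, and checks that the store opens with the password and contains the myAlias entry. The working directory, file names and password are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: runs this section's KeyStore procedure
# end to end on throwaway self-signed material generated here, so it works
# offline. Directory, file names and the password are constructed values.
set -eu

WORK="${TMPDIR:-/tmp}/eway-keystore-demo"

# Stand-in for "the existing key" and "the certificate" in PEM format.
# In practice these are the files issued for the eWay, not self-signed.
make_test_pem() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=eway-demo" \
    -keyout "$WORK/mykey.pem.txt" -out "$WORK/mycertificate.pem.txt" 2>/dev/null
}

# The guide's two commands: key followed by certificate in one file, then
# openssl pkcs12 -export with -noiter -nomaciter so JSSE accepts the store.
# The password is mandatory (JSSE will not open a password-less store), so an
# empty argument is rejected before anything is written.
build_keystore() {
  pass="$1"
  if [ -z "$pass" ]; then
    echo "KeyStore password must not be empty" >&2
    return 1
  fi
  cat "$WORK/mykey.pem.txt" "$WORK/mycertificate.pem.txt" \
    > "$WORK/mykeycertificate.pem.txt"
  openssl pkcs12 -export -in "$WORK/mykeycertificate.pem.txt" \
    -out "$WORK/mykeystore.pkcs12" -name myAlias -noiter -nomaciter \
    -passout "pass:$pass"
}

# Check before handing the store to the eWay: it opens with the password that
# will be configured as the KeyStore password, and the myAlias entry exists.
verify_keystore() {
  openssl pkcs12 -in "$WORK/mykeystore.pkcs12" -info -nokeys \
    -passin "pass:$1" 2>/dev/null | grep -q "friendlyName: myAlias"
}

# Stand-alone run: build the store, prove it opens, and prove that a wrong
# password and an empty password are both refused.
make_test_pem
build_keystore "demo-keystore-pass"
verify_keystore "demo-keystore-pass" && echo "KeyStore OK"
verify_keystore "wrong" || echo "wrong password refused"
build_keystore "" || echo "empty password refused"
```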
4.2.3 TrustStores
Creating a TrustStore
For demonstration purposes, suppose you have the following CAs that you trust:
firstCA.cert, secondCA.cert, thirdCA.cert, located in the directory C:\cascerts. You can
create a new TrustStore consisting of these three trusted certificates.
To create a new TrustStore
Use the following command:
keytool -import -file C:\cascerts\firstCA.cert -alias firstCA -keystore myTrustStore
You must enter this command two more times, but for the second and third entries,
substitute secondCA and thirdCA for firstCA. Each of these command entries has the
following purposes:
1 The first entry creates a KeyStore file named myTrustStore in the current working
directory and imports the firstCA certificate into the TrustStore with an alias of
firstCA. The format of myTrustStore is JKS.
2 For the second entry, substitute secondCA to import the secondCA certificate into
the TrustStore, myTrustStore.
3 For the third entry, substitute thirdCA to import the thirdCA certificate into the
Once completed, myTrustStore is available to be used as the TrustStore for the eWay.
Using an Existing TrustStore
This section explains how to use an existing TrustStore such as the default Logical Host
TrustStore in the location: