Working with certificates in Keystore Explorer

This article describes common tasks in Keystore Explorer, a handy GUI alternative to the Java keytool and OpenSSL command-line tools. All three can generate key pairs and certificates, sign certificates and convert between the various keystore formats. Imagine you need a certificate to secure your website over HTTPS: would you know how to generate it?

Generating Certificate and Certificate Signing Request (CSR)

To secure a communication link such as a website served over HTTPS, the server needs a certificate and the matching private key. The certificate binds the server's public key to its name, so clients can verify they are talking to the right host and set up the encrypted session; the private key proves that the server owns that certificate and must never leave it. For the certificate to be trusted in your organization it has to be signed by a Certification Authority (CA), which means generating a Certificate Signing Request (CSR). This section outlines the steps to create a new key pair, generate a CSR, and import the signed certificate (the CA reply) back into the same key pair entry.

Summary of steps:

  • Create a new Keystore

  • Choose JKS

  • Tools > Generate Key Pair

  • Select RSA algorithm with key size 2048 (the minimum in use today; 3072 or 4096 if the certificate is meant to live for years)

  • Fill in CN (the host name clients connect to)

  • Add extensions
    Basic Constraints - leave "Subject is a CA" unchecked (this is an end-entity certificate, not a CA)
    Key Usage - Digital Signature
    Key Usage - Key Encipherment
    Key Usage - Non Repudiation
    Extended Key Usage - TLS Web Server Authentication
    Subject Key Identifier - 160-bit Hash
    Subject Alternative Name - DNS Name (every host name clients will use; browsers match the name against the SAN, not the CN)
    Subject Alternative Name - IP Address (only if clients connect by IP address)

  • Save the keystore

  • Right-click key pair entry> Generate CSR

The CSR has to be signed by the CA. Signing produces a new file, the CA reply, which contains the signed certificate and needs to be imported back into the key pair entry that generated the CSR.

Summary of steps:

  • Right-click key pair entry > Import CA Reply > From file

Notes:

  • The error "The public key of the CA Reply does not match the public key of the key pair entry." means a mismatch between the Key Pair, the CSR and the signed file. It typically occurs when the CA reply is imported into a different Key Pair than the one used to generate the CSR (for example after regenerating the key pair while waiting for the CA). The modulus of the RSA public key in the Key Pair, the CSR and the CA reply has to be the same.

  • The OpenSSL command that displays the modulus depends on the file type; "openssl x509" reads certificates only:

    • key pair (PKCS#12): openssl.exe pkcs12 -in file.pfx -nocerts -nodes | openssl.exe rsa -noout -modulus

    • CSR: openssl.exe req -in file.csr -noout -modulus

    • certificate: openssl.exe x509 -in file.crt -noout -modulus

  • The command output (Modulus=...) needs to match for:

    • file.pfx - the key pair used to generate the CSR; obtain it via Keystore Explorer by right-click > Export > Export Key Pair > Format PKCS#12. You can leave the passwords empty for this check, but a PKCS#12 with an empty password holds the private key unprotected, so delete the exported file as soon as the comparison is done (or set a password and pass it to OpenSSL with -passin)

    • file.csr - the CSR sent for signing

    • file.crt or file.cer - the CA reply obtained after signing; it must be in PEM format (readable text starting with -----BEGIN CERTIFICATE-----). A binary DER file can be read by adding -inform DER
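The procedure above carried out with the OpenSSL command line instead of the GUI, as an added example that is not part of the original article: it generates the key pair and a CSR requesting the same extension set, implements the modulus check from the Notes for a key file, a CSR, a certificate and a PKCS#12 export, and reproduces the mismatch that triggers the "public key of the CA Reply does not match" error. The host name, IP address, password and file names are made up, and the certificate is self-signed only so that the check has a stand-in for the CA reply to compare against.

```shell
#!/bin/sh
# Added example, not code from the original article. Requires the openssl CLI.
# All names (intranet.example.internal, 10.0.0.5, web.key, changeit, ...) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step "Generate Key Pair": RSA, 2048 bits.
gen_key() {                      # $1 = key file to write
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Step "Generate CSR": the CSR requests the extensions the article adds in the
# GUI. Basic Constraints is present but "Subject is a CA" is unchecked (CA:FALSE).
gen_csr() {                      # $1 = key file, $2 = CSR to write, $3 = host name, $4 = IP
    cat > "$WORK/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[ dn ]
CN = $3
[ ext ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash
subjectAltName       = DNS:$3, IP:$4
EOF
    openssl req -new -sha256 -key "$1" -config "$WORK/csr.cnf" -out "$2"
}

# Modulus of the RSA public key held in a key, CSR, certificate or PKCS#12 file.
# "openssl x509 -modulus" only understands certificates, so each container type
# gets its own subcommand. $3 is the PKCS#12 password (empty when omitted).
modulus_of() {                   # $1 = file, $2 = key|csr|crt|pfx, [$3 = pfx password]
    case "$2" in
        key) openssl rsa  -in "$1" -noout -modulus ;;
        csr) openssl req  -in "$1" -noout -modulus ;;
        crt) openssl x509 -in "$1" -noout -modulus ;;
        pfx) openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:${3:-}" 2>/dev/null \
                 | openssl rsa -noout -modulus ;;
        *)   echo "unknown container kind: $2" >&2; return 2 ;;
    esac
}

# Exit 0 when key pair, CSR and CA reply carry the same public key (the reply
# will import), 1 otherwise (Keystore Explorer reports the mismatch error).
keys_match() {                   # $1 = key file, $2 = CSR, $3 = certificate
    k="$(modulus_of "$1" key)"
    c="$(modulus_of "$2" csr)"
    x="$(modulus_of "$3" crt)"
    [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

# --- walk through the procedure ---------------------------------------------
gen_key "$WORK/web.key"
gen_csr "$WORK/web.key" "$WORK/web.csr" intranet.example.internal 10.0.0.5

# Stand-in for the CA reply: the CSR signed with its own key (self-signed), so
# the certificate carries the public key from the CSR.
openssl x509 -req -in "$WORK/web.csr" -signkey "$WORK/web.key" -days 365 \
    -sha256 -out "$WORK/web.crt" 2>/dev/null

# The key pair as Keystore Explorer would export it (Export Key Pair > PKCS#12),
# here with a password rather than an empty one.
openssl pkcs12 -export -inkey "$WORK/web.key" -in "$WORK/web.crt" \
    -passout pass:changeit -out "$WORK/web.pfx"

# A reply issued for a different key pair: the mismatch case from the Notes.
gen_key "$WORK/other.key"
gen_csr "$WORK/other.key" "$WORK/other.csr" intranet.example.internal 10.0.0.5
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 365 \
    -sha256 -out "$WORK/other.crt" 2>/dev/null

if keys_match "$WORK/web.key" "$WORK/web.csr" "$WORK/web.crt"; then
    echo "web.crt matches web.key and web.csr: the CA reply can be imported"
fi
if ! keys_match "$WORK/web.key" "$WORK/web.csr" "$WORK/other.crt"; then
    echo "other.crt was issued for another key pair: the import would fail"
fi
```

The modulus comparison only works for RSA keys; for EC key pairs compare the whole public key instead (`openssl pkey -pubout`, `openssl req -pubkey -noout` and `openssl x509 -pubkey -noout` print it in the same PEM form for all three containers).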

Generating Certification Authority (CA)

A Certification Authority (CA) is a trusted entity that issues digital certificates to individuals, organizations or servers. The Root CA sits at the top of the hierarchy and holds a self-signed certificate; Intermediate CAs are certified by the Root CA and issue the everyday certificates, forming a chain of trust. Endpoint certificates issued by the CAs carry the entity's public key and identity, and a client validates a TLS connection by following the chain from the endpoint certificate up to a root it trusts. By establishing your own CA in your organization you can create and sign certificates for intranet websites yourself: once the CA certificate has been distributed to the workstations (for example through Group Policy), they trust every certificate it issues, which also makes replacing an expired certificate painless. This section describes how to create a CA.

Summary of steps:

  • Create a new Keystore

  • Choose JKS

  • Tools > Generate Key Pair

  • Select RSA algorithm with key size 2048

  • Fill in CN

  • Add extensions
    Basic Constraints - Subject is a CA (for an intermediate CA that should only issue end-entity certificates, also set Path Length to 0)
    Key Usage - Certificate Signing
    Key Usage - CRL Sign

  • Save the keystore
    The first password protects the newly created key pair entry (alias)
    The second password protects the whole keystore (one keystore can contain multiple entries)
    The CA private key is the trust anchor for everything it signs, so keep this keystore off the servers it issues certificates for and restrict who can open it

  • Export the CA certificate (the certificate only, never the key pair) in a suitable format and make it trusted on workstations

Signing Certificate Signing Request (CSR) by Certification Authority (CA)

This section describes how to sign a CSR with the CA.

Summary of steps:

  • Right-click CA key pair entry > Sign > Sign CSR

  • Set the expected Validity Period (keep it short for endpoint certificates; publicly trusted TLS certificates are limited to 398 days, and a private CA has no reason to be more generous)

  • Click Transfer Extensions so that the extensions requested in the CSR (Key Usage, Extended Key Usage, Subject Alternative Name) are copied into the certificate; without this step the certificate is issued without them, and browsers reject a server certificate that has no Subject Alternative Name

  • Export "Entire chain" so that the CA reply carries the issuing CA certificate(s) along with the new certificate and the server can present the full chain

Hints:

  • A new certificate can be created directly from the CA, bypassing the CSR step

    • right-click the CA entry > Sign > Sign New Key Pair (the private key is then generated on the CA side and has to be transported to the server, which the CSR flow avoids)

  • Typically the endpoint certificate is signed by an Intermediate CA, not by the Root CA, so the root key can stay offline

    • you can build the whole chain of trust using Edit Certificate Chain > Append Certificate
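The CA and CSR-signing sections above performed with OpenSSL, as an added example that is not code from the article or from Keystore Explorer: a Root CA with the CA extension set, an Intermediate CA signed by it with a path length of 0, an endpoint CSR signed by the intermediate with the requested extensions transferred, a verification of the resulting chain, and an export of the entire chain as PKCS#12. The CA names, host name, password and file names are made up.

```shell
#!/bin/sh
# Added example, not code from the original article or from Keystore Explorer.
# Requires the openssl CLI. All names (Example Root CA, Example Issuing CA,
# intranet.example.internal, changeit, file names) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST=intranet.example.internal

# One config file with the extension sets from the article: ca_ext for the root
# ("Subject is a CA", Certificate Signing + CRL Sign), int_ext for the
# intermediate (same, plus pathlen:0 so it can only issue end-entity
# certificates) and server_ext for the HTTPS endpoint.
cat > "$WORK/ext.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = $HOST
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ int_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash
subjectAltName       = DNS:$HOST
EOF

# "Sign CSR": issue a certificate from a CSR with the given issuer key pair.
# openssl x509 -req ignores the extensions requested in the CSR unless told
# otherwise; -extfile/-extensions restates them, which is what the GUI's
# "Transfer Extensions" button does (OpenSSL 3 also offers -copy_extensions copy).
sign_csr() {   # $1 csr, $2 issuer crt, $3 issuer key, $4 ext section, $5 days, $6 out
    openssl x509 -req -sha256 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions "$4" -days "$5" -out "$6" 2>/dev/null
}

# "Generating CA": a self-signed Root CA with the CA extension set.
make_root() {   # $1 = CN
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$WORK/root.key" -subj "/CN=$1" \
        -config "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/root.crt"
}

# Intermediate CA: own key pair and CSR, signed by the root. The root key is
# used only here and can stay offline afterwards.
make_intermediate() {   # $1 = CN
    openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/int.key" -subj "/CN=$1" \
        -config "$WORK/ext.cnf" -reqexts int_ext -out "$WORK/int.csr"
    sign_csr "$WORK/int.csr" "$WORK/root.crt" "$WORK/root.key" int_ext 1825 "$WORK/int.crt"
}

# Endpoint: CSR requesting the server extensions, issued by the intermediate.
issue_server() {
    openssl genrsa -out "$WORK/web.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/web.key" -subj "/CN=$HOST" \
        -config "$WORK/ext.cnf" -reqexts server_ext -out "$WORK/web.csr"
    sign_csr "$WORK/web.csr" "$WORK/int.crt" "$WORK/int.key" server_ext 398 "$WORK/web.crt"
}

# Chain validation leaf <- intermediate <- root; non-zero if a link is missing,
# expired or lacks CA:TRUE / keyCertSign.
verify_chain() {   # $1 = leaf certificate
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$1" >/dev/null
}

# "Entire chain" export: key pair plus intermediate and root in one PKCS#12.
export_chain_pfx() {   # $1 = pfx out, $2 = password
    cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
    openssl pkcs12 -export -inkey "$WORK/web.key" -in "$WORK/web.crt" \
        -certfile "$WORK/chain.pem" -passout "pass:$2" -out "$1"
}

# Number of certificates in a PKCS#12 (3 when the entire chain was exported).
certs_in_pfx() {   # $1 = pfx, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# True when the certificate's text dump contains the given string.
cert_text_has() {   # $1 = certificate, $2 = string
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

make_root "Example Root CA"
make_intermediate "Example Issuing CA"
issue_server
verify_chain "$WORK/web.crt"
export_chain_pfx "$WORK/web-chain.pfx" changeit
echo "$HOST verifies via Example Issuing CA up to Example Root CA;" \
     "the PKCS#12 holds $(certs_in_pfx "$WORK/web-chain.pfx" changeit) certificates"
```

Only root.crt (never root.key) is what gets distributed to workstations; the PKCS#12 with the entire chain is what the web server receives.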

Converting between Java Keystore (JKS) and PKCS#12 (PFX) container formats

Certificates and key pairs can be stored in different container formats. When working with YSoft SafeQ you often choose between a Java Keystore (JKS) and PKCS#12 depending on what a particular component requires, so knowing how to convert between them is valuable. The extensions .pfx and .p12 both denote PKCS#12, the Personal Information Exchange format; JKS is Java's own legacy format, and since Java 9 PKCS#12 has been the default store type of keytool. This section explains the conversion in both directions.

Conversion from jks to pfx

Conversion from pfx to jks

Command-line conversion options using alternative tools:
Conversions between different keystores and certificate types
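The two conversions above done with the JDK's keytool instead of Keystore Explorer, as an added example that is not the article's own code: a JKS keystore with one key pair is created, converted to PKCS#12 with keytool -importkeystore, converted back, and each result is inspected. The alias, password and file names are made up, and the script skips the conversion when keytool is not on PATH.

```shell
#!/bin/sh
# Added example, not from the original article. Requires keytool from a JDK;
# the alias (intranet), password (changeit) and file names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # made-up; used for both the store and the key entry

# A JKS keystore with one RSA key pair, the equivalent of "Generate Key Pair"
# into a JKS keystore in the GUI. keytool warns that JKS is a proprietary
# legacy format; its output is silenced here.
make_jks() {   # $1 = keystore to create
    keytool -genkeypair -alias intranet -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=intranet.example.internal" -ext "san=dns:intranet.example.internal" \
        -validity 365 -keystore "$1" -storetype JKS \
        -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# "Conversion from jks to pfx". A PKCS#12 cannot protect an entry with a
# password different from the store password, which is why the key pair
# above was created with -keypass equal to -storepass.
jks_to_pfx() {   # $1 = jks in, $2 = pfx out
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype JKS -srcstorepass "$PASS" \
        -destkeystore "$2" -deststoretype PKCS12 -deststorepass "$PASS" >/dev/null 2>&1
}

# "Conversion from pfx to jks": the same command with the store types swapped.
pfx_to_jks() {   # $1 = pfx in, $2 = jks out
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$PASS" >/dev/null 2>&1
}

# Type keytool reports for a keystore ("JKS" or "PKCS12").
store_type() {   # $1 = keystore, $2 = type to open it as
    keytool -list -keystore "$1" -storetype "$2" -storepass "$PASS" 2>/dev/null \
        | sed -n 's/^Keystore type: //p'
}

# Number of key pair and trusted certificate entries in a keystore.
count_entries() {   # $1 = keystore, $2 = type
    keytool -list -keystore "$1" -storetype "$2" -storepass "$PASS" 2>/dev/null \
        | grep -cE 'PrivateKeyEntry|trustedCertEntry'
}

if command -v keytool >/dev/null 2>&1; then
    make_jks "$WORK/store.jks"
    jks_to_pfx "$WORK/store.jks" "$WORK/store.p12"
    pfx_to_jks "$WORK/store.p12" "$WORK/roundtrip.jks"
    echo "store.p12: $(store_type "$WORK/store.p12" PKCS12)," \
         "$(count_entries "$WORK/store.p12" PKCS12) entry"
    echo "roundtrip.jks: $(store_type "$WORK/roundtrip.jks" JKS)," \
         "$(count_entries "$WORK/roundtrip.jks" JKS) entry"
else
    echo "keytool not found on PATH (install a JDK); nothing converted" >&2
fi
```

Both files hold the private key, so they deserve the same handling as the original keystore: a real password, restrictive file permissions and deletion of any intermediate copy once the target component has loaded it.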
