How To Create And Manage Certificates in JKS/PKCS12 on Windows, Linux, and MacOS


Learn How To Automate JKS/PKCS12 on Windows, Linux, Mac from Microsoft PKI

Applications (especially Java applications) that use HTTPS (SSL/TLS) require X.509 certificates, typically provided in a Java Key Store (JKS) or PKCS#12 file. This post describes how you can automatically create certificates in JKS/PKCS12 from Microsoft ADCS or GlobalSign Certificate Authorities using the fully automated CertAccord Enterprise solution, which not only quickly provisions the initial certificate but also automatically renews and updates the certificate prior to expiration.

Microsoft Windows systems have built-in support for creating X.509 certificates, often referred to as “auto-enrollment”. This feature creates certificates and places them in the Windows certificate store. Unfortunately there is no auto-enrollment support for JKS or PKCS#12, so certificates must be manually exported from the Windows certificate store into JKS/PKCS12. Other platforms such as Linux and MacOS also lack any kind of auto-enrollment support for JKS/PKCS12 and other certificate formats.

What Is PKCS #12?

PKCS #12 (PKCS12) is a file format for storing X.509 digital certificates, private keys, certificate authority certificates, and other related data, all in a single file. PKCS12 is often used in modern applications, both Java and non-Java, to provide the certificate, private keys, and CA trust required to communicate via SSL/TLS over HTTP (HTTPS).

PKCS12 files typically end with .p12 or .pfx, but neither extension is required by any standard.

A typical PKCS12 file contains:

  • X.509 digital certificate identifying the server/service subject.  This is typically the hostname of the server the application is run on
  • The private key of the certificate required to “unlock” and use it
  • The CA trust which issued the certificate.  This is typically the certificate of the root CA in the CA trust chain which issued the certificate.

What Is Java Key Store (JKS)?

Java Key Store (JKS) is a file format for storing an X.509 digital certificate and other related information in a single file. JKS is similar to PKCS12 and in fact was created long before PKCS12. It is typically only used by Java-based applications, though there is nothing Java-specific about the format. JKS is considered deprecated in favour of PKCS12, and best practice is to use PKCS12 whenever possible.

JKS files typically end with .jks or .keystore file extensions, though this is a convention and not a requirement.

A JKS file typically contains the following:

  • X.509 digital certificate identifying the server/service subject.  This is typically the server hostname that the Java application is run on.
  • The private key of the certificate required to “unlock” and use it.
  • The CA trust which issued the certificate.  This is typically the certificate of the root CA in the CA trust chain which issued the certificate.

Create Fully Managed JKS/PKCS12 With CertAccord Enterprise

Creating a JKS/PKCS12 from Microsoft ADCS or GlobalSign using CertAccord Enterprise is fast, easy, and secure.  For the purposes of this discussion we will use JKS, but the process provided is nearly identical for PKCS12.

The creation of the initial JKS is done with a simple single command line.  Even better, the resulting JKS file is managed by CertAccord Enterprise and will be updated with a new certificate prior to expiration.

The following process is the same on Windows, Linux, and MacOS.  Only the file paths are different.

STEP 1 – Install and Register CertAccord Agent

Follow the CertAccord Enterprise Installation Guide to install and register the Agent on the device you want to create the JKS on. This is typically done by installing the Agent manually or using a distribution system like Chef, Puppet, or ADCS Group Policy.

STEP 2 – Create JKS

Open a bash/powershell/cmd command prompt and run:

cmb cert create usages=serverauthentication certstoragefmt=jks

The command output will look something like this:

PS C:\Users\smith> cmb cert create usages=serverauthentication certstoragefmt=jks
Authenticate using CertAccord/Active Directory
Username: smith
Password:
Created certificate ID: sj537587 SUBJECT: "test00.contoso.com" \
   SERIAL: 60b84a867 USAGES: ServerAuthentication \
   EXPIRES: May 04 2021 10:08:33 PDT
Adding certificate + private key [ID: SQk53jEK [RSA 2048]] to \
  C:\ProgramData\...\cert\test00.contoso.com-serverauthentication.jks
Exported [ADDED] FILE: \
  C:\ProgramData\...\cert\test00.contoso.com-serverauthentication.jks
ENTRY: [ADDED] PRIVATEKEY "Private Key SQk53jEK" RSA 2048
ENTRY: [ADDED] "Certificate sj537587" SUBJECT: "test00.contoso.com" \
  USAGES: ServerAuthentication
ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Issuing CA2" SUBJECT: \
  "CN=Contoso Issuing CA2, DC=contoso, DC=com"
ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Root CA" SUBJECT: "CN=Contoso Root CA"
Exported JKS Config File [NoChange] FILE: \
  C:\ProgramData\...\test00.contoso.com-serverauthentication.jks.properties

This command creates a certificate, private key, and CA trust and places all of that in this JKS file:

C:\ProgramData\...\test00.contoso.com-serverauthentication.jks

STEP 3 – Configure Application

Configure your Java application to use the JKS file created in the previous step.

Deploy Certificates in JKS/PKCS12 At Scale

In addition to creating certificates from the command line, you can also configure CertAccord to automatically push certificates in JKS/PKCS12 (or other formats) to any number of end-points using the CertAccord Management Console (CMC). In CMC you can assign Certificate Mandates to Device Groups. Certificate Mandates are a means of requiring an end-point to have a specific certificate configuration. This is similar to the “auto-enrollment” found in Windows-based systems.

This capability allows you to quickly deploy certificates in JKS/PKCS12 and other formats to thousands of end-points.  Even better, the certificates in the JKS/PKCS12 files will be automatically updated prior to expiring.

How to Handle Expiring Certificates in JKS/PKCS12

The JKS/PKCS12 created by CertAccord Enterprise will automatically be renewed and the JKS/PKCS12 file updated with the new certificate and keys prior to the certificate expiring. The CertAccord Agent uses settings from the central CertAccord Enterprise server to determine when to perform the renewal and whom to notify once the renewal is complete.

You can also automatically notify your application to re-read the JKS/PKCS12 file once it is renewed by creating a CertAccord Certificate Applier. A Certificate Applier is a customer-supplied executable (typically a script) which is given data on the command line about the certificate that has been created or renewed. The script can then perform application-specific actions such as re-reading the JKS/PKCS12 with the renewed certificate.
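Step 3 above and the re-read after renewal can also be handled inside the Java application itself. The following is an added example, not CertAccord's code: a key manager that loads the managed JKS/PKCS12 file and reloads it whenever the file's modification time changes, so a renewed certificate is served on the next TLS handshake without a restart. The file path, where the keystore password comes from, and the assumption that the private key entry uses the store password are mine, not from the post.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;

/** Key manager that re-reads the managed keystore whenever its file is rewritten. */
public class ReloadingKeyManager extends X509ExtendedKeyManager {
    private final Path file;       // e.g. .../test00.contoso.com-serverauthentication.jks
    private final char[] password; // keystore password; assumed to come from the app's own config
    private volatile X509ExtendedKeyManager delegate;
    private volatile long loadedMtime;

    public ReloadingKeyManager(Path file, char[] password) throws Exception {
        this.file = file;
        this.password = password;
        reload();
    }

    private synchronized void reload() throws Exception {
        // Choose the store type from the extension: .jks -> JKS, anything else (.p12/.pfx) -> PKCS12
        KeyStore ks = KeyStore.getInstance(file.toString().toLowerCase().endsWith(".jks") ? "JKS" : "PKCS12");
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // unlocks the PRIVATEKEY entry with the store password (assumption)
        delegate = (X509ExtendedKeyManager) kmf.getKeyManagers()[0];
        loadedMtime = Files.getLastModifiedTime(file).toMillis();
    }

    /** Returns the current delegate, reloading first if the file's mtime changed since the last load. */
    private X509ExtendedKeyManager current() {
        try {
            if (Files.getLastModifiedTime(file).toMillis() != loadedMtime) reload();
        } catch (Exception e) {
            // A half-written or unreadable file must not take the service down: keep the last good keystore
        }
        return delegate;
    }

    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return current().chooseServerAlias(kt, is, s); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] is, SSLEngine e) { return current().chooseEngineServerAlias(kt, is, e); }
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return current().chooseClientAlias(kt, is, s); }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return current().chooseEngineClientAlias(kt, is, e); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return current().getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return current().getPrivateKey(alias); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return current().getServerAliases(kt, is); }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return current().getClientAliases(kt, is); }
}
```

Pass `new KeyManager[]{ new ReloadingKeyManager(path, password) }` to `SSLContext.init`; the key manager is consulted on every handshake, so existing connections are unaffected and new ones pick up the renewed certificate. A Certificate Applier can still be used alongside this, for example to touch the file or validate the new keystore before the application sees it.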

Summary

Creating certificates in JKS/PKCS12 from Microsoft ADCS or GlobalSign Certificate Authorities can be done quickly, easily, and securely using CertAccord Enterprise. The JKS/PKCS12 creation is not only easy, but the resulting file is fully managed and will be renewed prior to expiration.


Next Steps

See our other posts on topics such as creating certificates in other formats, including PEM/DER.
