Learn How To Automate JKS on Windows, Linux, Mac from Microsoft PKI
Applications (especially Java applications) that use HTTPS (SSL/TLS) require X.509 certificates to be provided typically in a Java Key Store (JKS) or PKCS#12 file. This post describes how you can automatically create certificates in JKS from a Microsoft PKI Certificate Authority or GlobalSign Certificate Authorities using the fully automated CertAccord Enterprise solution that not only quickly provisions the initial certificate but also automatically renews and updates the certificate prior to expiration. CertAccord Enterprise supports JKS and other formats on Windows, Linux, and Mac platforms.
Microsoft Windows systems have built-in support for creating X.509 certificates, often referred to as “auto-enrollment”. This feature creates certificates and places them in the Windows certificate store. Unfortunately there is no auto-enrollment support for JKS. This leads to having to manually export certificates from the Windows system certificate store into JKS. Other platforms such as Linux and MacOS also lack any kind of auto-enrollment support for JKSand other certificate formats. On those platforms you also have to manually submit a Certificate Signing Request (CSR) and other data to a Certificate Authority manually and then manually receive the certificate which typically is in some other format such as DER or PEM.
What Is Java Key Store (JKS)?
Java Key Store (JKS) is a file format for storing an X.509 digital certificate and other related information in a single file. JKS is similar to PKCS12 and in fact was created long before PKCS12. It is typically only used by Java based applications, though there is nothing Java specific about the format. JKS is considered deprecated by PKCS12 and best practice is to use PKCS12 whenever possible.
JKS files typically end with .jks or .keystore file extensions, though this is a convention and not a requirement.
A JKS file typically contains the following:
- X.509 digital certificate identifying the server/service subject. This is typically the server hostname that the Java application is run on.
- The private key of the certificate required to “unlock” and use it.
- The CA trust which issued the certificate. This is typically the certificate of the root CA in the CA trust chain which issued the certificate.
Create Fully Managed JKS With CertAccord Enterprise
Creating a JKS from Microsoft ADCS or GlobalSign using CertAccord Enterprise is fast, easy, and secure. For the purposes of this discussion we will use JKS, but the process provided is nearly identical for PKCS12.
The creation of the initial JKS is done with a simple single command line. Even better, the resulting JKS file is managed by CertAccord Enterprise and will be updated with a new certificate prior to expiration.
The following process is the same on Windows, Linux, and MacOS. Only the file paths are different.
STEP 1 – Install and Register CertAccord Agent
Follow the CertAccord Enterprise Installation Guide to install and register the Agent on the device you want to create the JKS on. This is done typically by installing the Agent manually or using a distribution system like Chef, Puppet, or ADCS Group Policy.
STEP 2 – Create JKS
Open a bash/powershell/cmd command prompt and run:
cmb cert create usages=serverauthentication certstoragefmt=jks
The command output will look something like this:
PS C:\Users\smith> cmb cert create usages=serverauthentication certstoragefmt=jks Authenticate using CertAccord/Active Directory Username: smith Password: Created certificate ID: sj537587 SUBJECT: "test00.contoso.com" \ SERIAL: 60b84a867 USAGES: ServerAuthentication \ EXPIRES: May 04 2021 10:08:33 PDT Adding certificate + private key [ID: SQk53jEK [RSA 2048]] to \ C:\ProgramData\...\cert\test00.contoso.com-serverauthentication.jks Exported [ADDED] FILE: \ C:\ProgramData\...\cert\test00.contoso.com-serverauthentication.jks ENTRY: [ADDED] PRIVATEKEY "Private Key SQk53jEK" RSA 2048 ENTRY: [ADDED] "Certificate sj537587" SUBJECT: "test00.contoso.com" \ USAGES: ServerAuthentication ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Issuing CA2" SUBJECT: \ "CN=Contoso Issuing CA2, DC=contoso, DC=com" ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Root CA" SUBJECT: "CN=Contoso Root CA" Exported JKS Config File [NoChange] FILE: \ C:\ProgramData\...\test00.contoso.com-serverauthentication.jks.properties
This command creates a certificate, private key, and CA trust and places all of that in this JKS file:
C:\ProgramData\...\test00.contoso.com-serverauthentication.jks
STEP 3 – Configure Application
Configure your Java application to use the JKS file created in the previous step.
Deploy Certificates in JKS At Scale
In addition to creating certificates from the command line you can also configure CertAccord to automatically push certificates in JKS (or other formats) to any number of end-points using the CertAccord Management Console (CMC). In CMC you can assign Certificate Mandates to Device Groups. Certificate Mandates are a means of requiring an end-point to have a specific certificate configuration. This is similar to “auto enrollment” found in Windows based systems.
This capability allows you to quickly deploy certificates in JKS and other formats to thousands of end-points. Even better, the certificates in the JKS files will be automatically updated prior to expiring.
How to Handle Expiring Certificates in JKS
The JKS created by CertAccord Enterprise will automatically be renewed and the JKS file updated with the new certificate and keys, prior to the certificate expiring. The CertAccord Agent uses settings from the central CertAccord Enterprise server to determine when to perform the renewal and who to notify once the renewal is complete.
You can also automatically notify your application to re-read the JKS file once its renewed by creating a CertAccord Certificate Applier. A Certificate Applier is a customer supplied executable (typically a script) which is given data on the command line about the certificate that has been created/renewed. The script can then perform application specific actions such as re-reading the JKS with the renewed certificate.
Summary
Creating certificates in JKS from Microsoft ADCS or GlobalSign Certificate Authorities can be done with speed, ease, and securely using CertAccord Enterprise as your PKI certificate management solution. The JKS creation is not only easy but the resulting file is fully managed and will be renewed prior to expiration.