Creating JKS File - Storm Streaming Server
To create a JKS (Java KeyStore) file, we'll need to go through several steps. First of all, the keytool utility is required.
Step 1: Create Keystore
We'll start with preparing a keystore file (named keystore.jks):
keytool -genkey -keystore keystore.jks -alias ssl -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 2048
Once you hit Enter, you'll be asked to provide some basic information such as a password, organization, country, state code, etc.
Step 2: Create Certificate Signing Request (CSR)
The next step is to create a Certificate Signing Request (CSR) from the keystore we just created. The CSR is shared with the Certificate Authority (CA), which signs it and generates the primary/server certificate.
keytool -certreq -alias ssl -keystore keystore.jks -file yourcertfile.csr
To extract the certificate request, we need to provide the correct alias name and the password we set when creating the keystore. Submit the generated CSR to any CA that is supported by the SSL community.
Step 3: Import Signed Certificate
Once the CA has signed the certificate and shared it with us, we need to import the certificate into the keystore for the private key entry we created.
keytool -import -alias ssl -keystore keystore.jks -file yourcertfile.crt
Step 4: Import Intermediate CA Certificate
Finally, we'll have to import the intermediate CA certificate into the existing Java keystore:
keytool -import -trustcacerts -alias root -file cacertificate.cer -keystore keystore.jks
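To confirm that Steps 1 to 4 left the ssl alias as a private key entry carrying the CA-signed chain, the output of keytool -list -v -keystore keystore.jks can be piped through a small check. The script below is an added example, not part of the Storm documentation; the function name check_listing and the sample listings are constructed for illustration, and English keytool output labels are assumed.

```shell
# check_listing ALIAS: reads keytool -list -v output on stdin (English labels
# assumed) and returns 0 only if ALIAS is a PrivateKeyEntry whose leaf
# certificate is CA-issued and whose chain holds at least two certificates.
check_listing() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13); leaf = 0 }
        cur != want                   { next }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { len = $NF + 0 }
        /^Certificate\[1\]:/          { leaf = 1 }
        /^Certificate\[2\]:/          { leaf = 0 }
        leaf && /^Owner: /            { owner = substr($0, 8) }
        leaf && /^Issuer: /           { issuer = substr($0, 9) }
        END {
            if (type == "")                { print "FAIL: alias not found"; exit 1 }
            if (type != "PrivateKeyEntry") { print "FAIL: " type ", no private key"; exit 1 }
            if (owner == issuer)           { print "FAIL: still self-signed, CA reply not imported"; exit 1 }
            if (len < 2)                   { print "FAIL: chain length " len ", intermediate missing"; exit 1 }
            print "OK: chain length " len
        }'
}

# Constructed sample listings (not real certificates), trimmed to the parsed fields.
SIGNED='Alias name: ssl
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=stream.example.com, O=Example, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US'

UNSIGNED='Alias name: ssl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=stream.example.com, O=Example, C=US
Issuer: CN=stream.example.com, O=Example, C=US'

NOKEY='Alias name: ssl
Entry type: trustedCertEntry
Owner: CN=stream.example.com, O=Example, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US'

printf '%s\n' "$SIGNED"   | check_listing ssl
printf '%s\n' "$UNSIGNED" | check_listing ssl || true
printf '%s\n' "$NOKEY"    | check_listing ssl || true
```

Against a real keystore, run keytool -list -v -keystore keystore.jks | check_listing ssl and enter the keystore password when prompted.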
Alternative: Converting from PEM Files
If you already have PEM certificate files, you can convert them to JKS:
# First convert to PKCS12
openssl pkcs12 -export -in certificate.crt -inkey private.key \
    -out certificate.p12 -name storm -CAfile ca.crt -caname root
# Then convert to JKS
keytool -importkeystore -deststorepass password \
    -destkeystore certificate.jks -srckeystore certificate.p12 \
    -srcstoretype PKCS12 -srcstorepass password
Using in Configuration
Once you have your JKS file, configure it in your VHost:
<VHost host="*" isSSL="true" port="443">
    <Protocols>HTTP, WEBSOCKETS</Protocols>
    <SSL>
        <CertPath>/path/to/keystore.jks</CertPath>
        <CertPassword>your_password</CertPassword>
    </SSL>
</VHost>