Creating JKS File - Storm Streaming Server

In order to create JKS (Java KeyStore), we'll need to go through several steps. First of all, the Keytool utility is required.

Step 1: Create Keystore

We'll start with preparing a keystore file (named keystore.jks):

Generate keystore

bash

keytool -genkey -keystore keystore.jks -alias ssl -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 2048

Once you hit enter, you'll be asked to provide some basic information like password, organization, country, state code etc.

Step 2: Create Certificate Signing Request (CSR)

The next step is to create a Certificate Signing Request (CSR) from the created keystore to share with the Certificate Authority (CA) to sign and generate the primary/server certificate.

Generate CSR

bash

keytool -certreq -alias ssl -keystore keystore.jks -file yourcertfile.csr

We need to provide the correct alias name and the password which we mentioned during the creation of the keystore in order to extract the certificate request. Submit the generated CSR to any of the CA, which is supported by the SSL community.

Step 3: Import Signed Certificate

Once the CA signed the certificate and shared it with us, we need to import the certificate to the keystore for the private key entry we created.

Import signed certificate

bash

keytool -import -alias ssl -keystore keystore.jks -file yourcertfile.crt

Step 4: Import Intermediate CA Certificate

At the end we'll have to import Intermediate CA Certificate to an existing Java Keystore:

Import intermediate CA

bash

keytool -import -trustcacerts -alias root -file cacertificate.cer -keystore keystore.jks

Alternative: Converting from PEM Files

If you already have PEM certificate files, you can convert them to JKS:

Convert PEM to JKS

bash

# First convert to PKCS12
openssl pkcs12 -export -in certificate.crt -inkey private.key \
  -out certificate.p12 -name storm -CAfile ca.crt -caname root

# Then convert to JKS
keytool -importkeystore -deststorepass password \
  -destkeystore certificate.jks -srckeystore certificate.p12 \
  -srcstoretype PKCS12 -srcstorepass password

Using in Configuration

Once you have your JKS file, configure it in your VHost:

VHost SSL configuration

xml

<VHost host="*" isSSL="true" port="443">
    <Protocols>HTTP, WEBSOCKETS</Protocols>
    <SSL>
        <CertPath>/path/to/keystore.jks</CertPath>
        <CertPassword>your_password</CertPassword>
    </SSL>
</VHost>

Support Needed?

If you have any questions or need assistance, please create a support ticket and our team will help you.