TLS Certificates and Java

Mark George edited this page on 27 Oct 2020

Self-signed certs, otherwise known as 'anonymous' TLS, are totally deprecated in Java as of Java 8. We can still use one-way TLS (host-only) assuming we have a trusted, CA-signed certificate at the host.

We can use mkcert to generate the signed certificate for the host:

> mkcert localhost
> ls localhost*
localhost-key.pem  localhost.pem

The certificate/key pair needs to be combined into a single PKCS #12 file:

openssl pkcs12 -export -in localhost.pem -inkey localhost-key.pem -name localhost > localhost.p12

Load the PKCS #12 file into the host process via the following Java system properties:

System.setProperty("javax.net.ssl.keyStore", "/path/to/localhost.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "password");

You can also pass this to Java via the command line using:

-Djavax.net.ssl.keyStore=/path/to/localhost.p12 -Djavax.net.ssl.keyStorePassword=password
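Putting the steps above together, here is an added example (not part of the original page) of a one-way TLS server that reads the two system properties, loads the PKCS #12 file explicitly, and verifies that the `localhost` alias created by `openssl pkcs12 -name localhost` actually holds a private key before serving. The fallback path `localhost.p12`, the password `password` and port 8443 are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

/** One-way (host-only) TLS server backed by the PKCS #12 file built from the mkcert output. */
public class P12TlsServer {

    /** Builds an SSLContext from the PKCS #12 keystore; the alias must match the -name given to openssl. */
    static SSLContext contextFromP12(String path, char[] password, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        // Fail early with a clear message: a missing key entry otherwise surfaces as an opaque handshake error.
        if (!ks.isKeyEntry(alias)) {
            throw new GeneralSecurityException("no private key entry under alias '" + alias + "'");
        }
        X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
        leaf.checkValidity(); // throws if the certificate is expired or not yet valid
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // no trust managers needed: clients are not authenticated
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Same property names the page configures; the defaults are assumed values for this example.
        String path = System.getProperty("javax.net.ssl.keyStore", "localhost.p12");
        char[] pw = System.getProperty("javax.net.ssl.keyStorePassword", "password").toCharArray();
        SSLContext ctx = contextFromP12(path, pw, "localhost");
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(false); // explicit: one-way TLS, only the host is authenticated
            System.out.println("listening on https://localhost:8443 (Ctrl-C to stop)");
            while (true) {
                try (SSLSocket s = (SSLSocket) server.accept(); OutputStream out = s.getOutputStream()) {
                    s.startHandshake(); // forces the TLS handshake so certificate problems show up here
                    out.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
                            .getBytes(StandardCharsets.US_ASCII));
                }
            }
        }
    }
}
```

With the mkcert root CA installed in the local trust store (`mkcert -install`), `curl https://localhost:8443` should return `ok` without a certificate warning, which confirms the host certificate chains to a trusted CA.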

Java can use PKCS #12 files directly, so there no longer seems to be a need for Java JKS keystore files. However, if you need a JKS for whatever reason, you can convert the PKCS #12 file into a JKS keystore using:

keytool -importkeystore -srckeystore localhost.p12 -destkeystore localhost.jks -srcstoretype pkcs12 -alias localhost