I’ve spent most of the past two days working on a little project at work that needs the ability to generate Java JKS keystore files (compatible with the Java keytool program) containing X.509 certificates signed by a private certificate authority.

If you think that sounds simple, then you’ve obviously never worked with X.509.

This turns out to be astoundingly difficult, largely because X.509 is insane. It doesn’t help that Sun’s keytool program is missing a lot of functionality: if you want to rename keys or extract the private keys from the keystore file, then you’ll need to resort to coding it in Java. It’s also really hard to find usable certificate authority software. I’ve been looking for a complete open-source corporate CA for at least 8 years! There are lots of partial solutions out there, but none of the ones that I’ve used have actually been able to solve all of the problems that I’ve needed solved. I’ve always fallen back on scripting openssl directly, and that always requires a day or so of digging through the OpenSSL documentation to find the right incantations to get it to work.

In the end, all I needed to do was run openssl 3 times per key generated (make key, sign key, convert to PKCS#12), then run a bit of Java code out of Jetty to convert the PKCS#12 key to a format that keytool can read. Don’t ask why I had to drag Jetty into the picture; that’s like requiring Apache in order to get your version control software to compile or something, and it just doesn’t make any sense. Sigh.
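As an added example (not the author's script), here is the three-step openssl sequence from the post wrapped in shell functions, plus a check that the signed certificate actually chains to the CA and that the PKCS#12 file opens with its password. The CA files, host name and password are assumptions; `make_demo_ca` creates a throwaway CA only so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: the per-key openssl steps (make key, sign key, convert to
# PKCS#12) as functions. All file names below are assumptions, not from the post.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs, certs, p12

# Constructed throwaway CA for the demo; a real private CA would already exist.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 1: generate an unencrypted private key and a CSR for the named host.
make_key() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
}

# Step 2: have the private CA sign the CSR, producing the X.509 certificate.
sign_key() {
  name="$1"
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -out "$WORK/$name.crt" 2>/dev/null
}

# Step 3: bundle key + cert + CA cert into a password-protected PKCS#12 file,
# the format Java (and later keytool versions) can import into a keystore.
to_pkcs12() {
  name="$1" password="$2"
  openssl pkcs12 -export -name "$name" \
    -inkey "$WORK/$name.key" -in "$WORK/$name.crt" -certfile "$WORK/ca.crt" \
    -out "$WORK/$name.p12" -passout "pass:$password"
}

# Check: the cert verifies against the CA and the p12 opens with the password.
# Returns 0 on success, non-zero on a bad chain or wrong password.
verify_bundle() {
  name="$1" password="$2"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$name.crt" >/dev/null 2>&1 &&
  openssl pkcs12 -in "$WORK/$name.p12" -passin "pass:$password" -noout 2>/dev/null
}
```

On JDK 6 and later, `keytool -importkeystore -srcstoretype PKCS12` can do the final PKCS#12-to-JKS import without custom Java code.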

For future reference, here are a few useful links: