Generating Client Certificate#

To generate a client certificate (a self-signed RSA key pair in its own keystore):

$ keytool -genkey \
    -keystore client-cert.jks \
    -storepass Secret.123 \
    -keyalg RSA \
    -keypass Secret.123 \
    -alias client \
    -dname "UID=testuser,O=EXAMPLE"

To export the client certificate (public part only, PEM-encoded via -rfc):

$ keytool -export \
    -keystore client-cert.jks \
    -storepass Secret.123 \
    -alias client \
    -rfc \
    -file client.crt

To trust the client certificate (import it into the server's trust store):

$ keytool -import \
    -keystore server-trust.jks \
    -storepass Secret.123 \
    -alias client \
    -file client.crt

Generating Server Certificate#

$ keytool -genkey \
    -keystore server-cert.jks \
    -storepass Secret.123 \
    -keyalg RSA \
    -keypass Secret.123 \
    -alias server \
    -dname "CN=$HOSTNAME,O=EXAMPLE"

To export the server certificate (public part only, PEM-encoded via -rfc):

$ keytool -export \
    -keystore server-cert.jks \
    -storepass Secret.123 \
    -alias server \
    -rfc \
    -file server.crt

To trust the server certificate (import it into the client's trust store):

$ keytool -import \
    -keystore client-trust.jks \
    -storepass Secret.123 \
    -alias server \
    -file server.crt
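The client and server steps above are the same three operations mirrored, so the following added script (not part of the original page) performs both halves end to end in one directory and then checks that each side's trust store actually contains the peer's certificate. It assumes a JDK keytool on PATH and reads the password from the KEYSTORE_PASS environment variable using keytool's -storepass:env and -keypass:env modifiers, so the password does not land in shell history or in the process list the way a literal -storepass argument does; the key size and validity period are choices made for this example, not values from the page. Without an explicit -storetype, current JDKs create the stores in PKCS12 format even with a .jks file name, which is fine for this purpose.

```shell
#!/bin/sh
# Added example (not from the original page): the client/server keystore
# procedure above, run end to end in one directory and verified afterwards.
# Assumptions: a JDK keytool on PATH; the store/key password is read from the
# KEYSTORE_PASS environment variable (keytool's -storepass:env / -keypass:env
# modifiers) so it is not written into shell history or visible in `ps`;
# key size and validity are choices made here, not values from the page.
set -eu

# gen_keypair DIR ALIAS DN: create DIR/ALIAS-cert.jks holding one self-signed RSA key pair.
gen_keypair() {
    keytool -genkeypair \
        -keystore "$1/$2-cert.jks" \
        -storepass:env KEYSTORE_PASS \
        -keypass:env KEYSTORE_PASS \
        -keyalg RSA -keysize 2048 \
        -validity 365 \
        -alias "$2" \
        -dname "$3"
}

# export_cert DIR ALIAS: write the public certificate (no private key) as PEM to DIR/ALIAS.crt.
export_cert() {
    keytool -exportcert \
        -keystore "$1/$2-cert.jks" \
        -storepass:env KEYSTORE_PASS \
        -alias "$2" \
        -rfc \
        -file "$1/$2.crt"
}

# trust_cert DIR STORE ALIAS: import DIR/ALIAS.crt into the trust store DIR/STORE.
# -noprompt answers keytool's "Trust this certificate?" question non-interactively.
trust_cert() {
    keytool -importcert \
        -keystore "$1/$2" \
        -storepass:env KEYSTORE_PASS \
        -alias "$3" \
        -file "$1/$3.crt" \
        -noprompt
}

# has_alias STORE ALIAS: succeed only if the keystore contains an entry under ALIAS.
has_alias() {
    keytool -list \
        -keystore "$1" \
        -storepass:env KEYSTORE_PASS \
        -alias "$2" >/dev/null 2>&1
}

# setup_mtls DIR HOSTNAME: build all four stores, then confirm each side's
# trust store really holds the peer's certificate (and nothing was mixed up).
setup_mtls() {
    dir=$1; host=$2
    mkdir -p "$dir"
    gen_keypair "$dir" client "UID=testuser,O=EXAMPLE"
    gen_keypair "$dir" server "CN=$host,O=EXAMPLE"
    export_cert "$dir" client
    export_cert "$dir" server
    trust_cert "$dir" server-trust.jks client   # server trusts this client cert
    trust_cert "$dir" client-trust.jks server   # client trusts this server cert
    has_alias "$dir/server-trust.jks" client && has_alias "$dir/client-trust.jks" server
}

# Entry point: runs only when given arguments, so the file can also be sourced for its functions.
if [ $# -ge 2 ]; then
    setup_mtls "$1" "$2" && echo "mutual TLS keystores ready under $1"
fi
```

Run it as `KEYSTORE_PASS='Secret.123' sh mtls-keystores.sh ./out "$HOSTNAME"`; afterwards `keytool -printcert -file out/client.crt` shows the DN and fingerprint that the server will be pinning, since importing a leaf certificate directly into a trust store means the server trusts exactly that certificate rather than anything issued by a CA.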

Debugging#

To debug JSSE, set the following Java system property:

  • javax.net.debug: all

To debug JSSE in Tomcat, set the following variable in /etc/sysconfig/:

JAVA_OPTS="-Djavax.net.debug=all"
