Generate Key Pairs and Certificates

For SSL operation, the server always needs a key pair. In general, for one end of the communication to authenticate the other, the authenticating end must install a certificate generated by its partner in its own trust store.

If the server runs in peer authentication mode (the server authenticates the clients), then each client needs its own key pair as well. A key pair is stored in a file called a key store; the JDK's SSL provider reads the system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword to locate and open the key store.

The certificates of trusted parties are installed in a separate file called a trust store. The JDK's SSL provider reads the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to locate and open the trust store. Keep the two files distinct: the key store holds a private key and must be protected accordingly, whereas the trust store holds only public certificates and its password merely guards the integrity of the file.

Generate Key Pairs

Key pairs are generated with keytool -genkey (newer JDKs also accept the synonym -genkeypair). The simplest way to generate a key pair is to do the following:

keytool -genkey -alias <alias> -keystore <keystore>

keytool prompts for the needed information, such as identity details and passwords. Unless -keyalg is given, older JDKs default to DSA, which current SSL/TLS implementations reject; pass -keyalg RSA -keysize 2048 (or stronger) explicitly.

For example, to generate the server key pair:

keytool -genkey -alias myGemFireXDServer -keystore serverKeyStore.key

Generate a client key pair:

keytool -genkey -alias aGemFireXDClient -keystore clientKeyStore.key

Consult the JDK documentation for more information on keytool.

Generate Certificates

Generate certificates with keytool -export as follows:

keytool -export -alias <alias> -keystore <keystore> \
        -rfc -file <certificate file>

For example, to generate a server certificate:

keytool -export -alias myGemFireXDServer -keystore serverKeyStore.key \
        -rfc -file myServer.cert

Generate a client certificate:

keytool -export -alias aGemFireXDClient -keystore clientKeyStore.key \
        -rfc -file aClient.cert

The -rfc option writes the certificate in printable (PEM) encoding, so the file contains only public data and may be distributed to the relevant parties. Before importing a received certificate, the receiving party should check its fingerprint (keytool -printcert -file <certificate file>) against a value obtained from the issuer out of band.

Install Certificate in a Trust Store

Install a certificate in a trust store with keytool -import as follows (keytool asks whether to trust the certificate; -noprompt suppresses that question, so use it only after the fingerprint has been checked):

keytool -import -alias <alias> -file <certificate file> \
        -keystore <trust store>

Install a client certificate in the server's trust store:

keytool -import -alias aGemFireXDClient -file aClient.cert \
        -keystore serverTrustStore.key

Install the server certificate in a client's trust store:

keytool -import -alias myGemFireXDServer -file myServer.cert \
        -keystore clientTrustStore.key
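The three steps above (generate key pairs, export certificates, install each party's certificate in the other party's trust store) as one script that runs without interactive prompts and checks the result. This is an added example, not code from the original page or from the GemFire XD project; the aliases and file names follow the page, while the password handling, the -dname values, the SAN entries and the helper names (gen_keypair, export_cert, cert_fingerprint, import_cert, has_entry, setup_mutual_auth_stores) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original page or the GemFire XD project: the
# keytool procedure for peer authentication scripted end to end. Aliases and
# file names follow the page; password handling, -dname values, SAN entries
# and helper names are assumptions for illustration.
set -eu

# Assumption: one password for every store. In production read it from a
# protected file (keytool -storepass:file) or the environment (-storepass:env)
# instead of passing it on the command line, where it shows up in ps output.
STOREPASS="${STOREPASS:-changeit}"

# Generate a key pair in its own key store. -keyalg is given explicitly because
# older JDKs default to DSA, which current TLS stacks reject; -dname replaces
# the interactive identity prompts; the optional -ext san=... records the host
# names in a subjectAltName so clients that verify host names accept the server.
gen_keypair() {
    al="$1" store="$2" cn="$3" san="${4:-}"
    set -- -genkeypair -alias "$al" -keystore "$store" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$cn, O=Example"
    [ -n "$san" ] && set -- "$@" -ext "san=$san"
    keytool "$@"
}

# Export only the public certificate (PEM because of -rfc); the private key
# never leaves the key store.
export_cert() {
    keytool -exportcert -alias "$1" -keystore "$2" -storepass "$STOREPASS" \
        -rfc -file "$3"
}

# Print the certificate fingerprint: compare it with the value the issuing
# party published out of band before trusting the file.
cert_fingerprint() {
    keytool -printcert -file "$1" | grep -E 'SHA(256|1):' | head -n 1
}

# Install a certificate as a trusted entry. -noprompt answers the
# "Trust this certificate?" question, so call it only after the fingerprint
# has been verified.
import_cert() {
    keytool -importcert -alias "$1" -file "$2" -keystore "$3" \
        -storepass "$STOREPASS" -noprompt
}

# Succeed only if <store> lists <alias> with the given entry type
# (PrivateKeyEntry for a key pair, trustedCertEntry for an installed certificate).
has_entry() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" | grep -qi "^$2,.*$3"
}

# Build both parties' stores in <work-dir>; returns non-zero if any step fails
# or any store is missing an expected entry. Runs in a subshell so the cd does
# not leak into the caller.
setup_mutual_auth_stores() (
    mkdir -p "$1" && cd "$1"
    gen_keypair myGemFireXDServer serverKeyStore.key server.example.com "dns:localhost,ip:127.0.0.1"
    gen_keypair aGemFireXDClient  clientKeyStore.key client1
    export_cert myGemFireXDServer serverKeyStore.key myServer.cert
    export_cert aGemFireXDClient  clientKeyStore.key aClient.cert
    cert_fingerprint myServer.cert
    cert_fingerprint aClient.cert
    import_cert aGemFireXDClient  aClient.cert  serverTrustStore.key
    import_cert myGemFireXDServer myServer.cert clientTrustStore.key
    has_entry serverKeyStore.key   myGemFireXDServer PrivateKeyEntry
    has_entry serverTrustStore.key aGemFireXDClient  trustedCertEntry
    has_entry clientKeyStore.key   aGemFireXDClient  PrivateKeyEntry
    has_entry clientTrustStore.key myGemFireXDServer trustedCertEntry
)

# Usage: sh mutual-auth-stores.sh <work-dir>
if [ $# -eq 1 ]; then setup_mutual_auth_stores "$1"; fi
```

With the stores built, the server is started with -Djavax.net.ssl.keyStore=serverKeyStore.key, -Djavax.net.ssl.keyStorePassword=..., -Djavax.net.ssl.trustStore=serverTrustStore.key and -Djavax.net.ssl.trustStorePassword=..., and each client with its own clientKeyStore.key and clientTrustStore.key. Because the server's trust store contains only the individual client certificates that were imported, a client whose certificate was never installed cannot pass peer authentication; revoking a client is a matter of deleting its entry (keytool -delete -alias <alias> -keystore serverTrustStore.key) and restarting the server.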