
How to make a Java key store

A Java keystore is needed to sign the jar file created by the GridShib-CA so that Java Web Start will give it the permissions it needs to function. These directions describe one method of creating the keystore. There are almost certainly others.

WARNING: A number of Java applications echo passwords to the screen as they are typed, so be aware of this as you proceed and be wary of doing this process in a public place.


To use these directions, you will need the following.

Creating the key store

Assuming you have your certificate and private key in ~/.globus/usercert.pem and ~/.globus/userkey.pem respectively, run the following command to create your keystore in ~/.keystore, which is where the GridShib-CA jar signing process will look for it by default (this can be changed with the --with-jarsigner-keystore option to configure).
% openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem \
                 -name default -out ~/.keystore
You'll be asked for the password on your existing private key. Then you will be asked for an "Export Password", which is a new password you will create to protect the keystore. Don't reuse an existing password for the Export Password, as you'll need to put this password into a file for the GridShib-CA to use to sign the jar during the build process. By default this file is ~/.keystore-password, but this can be changed with the --with-jarsigner-password-file option to configure.

% echo my-export-password > ~/.keystore-password

Alternate method using Sun's "keytool" program

If you have Sun's Java Development Kit (JDK) installed, you can create a key store containing a self-signed certificate by using the "keytool" program.  You need to decide on a DN (distinguished name) for your certificate.  For this example we will use the DN ',O=My Site,L=Springfield,ST=Illinois,C=US'.  Note that you will need to quote the DN string if any of the fields contain spaces, but do not add spaces before/after commas.

% keytool -genkeypair -v -alias default -keystore ~/.keystore -storetype pkcs12 \
          -dname ',O=My Site,L=Springfield,ST=Illinois,C=US' \
          -validity 1095 -storepass mypassword
As before, you need to put the key store password into the appropriate location.
% echo mypassword > ~/.keystore-password
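Both methods above leave the keystore password in a plain file, and the keytool form also puts it on the command line where it is visible in process listings and shell history. The script below is an added example (not part of the GridShib-CA documentation) that writes ~/.keystore-password so that only the owner can read it, refuses to proceed if the file is readable by others, and feeds the password to openssl and keytool from that file instead of the command line. File paths, the alias "default" and the DN are taken from the directions above; the keytool -storepass:file form is assumed to be available in your JDK.

```shell
#!/bin/sh
# Added example: create the jar-signer password file with owner-only
# permissions, then build the keystore without exposing the password.

# write_password_file FILE PASSWORD
# Recreates FILE under umask 077 so it is mode 0600 from the moment it exists.
write_password_file() {
    file=$1
    password=$2
    rm -f "$file"
    ( umask 077 && printf '%s\n' "$password" > "$file" )
}

# password_file_is_private FILE
# Succeeds only if FILE is a regular file with no group/other permissions.
password_file_is_private() {
    file=$1
    [ -f "$file" ] || return 1
    # Characters 5-10 of `ls -ld` output are the group and other permission bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ]
}

# make_keystore_openssl CERT KEY KEYSTORE PASSWORD_FILE
# Same export as the directions above, but the Export Password comes from
# PASSWORD_FILE via -passout file:, so it is never typed or echoed.
make_keystore_openssl() {
    cert=$1; key=$2; keystore=$3; pwfile=$4
    password_file_is_private "$pwfile" || {
        echo "refusing to continue: $pwfile is readable by other users" >&2
        return 1
    }
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name default \
        -passout "file:$pwfile" -out "$keystore"
}

# make_keystore_keytool KEYSTORE PASSWORD_FILE
# Self-signed alternative; -storepass:file keeps the password out of `ps` output
# and shell history (this option form is assumed to be supported by your keytool).
make_keystore_keytool() {
    keystore=$1; pwfile=$2
    password_file_is_private "$pwfile" || {
        echo "refusing to continue: $pwfile is readable by other users" >&2
        return 1
    }
    keytool -genkeypair -v -alias default -keystore "$keystore" -storetype pkcs12 \
        -dname ',O=My Site,L=Springfield,ST=Illinois,C=US' \
        -validity 1095 -storepass:file "$pwfile"
}
```

Usage: `write_password_file ~/.keystore-password my-export-password` followed by `make_keystore_openssl ~/.globus/usercert.pem ~/.globus/userkey.pem ~/.keystore ~/.keystore-password` (or the keytool variant); openssl will still prompt for the existing private key's password.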