SSL Cheatsheet

SSL Cheatsheet for Java
Posted: Mon 08 Jan, 2018, 12:07

Every time I have an SSL certificates issue, I find myself having to re-learn all the terminology
and concepts. It’s an area of development that is reasonably complicated and yet infrequently
used - the worst possible combination because it takes ages to get back to speed again. So
this is my cheatsheet to help me get back up the learning curve a bit quicker next time, and
may be of use to others as well.

It almost certainly has some errors, so please let me know if you spot anything.


Term - Description
Private key - A secret cryptographic key that uniquely identifies an individual.
Certificate - Binds a cryptographic key to an organisation's details.
Truststore - A store of certificates of trusted Certificate Authorities. Provided with a JRE, but often amended to include corporation-specific CAs. These are the CAs for the sites you are going to trust.
Keystore - Contains a private key and certificate for use in client-certificate authentication (sometimes called two-way SSL).


PEM - ASCII format for certificates and/or private keys. A single file can contain more than one. See doc

P12 - A binary container format for multiple cryptographic artifacts. It is often used to hold a user's private key and their user certificate.

CRT - A file extension for a digital certificate file, as used with a web browser.

JKS - A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption.



openssl is the essential tool for generating and converting all manner of SSL-related
formats, of which there are many. Here are a few examples related to key management:

To check the private key and certificate contents of a P12:

openssl pkcs12 -in dmcert.p12 -info

To generate a PEM private key from a P12 with no password challenge (-nodes writes the key unencrypted):

openssl pkcs12 -out dmcert.pem -in dmcert.p12 -nodes

To generate a P12 from a PEM (one that contains both the key and the certificate) do:

openssl pkcs12 -export -in dmcert.pem -out dmcertgen.p12

And some examples to do with certificates. To validate and view the contents of a certificate do:

openssl x509 -in my-org.pem -text

To write a PEM certificate out as a .crt file do (the encoding stays PEM; add -outform DER for a binary CRT):

openssl x509 -in my-org.pem -out my-org.crt

To extract the CA certificates from a P12 file as a list of PEM certificates (no keys):

openssl pkcs12 -in cacerts.p12 -nokeys -out cacerts.pem

To extract the private key from a P12 file and convert it to RSA format do:

openssl pkcs12 -in dmcert.p12 -clcerts -nodes -nocerts | openssl rsa -out dmcert.key

To create a P12 from a separate key file and certificate file:

openssl pkcs12 -export -out dmcert.p12 -inkey dmcert.key -in dmcert.crt


keytool is a JRE-provided tool for generating keystores, either truststores or private key stores.

To list the contents of a keystore:

keytool -list -v -keystore truststore.jks

To list just the trusted CAs (by certificate owner):

keytool -storepass changeit -list -v -keystore truststore.jks | egrep Owner

To add a CA's PEM to your existing truststore:

keytool -noprompt -trustcacerts -importcert -storepass changeit -file newca.pem -alias newca -keystore truststore.

To convert a JKS file (of trusted CA certs) to a P12 file:

keytool -importkeystore -srckeystore cacerts -destkeystore cacerts.p12 -deststoretype PKCS12

SSL with Java

Java requires the following properties to be set for SSL:

The location of your trust store (defaults to jre/lib/certs).
The password for the truststore (often changeit).
The location of your private key store, in JKS or P12 format.
The keystore password.
The format of the keystore, set to PKCS12 if providing a raw P12 file.
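A programmatic equivalent of those properties, added here as an example (not code from the original post): it loads the truststore and an optional client keystore into an SSLContext, so the store locations, passwords and type are explicit in code rather than set as javax.net.ssl.* system properties. File names and passwords are placeholders; the javax.net.ssl.* property names in the comments are the standard JSSE ones, not taken from the post.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class SslContextBuilder {

    // Load a keystore from disk: "PKCS12" for a raw .p12 file, "JKS" for a Java keystore.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an SSLContext from an explicit truststore and an optional client keystore.
    // keyStorePath == null gives one-way SSL (server verified, no client certificate sent).
    static SSLContext build(String trustStorePath, char[] trustStorePassword,
                            String keyStorePath, String keyStoreType, char[] keyStorePassword)
            throws Exception {
        // Equivalent of javax.net.ssl.trustStore / javax.net.ssl.trustStorePassword
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, "JKS", trustStorePassword));

        // Equivalent of javax.net.ssl.keyStore / keyStoreType / keyStorePassword (two-way SSL)
        KeyManagerFactory kmf = null;
        if (keyStorePath != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStorePath, keyStoreType, keyStorePassword), keyStorePassword);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names and passwords; the .p12 is the kind produced by the openssl steps above.
        SSLContext ctx = build("truststore.jks", "changeit".toCharArray(),
                               "dmcert.p12", "PKCS12", "secret".toCharArray());
        // Hand ctx.getSocketFactory() to HttpsURLConnection or your HTTP client.
        System.out.println("Protocol: " + ctx.getProtocol());
    }
}
```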

The keystore properties are only required when making an SSL connection to a server that expects to authenticate
the client using its SSL certificate. This document is very useful if debugging SSL connections: