SSL Cheatsheet

SSL Cheatsheet for Java

Posted: Mon 08 Jan, 2018, 12:07
Every time I have an SSL certificates issue, I find myself having to re-learn all the terminology and concepts. It's an area of development that is reasonably complicated and yet infrequently used - the worst possible combination because it takes ages to get back to speed again. So this is my cheatsheet to help me get back up the learning curve a bit quicker next time, and may be of use to others as well.

It almost certainly has some errors, so please let me know if you spot anything.


Private key - A cryptographic key that uniquely identifies an individual.

Certificate - Binds a cryptographic (public) key to an organisation's details.

Truststore - A store of certificates of trusted Certificate Authorities. One is provided with the JRE, but it is often amended to include corporation-specific CAs. These are the CAs for the sites you are going to trust.

Keystore - Contains a private key and certificate for use in client-certificate authentication (sometimes called two-way SSL).


PEM - ASCII (base64 with BEGIN/END markers) format for certificates and/or private keys. Can contain more than one per file. See doc

P12 - A binary container format for multiple cryptographic artifacts. It is often used to hold a user's private key and their user certificate.

CRT - A file extension for a digital certificate file used with a web browser.

JKS - A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption.



openssl is a required tool that is used for generating and converting all manner of SSL related formats - of which there are many. Here are a few examples related to key management:

To inspect the contents of a P12 (private key and certificates):

openssl pkcs12 -in dmcert.p12 -info

To generate a PEM private key from a P12 with the key left unencrypted (-nodes; you are still asked for the P12 import password):

openssl pkcs12 -out dmcert.pem -in dmcert.p12 -nodes

To generate a P12 from a PEM do:

openssl pkcs12 -export -in dmcert.pem -out dmcertgen.p12

And some examples to do with certificates. To validate and view the contents of a certificate:

openssl x509 -in my-org.pem -text

To write a PEM certificate out with a CRT extension (the contents stay PEM; add -outform DER if the binary form is needed):

openssl x509 -in my-org.pem -out my-org.crt

To extract the CA certificates from a P12 file as a PEM list (no private key):

openssl pkcs12 -in cacerts.p12 -nokeys -out cacerts.pem

To extract the key from a P12 file and convert it to traditional RSA PEM format:

openssl pkcs12 -in dmcert.p12 -clcerts -nodes -nocerts | openssl rsa -out dmcert.key

To create a p12 from a separate key and certificate file:

openssl pkcs12 -export -out dmcert.p12 -inkey dmcert.key -in dmcert.crt


keytool is a JRE-provided tool for generating keystores, either truststores or private key stores.

To list the contents of a keystore:

keytool -list -v -keystore truststore.jks

To list trusted CAs:

keytool -storepass changeit -list -v -keystore truststore.jks | egrep Owner

To add a CA's PEM to your existing truststore:

keytool -noprompt -trustcacerts -importcert -storepass changeit -file newca.pem -alias newca -keystore truststore.

To convert a JKS file (of trusted CA certs) to a P12 file:

keytool -importkeystore -srckeystore cacerts -destkeystore cacerts.p12 -deststoretype PKCS12
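A PEM bundle can hold several CA certificates, but keytool imports one certificate per alias, so the bundle has to be split first. This added helper (not from the original post; function names are my own) splits a bundle into one file per CERTIFICATE block, skips any PRIVATE KEY block so it never lands in a truststore, and emits the matching keytool import commands; the sample bundle is constructed with placeholder bodies, not real certificates.

```shell
# Split a PEM bundle into one file per CERTIFICATE block.  Private key
# blocks are skipped so they never end up in a truststore.  Files are
# written to $2 as cert-1.pem, cert-2.pem, ... and the count is printed.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > f }
        /^-----END CERTIFICATE-----$/   { close(f); keep = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Emit (do not run) one keytool import command per split certificate,
# using the file name as the alias, in the form used in the post above.
keytool_import_commands() {
    outdir="$1"
    store="$2"
    for f in "$outdir"/cert-*.pem; do
        alias=$(basename "$f" .pem)
        echo "keytool -noprompt -trustcacerts -importcert -storepass changeit -file $f -alias $alias -keystore $store"
    done
}

# Constructed sample bundle: the base64 bodies are placeholders, not real
# certificates or keys, so this runs without openssl or keytool installed.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCA==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEplaceholderKeyThatMustNotBeImported==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCA==
-----END CERTIFICATE-----
EOF
}
```

Run the printed keytool lines against your truststore once you have checked the split files with `openssl x509 -in cert-1.pem -text`.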

SSL with Java

Java requires the following properties to be set for SSL:

Property - Description

javax.net.ssl.trustStore - location of your trust store (defaults to jre/lib/certs)

javax.net.ssl.trustStorePassword - password for the truststore (often changeit)

javax.net.ssl.keyStore - location of your private key store in jks or p12 format

javax.net.ssl.keyStorePassword - password of the keystore

javax.net.ssl.keyStoreType - set to PKCS12 if providing a raw p12 file

The keystore properties are required if making an SSL connection to a server that expects to authenticate the client using its SSL certificate. This document is very useful if debugging SSL connections: