My own journey into the Setup of Networking and Code Security Including Installing Root and Class 3 Certificates for Java (2019)

Basic Assumptions

You should be familiar with your desktop environment, whether Mac, Linux or Windows. You know how to set the path to the correct [JAVA_HOME]/bin directory for the JDK or JRE. You can compile in Java and have at least the ability to modify some code. We'll be working from C:\java -- as such you should have c:\java\;c:\Program Files\JDK_x_x_x\bin at the beginning of your PATH environment variable. You've had at least a little experience with security or have read a little on the subject. We're all standing on the shoulders of giants; of computing, of mathematics, of other disciplines.

Installing Root and Class 3 Certificates -- Installing a 3rd Party Provider

I use Certifying Authority, but they aren't included in the default Windows/Mac/Linux environments, so on my machine I need to install the root certificates into their respective Java Development Kit, or alternatively Java Runtime Environment. I recommend the use of the Java Development Environment, as then you're prepared for anything. Consequently you'll want to have a suitable development environment, if not just the start to one, I use NetBeans but whatever IDE will allow a project from existing sources will do. All the code on these pages will compile and run, its just the build, run, test, process can be a little overwhelming sometimes with different Version Errors. Mine includes the application to install Root and Class 3 certificates, into all possible stores out there. It needs to be run each time I set up my computer after I've installed Java or have a major Java change. I know if I've had a major Java change if the software I've created stops functioning correctly then I know something needs fixing. installs the certificates into all JDK/JRE combinations; other providers may require it also, so I can modify it if need be; --  most CA's charge real dollars for their services, is free. If you use the included software, the certificates will be saved to their default locations (C:\Users\<user>\Downloads\), all of these commands will work on Windows 7. Other operating systems may need some modification to paths and commands and, but should be fairly similar. will download the CACert certificates for you, otherwise you will need to do that. Other operating systems may vary, but not by much and always in consistent ways;

You may install the root chains now by creating the directory c:\java\ and downloading the file into there. Note that you will need the Java home directory in your path and InstallRootChains needs to be run as an Administrator, so on Windows, you need to click the right mouse button  overtop of the Command Prompt Button while holding down the Shift key on the keyboard and then select "Run as Administrator". On Windows 7 you can access that by going to "Start->:All Programs:->Accessories:->Command Prompt", and then right-Shift clicking that and finally, "Run as administrator". Then type the following commands or copy and paste them.

Now supports both cacerts and jssecacerts files So it will first add the certificates to cacerts and then copy to jssecerts. To disable that functionality, comment out lines 32 and 47.

    if (copy(cacerts,jssecacerts)) System.out.println("Duplicated cacerts to: " + jssecacerts);

To run, download to C:\java and then in an Administrator command prompt.

cd \java
java InstallRootChains

The output will be something like this, except relative to your system. These are the commands being executed; if you prefer, you may run it non-privileged and then copy/paste these commands one at a time:. The correct function will only occur if executed as admin or sudo regardless of whether run as a Java App or by executing as privileged user.It's just as an app, it's easier to do. Note** the difference in user from Tim to your name and the versions of the Java Development Kit and Runtime Environment will vary dependent upon the state of your system.

Code Output

Setup Your Private Keystore and the Keystores for Client and Server

Use keytool to create your keystore and generate a csr for the server. Note that for, your Common Name must be equal to your domain name. Mine is; you'll need to adjust your command line to reflect that change, your provider may have different requirements. The parts that need to be changed have been highlighted in the red text color.

* KEYSTORE / TRUSTSTORE Generation, Execute one at a time, (there will be prompts); use CSR's at your signing authorities (your CA) for certificates.
Create your server key and a certificate signing request. This is the certificate for your web server and backend apps/API's. Server keys expire every two years with Also your Common Name where you usually enter your First and Last Names, for, should be your domain name, ie:

keytool -genkey  -alias  -keystore c:\java\keystore_private -keyalg RSA -keysize 2048 -validity 1330
keytool -certreq -alias  -keystore c:\java\keystore_private -file c:\java\

Now obtain your certificate through your signing Certificate Authority (CA). And then import your certificate, in my case from so I need to install their certificates also, so I'll do that now, everywhere I need it.

That's a root and class 3 certificate, each, in each key and trust store where they may be needed. In my case, that's in keystore_private, keystore_server and keystore_client in the c:\java directory.

keytool -import  -alias cacert_class3  -keystore c:\java\keystore_private -file D:\Users\Tim\Downloads\class3_X0E.crt -trustcacerts
keytool -import  -alias cacert_root    -keystore c:\java\keystore_private -file D:\Users\Tim\Downloads\root_X0F.crt   -trustcacerts
keytool -import  -alias cacert_class3  -keystore c:\java\keystore_server  -file D:\Users\Tim\Downloads\class3_X0E.crt -trustcacerts
keytool -import  -alias cacert_root    -keystore c:\java\keystore_server  -file D:\Users\Tim\Downloads\root_X0F.crt   -trustcacerts
keytool -import  -alias cacert_class3  -keystore c:\java\keystore_client  -file D:\Users\Tim\Downloads\class3_X0E.crt -trustcacerts
keytool -import  -alias cacert_root    -keystore c:\java\keystore_client  -file D:\Users\Tim\Downloads\root_X0F.crt   -trustcacerts

And finally, my server certificate. Note that the root certificate chain must be installed to not get an error when installing the server certificate.

keytool -import  -alias  -keystore c:\java\keystore_private -file c:\java\

So at this point, we've installed all of the Root and Class 3 certificates and our own private server key and certificate. We want to keep this information private. We can publish the certificates, as these verify it's actually us, through the Root, Class 3 and C:\java\, in my case. If you are using or or another similiar provider, you will need to go through this process and keep your server key private. Otherwise anyone can say they are you. We don't want that. We want secure, private, authenticatable communications, free and clear between any two parties, across all borders. Unintrudable. secure, authenticated.

SSL For Your Own Code! [FIXED and UPDATED]

So, if you only want to get the SSL Code working, this is what you need at a minimum -- a self signed certificate.

Create your localhost server certificate This secures the communications running on this machine using 1-way SSL for our custom client/server software. You will only need to do this once every 10 years or whenever you set up your machine from scratch. Note the change in keystore to keystore_server.

keytool -genkey -alias localhost -keystore c:\java\keystore_server -keyalg RSA -keysize 2048 -validity 3650
keytool -export -alias localhost -keystore c:\java\keystore_server -file localhost.crt

If you've made it this far, you're doing great. Now we just need to setup the client side. Install the localhost certificate into the keystore. Note that the root certificates for are already done and that now we are using the keystore_client as the keystore.

keytool -import -alias localhost -file c:\java\localhost.crt -keystore c:\java\keystore_client

For 2-way SSL we also need a client certificate with a key, so we'll add that to the client's keystore. I suppose if you wanted, you could create the key for your client certificate through your certifying authority (CA) and be able to use that as a more personal identifier. We'll just use a self signed certificate in this case because it will be for the deployment and backup servers, although you should be able to use any certificate for which you have the private key. This identifies us to the server software. So you can enter whatever you want in this certificate and that's fine and we'll make that so it only needs to be done anytime you need to refer to this document, so probably only if you need to wipe or re-setup your machine.

keytool -genkey -alias client -keyalg RSA -keystore c:\java\keystore_client -validity 3650

We also need to export this client certificate and import it into the keystore_server so that the server can authenticate the client.

keytool -export -alias client -keystore c:\java\keystore_client -file client.crt
keytool -import -alias client -keystore c:\java\keystore_server -file client.crt

Setting Up Your Code Signing Certificate

They're free from with authentication.

Execute the following commands replacing for the parts in red, an example is given. Note the primary work is done in keystore_private. You'll want to keep that private.

keytool -genkey  -alias tdevries -keyalg RSA -keysize 2048  -keystore c:\java\keystore_private
keytool -certreq -alias tdevries -file c:\java\tdevries.csr -keystore c:\java\keystore_private

Now that you have a certificate signing request you can request your code signing certificate. Notice the change in the file used.

keytool -import  -alias tdevries -file c:\java\tdevries.crt -keystore c:\java\keystore_private -trustcacerts
keytool -import  -alias tdevries -file c:\java\tdevries.crt -keystore c:\java\keystore_public  -trustcacerts
keytool -import  -alias tdevries -file c:\java\tdevries.crt -keystore c:\java\truststore       -trustcacerts

You should now be set up for ssl public, ssl private, ssl private 2-way, and code signing. You can start verifying this with the jarsigner utility. You will need SSL enabled software to verify the remainder, please see below.

Signing Jars

Here you'll need to supply a jar, in my case, I've got one located here. I've signed it. It shows the directory the application is launched from. It's executable. It will not work on MacOS, you need to unpack and run from the terminal. This will change when jpackage gets released as then you would have an executable you can just run. I think they said the package would include a desktop icon, but I don't fully recall.

jarsigner -tsa -keystore c:\java\keystore_private D:\java\Runner.jar tdevries


jarsigner -tsa -keystore c:\java\keystore_private D:\java\Runner.jar tdevries

Verifying (using

jarsigner -verify -verbose -certs d:\java\Runner.jar

In my case it resolves to:

C:\Users\Tim>jarsigner -tsa -keystore c:\java\keystore_private D:\java\Runner.jar tdevries
Enter Passphrase for keystore:
jar signed.

The signer certificate will expire on 2021-11-03.
The timestamp will expire on 2030-08-01.

C:\Users\Tim>jarsigner -verify -verbose -certs D:\java\Runner.jar

s 173 Tue Nov 05 16:57:44 MST 2019 META-INF/MANIFEST.MF

>>> Signer
X.509,, CN=Timothy de Vries
[certificate is valid from 11/4/19, 7:17 PM to 11/3/21, 8:17 PM]
X.509, CN=CAcert Class 3 Root, OU=, O=CAcert Inc.
[trusted certificate]
X.509,, CN=CA Cert Signing Authority, OU=, O=Root CA
[trusted certificate]
>>> TSA
X.509, CN="Sectigo RSA Time Stamping Signer #1", O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
[certificate is valid from 5/1/19, 6:00 PM to 8/1/30, 5:59 PM]
X.509, CN=Sectigo RSA Time Stamping CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB [certificate is valid from 5/1/19, 6:00 PM to 1/18/38, 4:59 PM]

312 Tue Nov 05 16:57:44 MST 2019 META-INF/TDEVRIES.SF
10385 Tue Nov 05 16:57:44 MST 2019 META-INF/TDEVRIES.RSA
0 Thu May 24 11:08:14 MDT 2018 META-INF/
sm 907 Thu May 24 11:05:38 MDT 2018 Runner.class

[entry was signed on 11/5/19, 4:57 PM]
>>> Signer
X.509,, CN=Timothy de Vries
[certificate is valid from 11/4/19, 7:17 PM to 11/3/21, 8:17 PM]
X.509, CN=CAcert Class 3 Root, OU=, O=CAcert Inc.
[trusted certificate]
X.509,, CN=CA Cert Signing Authority, OU=, O=Root CA
[trusted certificate]
>>> TSA
X.509, CN="Sectigo RSA Time Stamping Signer #1", O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
[certificate is valid from 5/1/19, 6:00 PM to 8/1/30, 5:59 PM]
X.509, CN=Sectigo RSA Time Stamping CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
[certificate is valid from 5/1/19, 6:00 PM to 1/18/38, 4:59 PM]

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore

- Signed by ", CN=Timothy de Vries"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN="Sectigo RSA Time Stamping Signer #1", O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB" on Tue Nov 05 23:57:42 UTC 2019
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 4096-bit key

jar verified.

The signer certificate will expire on 2021-11-03.
The timestamp will expire on 2030-08-01.


Verifying your SSL Setup

I won't go through setting up your server, as there are just too many different platforms and flavors of Operating Systems for that. However, if you get really stuck I'll do what I can to help you get to a working system -- on that you understand and can work with and one that works. Many of the different systems that I've tried I've been able to get working but maybe there's a better system out there -- one that works for every case.

So on your system, you'll need to follow the instructions for installing your server certificates. You would do this instead of following, say Let'sEncrypt's system and their's is as good as any production system available.

As they become more known to myself, you can probably expect a Java App for this. I'd at least get my own machines covered..

Verifying ssl... Via SSLServer, SSLClient, runProcess.bat

So you need to download all of the following files into the C:\java\ directory or folder, on Linux/MacOS, that's /java/.

Or you can download, compile and run and that will do the setup for you.

So your commands will be:

cd \java
java DoSSLExampleSetup

This will place the following files into their respective locations.

c:\java\ca\tecreations\system\ // this contains the various system paths

And then, you'll need to enter in your passwords for your keystores and truststores where appropriate where it says "tecreations" in both and, and if you've followed this setup so far, then you should be able to execute and modify the code as needed to produce your set of verifiable results.    Line 101:     System.setProperty("","tecreations");    Line 103:     System.setProperty("","tecreations");    Line 25:      System.setProperty("","tecreations");    Line 27:      System.setProperty("","tecreations");

Yes, I could present a gui and collect that data that way, but this is much simpler, you can do this right now and get a good understanding of the code, as opposed to me writing  a bunch more of code, that doesn't really help you understand what's going on. So, once this is completed, you may run buildSSL.bat followed by runServer.bat and then in another window runProcess.bat. You may also run and verify its' use by entering valid commands for the software. You can get an idea of what the commands look like in runProcess.bat. The valid commands so far are PUT src dest txt, GET src dest txt, GET_LIST /pathOffDocrootToList txt and 'exit'.

Something like:

    PUT c:\java\Runner.jar /serverDocrootPlusMe/Runner.jar http/REQUIRED_NOT_USED
    GET /serverDocrootPlusMe D:\java\Runner.jar http/REQUIRED_NOT_USED
    GET_LIST /serverDocrootPlusMe http/REQUIRED_NOT_USED
    exit // exits the app and kills the execution of the server application on the host on which it resides. // THESE Comments WILL CAUSE IT TO FAIL

You can see a working example in runProcess.bat.

Also See:

Corrections? Comments? Questions?

If this has helped you, maybe help me out with a little coin: bitcoin:35jUFvU9rupDiYxRLQ1H4SGBA5FJPhKXKA

Thank you for your time and contributions.