I'm building a Java Client-Server application. The client will communicating with the Server through SSL. I want to achive that the client needs to be authenticate itself. I mean use a keystore or whatever, but this topic is really new to me.

So my question would be, how can I generate a Client and a Server side Keystore (if that's what it's called) and self sign it. From here I can do the rest.

What I have:

keytool -genkeypair -alias test -keystore test.store -storepass StorePass -validity 365 -keyalg RSA -keysize 2048 -dname "CN=TestCompany Ltd., OU=TestCompany Developments, O=TestCompany Ltd., L=MyCity, S=MyState, C=HU" -storetype jks

keytool -keystore test.store -certreq -alias test -keyalg rsa -file test.csr

I think now I need to self-sign the test.csr, right? But what will be this? Should be this used on the Server or the Client side?

And there again on the server side there should be a Keystore which only contains the certificate, but not the private key? Or how does this work? :)

Thanks for any help in advance!

You've generated a CSR. Certificate Signing Request. So, you need somebody to sign it. If you just want a self-signed certificate, use the -selfcert option.

On the server side you need a keystore file containing both the private key and the signed certificate, under the same alias.

On the client side top you need either:

• a truststore containing the self-signed certificate, if you do that, or
• a truststore containing the CA certificate or its root, if you have it CA-signed, and Java already comes with ones of these.