Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file. Before you can create your CSR, you need to create your Java keystore. Your Java keystore contains your private key. Run the following command to create your 2048 bit Java keystore: keytool -genkey -alias myalias -keyalg RSA –keysize 2048 -keystore c:yoursite.keystore 2. Note the alias you use here to create the keystore.

To Use keytool to Create a ServerCertificate

Run keytool to generate a new key pair in the defaultdevelopment keystore file, keystore.jks. This exampleuses the alias server-alias to generate a new public/privatekey pair and wrap the public key into a self-signed certificate inside keystore.jks. The key pair is generated by using an algorithm oftype RSA, with a default password of changeit. For moreinformation and other examples of creating and managing keystore files, readthe keytool online help at http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html.

RSA is public-key encryption technology developed by RSA DataSecurity, Inc.

From the directory in which you want to create the key pair, run keytool as shown in the following steps.

1. Generate the server certificate.

   Type the keytool command all on one line:

   When you press Enter, keytool prompts you to enterthe server name, organizational unit, organization, locality, state, and countrycode.

   You must type the server name in response to keytool’sfirst prompt, in which it asks for first and last names. For testing purposes,this can be localhost.

   When you run the example applications, the host (server name) specifiedin the keystore must match the host identified in the javaee.server.name property specified in the file tut-install/examples/bp-project/build.properties.

2. Export the generated server certificate in keystore.jks intothe file server.cer.

   Type the keytool commandall on one line:

3. If you want to have the certificate signed by a CA, read the exampleat http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html.

4. To add the server certificate to the truststore file, cacerts.jks, run keytool from the directory where you createdthe keystore and server certificate.

   Use the following parameters:

   Information on the certificate, such as that shown next, will appear:

5. Type yes, then press the Enter or Return key.

   The following information appears:

Keytool Generate Certificate

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file. It protects private keys with a password. A Keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file that will initially only contain the private key. You will then generate a CSR and have a certificate generated from it. Then you will import the certificate to the keystore including any root certificates. Java Keytool also several other functions that allow you to view the details of a certificate or list the certificates contained in a keystore or export a certificate.

Note: For easier management of your Java Keystores (using a GUI) check out Portecle. If you need to buy a certificate, try to compare SSL with our SSL Wizard.

Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

• Generate a Java keystore and key pair
• Generate a certificate signing request (CSR) for an existing Java keystore
• Import a root or intermediate CA certificate to an existing Java keystore
• Import a signed primary certificate to an existing Java keystore
• Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytoolfor more info)

Java Keytool Commands for Checking

Keytool Generate Certificate And Private Key

If you need to check the information within a certificate, or Java keystore, use these commands.

• Check a stand-alone certificate
• Check which certificates are in a Java keystore
• Check a particular keystore entry using an alias

Other Java Keytool Commands

Keytool Generate Certificate From Private Key To Computer

• Delete a certificate from a Java Keytool keystore
• Change a Java keystore password
• Export a certificate from a keystore
• List Trusted CA Certs
• Import New CA into Trusted Certs

If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.

Originally posted on Sun Jul 13, 2008