> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Java KeyStore

> Step-by-step guide to generate a key pair using Java keytool for later JAR signing.

This section uses Java **keytool** to generate a new key pair on the CryptoHub, which you can use later to sign a JAR file with the Java **jarsigner** utility. On **FXPKCS11 6.0 rev dc27 or later**, this single command generates the key pair on the CryptoHub and produces a usable `PrivateKeyEntry` with no CryptoHub UI step.

<Note>
  The JDK installation includes the `keytool` application that enables you to run the `keytool` commands in this section with no additional configuration.
</Note>

## Generate a key pair

Perform the following steps to generate a key pair on the CryptoHub:

<Steps>
  <Step>
    Export **FXPKCS11\_CFG** so the Futurex PKCS #11 library can locate its configuration file (`fxpkcs11.cfg`). Point it at the `fxpkcs11.cfg` you configured in [Install and configure Futurex PKCS #11](/Integrations/CryptoHub/Code_signing/Java_Jarsigner/Install_and_configure_Futurex_PKCS_11):

    ```shell expandable lines wrap title="Shell" theme={null}
    export FXPKCS11_CFG=/etc/fxpkcs11.cfg
    ```

    <Note>
      On Windows, set `FXPKCS11_CFG` as a machine-wide variable with `setx` instead (see [Configure SunPKCS11 to use the Futurex PKCS11 module](/Integrations/CryptoHub/Code_signing/Java_Jarsigner/Configure_SunPKCS11_to_use_the_Futurex_PKCS11_module)). If you set `fxpkcs11.cfg` in its default location, this step is not required.
    </Note>
  </Step>

  <Step>
    Execute the following command, passing the `pkcs11.cfg` file you created in the previous section with `-providerArg`. Set `-alias` and `-dname` to a value that identifies this signing key:

    ```text expandable lines wrap title="Text" theme={null}
    keytool -genkeypair -alias jarsigner-demo -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=jarsigner-demo, O=Futurex" -validity 365 -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /usr/local/etc/pkcs11.cfg -providerName SunPKCS11-Futurex -ext extendedKeyUsage=codeSigning -ext KeyUsage=digitalSignature
    ```

    <Check>
      The keytool application generates the key pair on the CryptoHub and self-signs a certificate for it. With no `-storepass` on the command line, keytool prompts for the KeyStore password.
    </Check>
  </Step>

  <Step>
    When prompted for the KeyStore password, enter the CryptoHub identity password (PKCS #11 PIN) configured inside the `<CRYPTO-OPR-PASS>` tag in the `fxpkcs11.cfg` file.
  </Step>
</Steps>

## Verify the key pair

Run the following **keytool** command to confirm the key pair generated on the CryptoHub and lists a `PrivateKeyEntry`:

```shell expandable lines wrap title="Shell" theme={null}
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /usr/local/etc/pkcs11.cfg -providerName SunPKCS11-Futurex
```

<Check>
  The response is similar to the following:

  ```shell expandable lines wrap title="Shell" theme={null}
  Keystore type: PKCS11
  Keystore provider: SunPKCS11-Futurex

  Your keystore contains 1 entry

  jarsigner-demo-1784141140:jarsigner-demo, PrivateKeyEntry,
  Certificate fingerprint (SHA-256): 0E:79:5C:23:06:13:91:42:C8:3A:F7:52:4F:3A:F0:0A:66:28:79:E1:BB:A5:AA:F0:69:B0:AB:EA:F8:54:00:16
  ```
</Check>

<Warning>
  The CryptoHub assigns the on-token key its own alias in the form `<alias>-<id>:<alias>` (for example, `jarsigner-demo-1784141140:jarsigner-demo`), where `<id>` is generated per key. This alias, not the short `-alias` value you passed to `keytool -genkeypair`, is what **jarsigner** and other tools must reference. Copy the exact alias from this `keytool -list` output for the signing commands in [Jarsigner command examples](/Integrations/CryptoHub/Code_signing/Java_Jarsigner/Jarsigner_command_examples).
</Warning>
