> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Java KeyStore

> Step-by-step guide using Java keytool to generate keys, CSR, and import certificates into a Java KeyStore with HSM integration.

This section uses Java **keytool** commands to generate a new key pair on the Vectera Plus, create a Certificate Signing Request (CSR), issue a certificate through an internal or external CA, and import the signed certificate and its accompanying CA certificate into a Java KeyStore.

Perform the following tasks to ensure that you can use **jarsigner** and the signed certificate to sign a JAR file in the next section:

1. Generate a server key pair and self-signed certificate.
2. Generate and export a CSR.
3. Import a CA root certificate.
4. Import the server certificate signed by the CA.

<Note>
  Because the JDK 8 installation includes keytool, you can run the commands without additional configuration.
</Note>

## Generate a key pair and certificate

Perform the following steps to generate a server key pair and self-signed certificate:

<Steps>
  <Step>
    Execute the following command:

    <Note>
      -alias sets a name to identify the key pair and certificate to be generated. It can be any name (for example, JarSignerDemo).
    </Note>

    ```shell expandable lines wrap title="Shell" theme={null}
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias JarsignerDemo -keystore NONE -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -ext extendedKeyUsage=codeSigning -ext KeyUsage=digitalSignature
    ```
  </Step>

  <Step>
    When prompted, enter the following information for the server certificate you want to generate and enter a new KeyStore password, which all subsequent **keytool** and **jarsigner** commands use:

    ```none expandable lines wrap title="None" theme={null}
    What is your first and last name?
    [Unknown]: www.example.com

    What is the name of your organizational unit?
    [Unknown]: Engineering

    What is the name of your organization?
    [Unknown]: Futurex

    What is the name of your City or Locality?
    [Unknown]: Bulverde

    What is the name of your State or Province?
    [Unknown]: TX

    What is the two-letter country code for this unit?
    [Unknown]: US

    Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
    [no]: yes
    ```
  </Step>
</Steps>

## Generate and export a CSR

Perform the following steps to generate and export a CSR:

<Steps>
  <Step>
    To generate and export a CSR, run the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    keytool -certreq -alias JarsignerDemo -file example.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
    ```
  </Step>

  <Step>
    Enter the KeyStore password.
  </Step>

  <Step>
    Send the CSR to a third-party or internal CA to get it signed.

    <Check>
      The CA returns the server certificate and CA certificate for you to import.
    </Check>
  </Step>
</Steps>

## Import a CA root certificate

Perform the following steps to import a CA root certificate:

<Steps>
  <Step>
    To import the CA root certificate, run the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    keytool -import -trustcacerts -alias JarsignerDemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
    ```
  </Step>

  <Step>
    Enter the KeyStore password.
  </Step>

  <Step>
    When prompted to trust the certificate, enter `yes` as shown in the following example:

    ```shell expandable lines wrap title="Shell" theme={null}
    Trust this certificate?
    [no]: yes

    Certificate was added to keystore.
    ```
  </Step>
</Steps>

## Import the server certificate

Perform the following steps to import the server certificate signed by CA:

<Steps>
  <Step>
    To import the signed server certificate, run the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    keytool -importcert -alias JarsignerDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
    ```
  </Step>

  <Step>
    Enter the KeyStore password.

    <Check>
      If the command was successful, you should see an output similar to the following example:

      ```shell expandable lines wrap title="Shell" theme={null}
      Certificate reply was installed in keystore.
      ```
    </Check>
  </Step>
</Steps>
