Create Java KeyStore

This section shows how to use the Java keytool commands to generate a new key pair on the Vectera Plus, create a Certificate Signing Request (CSR), issue a certificate through an internal or external CA, and import the signed certificate and its accompanying CA certificate into a Java keystore.

These steps ensure that you can use APKSigner and the signed certificate to sign an APK file in the next section.

The keytool application is included in the JDK installation, so you can run the keytool commands in this section with no additional configuration.

Generate a server key pair and self-signed certificate

1. Execute the following command:

   The -alias field sets a name to identify the key pair and certificate to be generated. It can be any name (for example, apksignerdemo).

2. When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

3. When prompted, answer the questions about the server certificate. The following example shows the answers that all keytool and jarsigner commands use from this point on:

Generate and export a Certificate Signing Request (CSR)

1. To generate and export a CSR, run the following command:

2. When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

3. Get the CSR signed by a CA, either third-party or internal.

After it is signed, the server certificate returned by the CA is imported along with the CA certificate.

Import a CA root certificate

1. To import the CA root certificate, run the following command:

2. When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

3. When prompted to trust the certificate, enter Yes.

Import a server certificate signed by a CA

1. To import the signed server certificate, run the following command:

2. When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

If the command succeeds, you should see an output similar to the following: Certificate reply was installed in keystore.
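
The four steps above as one script, followed by a check that the CA reply really replaced the initial self-signed certificate. This is an added example, not the vendor's own commands. It assumes keytool reaches the HSM through the JDK's SunPKCS11 provider; the provider config path, the CA alias, the RSA 2048 key parameters, and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: P11_CFG is a SunPKCS11 provider
# config that points at the HSM's PKCS #11 library; the aliases, key parameters
# and file names below are placeholders.
ALIAS="${ALIAS:-apksignerdemo}"
CA_ALIAS="${CA_ALIAS:-demo-ca-root}"
P11_CFG="${P11_CFG:-/path/to/sunpkcs11.cfg}"
CA_CERT="${CA_CERT:-ca-root.pem}"
SIGNED_CERT="${SIGNED_CERT:-$ALIAS.pem}"

# DRY_RUN=1 (the default) prints each command instead of running it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# keytool against the token: the keystore is the HSM, so there is no keystore
# file (-keystore NONE). No -storepass is given: keytool prompts, which keeps
# the identity password out of shell history and the process list.
kt() {
  run keytool "$@" -keystore NONE -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$P11_CFG"
}

# Reads `keytool -list -v` output on stdin. Succeeds only if the alias is a
# private-key entry whose chain holds at least 2 certificates and whose leaf
# is not self-signed, i.e. the CA reply replaced the initial certificate.
chain_installed() {
  awk '
    /^Entry type: PrivateKeyEntry/ { key = 1 }
    /^Certificate chain length: /  { len = $4 }
    /^Owner: /  && owner  == ""    { owner  = substr($0, 8) }
    /^Issuer: / && issuer == ""    { issuer = substr($0, 9) }
    END { exit !(key && len >= 2 && owner != issuer) }'
}

step() {
  case "$1" in
    genkey)      kt -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 ;;
    csr)         kt -certreq -alias "$ALIAS" -file "$ALIAS.csr" ;;
    import-ca)   kt -importcert -trustcacerts -alias "$CA_ALIAS" -file "$CA_CERT" ;;
    import-cert) kt -importcert -alias "$ALIAS" -file "$SIGNED_CERT" ;;
    verify)      DRY_RUN=0 kt -list -v -alias "$ALIAS" | chain_installed ;;
    *) echo "usage: $0 genkey|csr|import-ca|import-cert|verify" >&2; return 2 ;;
  esac
}

if [ "$#" -gt 0 ]; then step "$1"; fi
```

Run each step with `DRY_RUN=0` once the printed command looks right; `verify` exits non-zero if the alias still holds only the self-signed certificate, which would otherwise surface later when the APK signature is checked.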