Create Java KeyStore

This section uses Java keytool commands to generate a new key pair on the , create a Certificate Signing Request (CSR), issue a certificate through an internal or external CA, and import the signed certificate and its accompanying CA certificate into a Java KeyStore.

Perform the following tasks to ensure that you can use jarsigner and the signed certificate to sign a JAR file in the next section:

  1. Generate a server key pair and self-signed certificate.
  2. Generate and export a CSR.
  3. Import a CA root certificate.
  4. Import the server certificate signed by the CA.

Because the JDK 8 installation includes keytool, you can run the commands without additional configuration.

1 | Generate a server key pair and self-signed certificate

  1. Execute the following command:

-alias sets a name to identify the key pair and certificate to be generated. It can be any name (for example, JarSignerDemo).

Shell

  2. When prompted, enter the following information for the server certificate you want to generate and enter a new KeyStore password, which all subsequent keytool and jarsigner commands use:

Text


2 | Generate and export a CSR

  1. To generate and export a CSR, run the following command:

Shell

  2. Enter the KeyStore password.

  3. Send the CSR to a third-party or internal CA to get it signed.

The CA returns the server certificate and CA certificate for you to import.

3 | Import a CA root certificate

  1. To import the CA root certificate, run the following command:

Shell

  2. Enter the KeyStore password.

  3. When prompted to trust the certificate, enter Yes as shown in the following example:

Shell


4 | Import a server certificate signed by CA

  1. To import the signed server certificate, run the following command:

Shell

  2. Enter the KeyStore password.

If the command was successful, you should see output similar to the following:

Shell
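The four tasks above as one non-interactive script. This is an added example, not the page's own commands: it assumes a file-based PKCS12 keystore and uses a throwaway local CA (alias DemoCA, signing with keytool -gencert) as a stand-in for the internal or external CA. Every file name, distinguished name, alias other than JarSignerDemo, and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example: the four tasks, scripted against a file-based keystore.
# The local "DemoCA" stands in for the real CA; names and DNs are constructed.
# -storepass on the command line is visible to other local users; prompt
# interactively (as the steps above do) for any real key.

make_signing_keystore() {
    dir=$1; pass=${2:-changeit-demo}
    mkdir -p "$dir" || return 1
    ks="$dir/signer.p12"; ca="$dir/ca.p12"

    # Stand-in CA (in practice the CSR goes to your internal or external CA).
    keytool -genkeypair -alias DemoCA -keyalg RSA -keysize 2048 \
        -dname "CN=Demo Root CA" -ext bc:c=ca:true -validity 30 \
        -keystore "$ca" -storetype PKCS12 -storepass "$pass" || return 1
    keytool -exportcert -alias DemoCA -rfc -file "$dir/ca.pem" \
        -keystore "$ca" -storepass "$pass" || return 1

    # 1. Server key pair and self-signed certificate.
    keytool -genkeypair -alias JarSignerDemo -keyalg RSA -keysize 2048 \
        -dname "CN=JarSigner Demo, O=Example" -validity 30 \
        -keystore "$ks" -storetype PKCS12 -storepass "$pass" || return 1

    # 2. Generate and export the CSR.
    keytool -certreq -alias JarSignerDemo -file "$dir/signer.csr" \
        -keystore "$ks" -storepass "$pass" || return 1

    # CA side: sign the CSR (done by the CA, not by you, in a real setup).
    keytool -gencert -alias DemoCA -infile "$dir/signer.csr" -rfc \
        -outfile "$dir/signer.pem" -ext ku:c=digitalSignature \
        -ext eku=codeSigning -validity 30 \
        -keystore "$ca" -storepass "$pass" || return 1

    # 3. Import the CA root certificate as a trusted entry.
    keytool -importcert -noprompt -alias DemoCARoot \
        -file "$dir/ca.pem" -keystore "$ks" -storepass "$pass" || return 1

    # 4. Import the signed certificate under the key pair's own alias so it
    #    replaces the self-signed one and chains to the imported root.
    keytool -importcert -alias JarSignerDemo -file "$dir/signer.pem" \
        -keystore "$ks" -storepass "$pass" || return 1
}

# A chain length of 2 means the key entry carries signed cert + CA root.
chain_length() {
    keytool -list -v -alias JarSignerDemo -keystore "$1" -storepass "$2" |
        sed -n 's/^Certificate chain length: //p'
}
```

Call `make_signing_keystore ./demo` and then `chain_length ./demo/signer.p12 changeit-demo`; a result of 1 means the entry still holds only the self-signed certificate, which usually indicates the signed certificate was imported under a different alias than the key pair.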