Create Java KeyStore

5min
This section uses Java keytool commands to generate a new key pair on the , create a Certificate Signing Request (CSR), issue a certificate through an internal or external CA, and import the signed certificate and its accompanying CA certificate into a Java KeyStore.
Perform the following tasks to ensure that you can use jarsigner and the signed certificate to sign a JAR file in the next section:
Generate a server key pair and self-signed certificate.
Generate and export a CSR.
Import a CA root certificate.
Import the server certificate signed by the CA.
Because the JDK 8 installation includes keytool, you can run the commands without additional configuration.
1 | Generate a server key pair and self-signed certificate
1
Execute the following command:
-alias sets a name to identify the key pair and certificate to be generated. It can be any name (for example, JarSignerDemo).
Shell
keytool -genkeypair -keyalg RSA -keysize 2048 -alias JarsignerDemo -keystore NONE -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -ext extendedKeyUsage=codeSigning -ext KeyUsage=digitalSignature
keytool -genkeypair -keyalg RSA -keysize 2048 -alias JarsignerDemo -keystore NONE -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -ext extendedKeyUsage=codeSigning -ext KeyUsage=digitalSignature
﻿
2
When prompted, enter the following information for the server certificate you want to generate and enter a new KeyStore password, which all subsequent keytool and jarsigner commands use: 
Text
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
﻿
2 | Generate and export a CSR
1
To generate and export a CSR, run the following command:
Shell
keytool -certreq -alias JarsignerDemo -file example.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -certreq -alias JarsignerDemo -file example.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
3
Send the CSR to a third-party or internal CA to get it signed.
 The CA returns the server certificate and CA certificate for you to import.
3 | Import a CA root certificate
1
To import the CA root certificate, run the following command:
Shell
keytool -import -trustcacerts -alias JarsignerDemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -import -trustcacerts -alias JarsignerDemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
3
When prompted to trust the certificate, enter yes as shown in the following example:
Shell
Trust this certificate?
[no]: yes

Certificate was added to keystore.
Trust this certificate?
[no]: yes

Certificate was added to keystore.
﻿
4 | Import the server certificate signed by CA
1
To import the signed server certificate, run the following command:
Shell
keytool -importcert -alias JarsignerDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -importcert -alias JarsignerDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
If the command was successful, you should see an output similar to the following example:
Shell
Certificate reply was installed in keystore.
Certificate reply was installed in keystore.
﻿
﻿
Updated 19 Sep 2024
Did this page help you?
Edit the Futurex PKCS #11 Configuration File
Jarsigner command examples