Create Java keystore

5min
In this section, you use Java keytool commands to generate a new key pair on the , create a Certificate Signing Request (CSR), issue a certificate through an internal or external CA, and import the signed certificate and accompanying CA certificate into a Java keystore. 
These tasks enable you to use the signed certificate to sign a JAR file by using jarsigner in the next section.
Because the keytool application is part of the JDK 8 installation, you don't need extra configuration to run the commands in this section.
1 | Generate a server key pair and self-signed certificate
Run the following command to generate the key pair and certificate:
The -alias field sets a name to identify the key pair and certificate being generated. It can be any name (such as JarsignerDemo).
Shell
keytool -genkeypair -keyalg RSA -keysize 2048 -alias JarsignerDemo -keystore NONE -storetype
PKCS11 --providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -ext
extendedKeyUsage=codeSigning -ext KeyUsage=digitalSignature
keytool -genkeypair -keyalg RSA -keysize 2048 -alias JarsignerDemo -keystore NONE -storetype
PKCS11 --providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -ext
extendedKeyUsage=codeSigning -ext KeyUsage=digitalSignature
﻿
When you run the preceding command, the keytool application prompts you for information about the server certificate you want to generate, as shown in the following sample: 
Text
Enter the KeyStore password: (The password that you set here will be used in all keytool and jarsigner commands moving forward.)
What is your first and last name?
  [Unknown]:  www.example.com

What is the name of your organizational unit?
  [Unknown]: Engineering

What is the name of your organization?
  [Unknown]:  Futurex

What is the name of your City or Locality?
  [Unknown]:  Bulverde

What is the name of your State or Province?
  [Unknown]:  TX

What is the two-letter country code for this unit?
  [Unknown]:  US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
  [no]:  yes
Enter the KeyStore password: (The password that you set here will be used in all keytool and jarsigner commands moving forward.)
What is your first and last name?
  [Unknown]:  www.example.com

What is the name of your organizational unit?
  [Unknown]: Engineering

What is the name of your organization?
  [Unknown]:  Futurex

What is the name of your City or Locality?
  [Unknown]:  Bulverde

What is the name of your State or Province?
  [Unknown]:  TX

What is the two-letter country code for this unit?
  [Unknown]:  US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
  [no]:  yes
﻿
2 | Generate and export a CSR
1
Execute the following command:
Shell
keytool -certreq -alias JarsignerDemo -file example.csr -keystore NONE -storetype PKCS11 -providername "Futurex" -providerclass "fx.security.pkcs11.SunPKCS11"
keytool -certreq -alias JarsignerDemo -file example.csr -keystore NONE -storetype PKCS11 -providername "Futurex" -providerclass "fx.security.pkcs11.SunPKCS11"
﻿
2
Enter the keystore password.
3
Use either a third party or internal CA to sign the CSR.
3| Import the CA Root certificate
Run the following command to import the certificate:
1
Shell
keytool -import -trustcacerts -alias JarsignerDemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providername "Futurex" -providerclass "fx.security.pkcs11.SunPKCS11"
keytool -import -trustcacerts -alias JarsignerDemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providername "Futurex" -providerclass "fx.security.pkcs11.SunPKCS11"
﻿
Shell
Enter KeyStore password:

Trust this certificate?
   [no]: yes

Certificate was added to KeyStore
Enter KeyStore password:

Trust this certificate?
   [no]: yes

Certificate was added to KeyStore
﻿
4 | Import the certificate signed by CA
Run the following command to import the signed certificate:
1
Shell
keytool -importcert -alias JarsignerDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providername "Futurex" -providerclass "fx.security.pkcs11.SunPKCS11"
keytool -importcert -alias JarsignerDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providername "Futurex" -providerclass "fx.security.pkcs11.SunPKCS11"
﻿
Shell
Enter the KeyStore password: 

Certificate reply was installed in KeyStore.
Enter the KeyStore password: 

Certificate reply was installed in KeyStore.
﻿
﻿
﻿
﻿
﻿
﻿
﻿
Updated 29 Aug 2024
Did this page help you?
Edit the Futurex PKCS #11 configuration file
Use the jarsigner command