To Create a CSR with keytool and Generate a SignedCertificate for the Certificate Signing Request
Perform the following operations from the command line.
Generate the Certificate Signing Request.
Generate a signed certificate for the associated Certificate SigningRequest.
Use the keytool to import the CA certificate into the client keystore.
Use the keytool to import the signed certificate for the associatedclient alias in the keystore.
Caution –The following error will be generated if there is no certificatechain in the client certificate.
This error is because the CA’s certificate was not imported intothe KeyStore first. You must import theCA's certificate (step 4), then import the client.cer file itself to forma certificate chain (step 5).
Now that we have a private key and an associating certificate chainin the KeyStore clientkeystore, we canuse it as a KeyStore for client (adapter)authentication. The only warning is that the CA certificate must be importedinto the trusted certificate store of the web server to which you will beconnecting. Moreover, the web server must be configured for client authentication(httpd.conf for Apache, for example).
While we create a Java keystore, we will first create the.jks file that will initially only contain the private key using the keytool utility. 1 keytool -genkey -keystore keystore.jks -alias ssl.
Keytool Create Jks
- Using the Java keytool program, run the following commands Export the.der file keytool -export -alias sample -file sample.der -keystore my.jks Convert the.der file to unencrypted PEM (crt file).
- The default is domain-dir/config. Generate the certificate in the keystore file, keystore.jks,using the following command format: keytool -genkey -alias keyAlias-keyalg RSA -keypass changeit -storepass changeitkeystore keystore.jks. Use any unique name as your keyAlias.