So, here is a simple walkthrough on how to create your keystore containing your private key, your signed certificate, and the certificate of the CA that signed your certificate.

REM “Step 1: Create your store and your private/public key pair” keytool -genkey -dname “cn=myhost,c=mycompany” -alias myhost -keypass z0Ld6#MdeR -validity 365 -keystore mykeystore.jks -storepass kru6+Qb76_ REM “Step 2: Create a Certificate Signing Request (CSR)” keytool -certreq -alias myhost -file myhost.csr -keypass z0Ld6#MdeR -keystore mykeystore.jks -storepass kru6+Qb76_ REM “Step 3: Import CA certificate into keystore, and make it trusted” keytool -import -alias myCA -file c:\myca.cer -keystore mykeystore.jks -storepass kru6+Qb76_ REM “Step 4: import my signed personal certificate” keytool -import -file c:\myhost.cer -keystore mykeystore.jks -storepass kru6+Qb76_ REM “Step 5: list and verify certificates” keytool -list -keystore mykeystore.jks -storepass kru6+Qb76_

Comments:

• If you shall use the certificate for securing browser communication using SSL, make sure the common name (CN) is the fully qualified hostname of your server, e.g. myhost.domain.com.
• When it comes to choosing key length, use www.keylength.com as reference.
• Between step 2 and 3 above, you have to have the certificate signed by a certificate authority like VeriSign. Alternatively, you can set up your own CA in your company using OpenSSL or Windows Certificate Services
• Please do not use the same passwords as shown above. That would not be very wise…