The Java keystore is powerful, yet not very user-friendly. While the Java documentation provides an OK reference on keystore commands, there are not many comprehensive examples out there.
So, here is a simple walkthrough on how to create your keystore containing your private key, your signed certificate, and the certificate of the CA that signed your certificate.
REM “Step 1: Create your store and your private/public key pair”
keytool -genkey -dname “cn=myhost,c=mycompany” -alias myhost -keypass z0Ld6#MdeR -validity 365 -keystore mykeystore.jks -storepass kru6+Qb76_
REM “Step 2: Create a Certificate Signing Request (CSR)”
keytool -certreq -alias myhost -file myhost.csr -keypass z0Ld6#MdeR -keystore mykeystore.jks -storepass kru6+Qb76_
REM “Step 3: Import CA certificate into keystore, and make it trusted”
keytool -import -alias myCA -file c:myca.cer -keystore mykeystore.jks -storepass kru6+Qb76_
REM “Step 4: import my signed personal certificate”
keytool -import -file c:myhost.cer -keystore mykeystore.jks -storepass kru6+Qb76_
REM “Step 5: list and verify certificates”
keytool -list -keystore mykeystore.jks -storepass kru6+Qb76_
- If you shall use the certificate for securing browser communication using SSL, make sure the common name (CN) is the fully qualified hostname of your server, e.g. myhost.domain.com.
- When it comes to choosing key length, use www.keylength.com as reference.
- Between step 2 and 3 above, you have to have the certificate signed by a certificate authority like VeriSign. Alternatively, you can set up your own CA in your company using OpenSSL or Windows Certificate Services
- Please do not use the same passwords as shown above. That would not be very wise…