
Generate a key pair for the server/service. 

$ keytool -genkey -alias server -keyalg RSA -keystore ./Server.jks

alias = name of the keystore alias, for example, server
keystore = name of the keystore, for example, Server.jks
When prompted for first and last name, enter the hostname for which the certificate is valid; the other values can be anything.

Generate a Certificate Signing Request (CSR) so that the server's certificate can be signed by a CA.


$ keytool -certreq -alias server -keystore Server.jks -file Server.csr


Get the certificate signed by the CA, Test CA in this example. See this page on how to set up a CA.


$ openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Server.csr -out Server.cer -days 365

CA, CAkey and CAserial are files generated when setting up the CA.

Import the Test CA's self-signed root certificate into the server keystore as a trusted certificate.

$ keytool -import -alias TestCA -file caroot.cer -keystore Server.jks

Import the server's certificate, signed by Test CA, into the server keystore under the same alias that was used to generate the key pair with -genkey.

$ keytool -import -alias server -file Server.cer -keystore Server.jks
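A check worth running between the signing step and the final import, as an added example that is not part of the original page: it confirms that Server.cer chains to the Test CA and carries the same public key as Server.csr. The function names are hypothetical, the keys and certificates are constructed throwaway fixtures, and openssl stands in for the keytool -genkey and -certreq steps (an assumption, so the script runs without a JDK).

```shell
#!/bin/sh
# Added example. File names follow the page; all keys and certs are throwaway fixtures.

# Succeeds only if server_cert chains to ca_cert and carries the same public key as csr.
check_signed_cert() {
    ca_cert=$1; server_cert=$2; csr=$3
    openssl verify -CAfile "$ca_cert" "$server_cert" >/dev/null 2>&1 || return 1
    cert_key=$(openssl x509 -in "$server_cert" -noout -pubkey | openssl sha256) || return 1
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256) || return 1
    [ "$cert_key" = "$csr_key" ]
}

# Builds constructed fixtures in directory $1. openssl stands in for the
# keytool -genkey / -certreq steps so the demo needs no JDK.
make_fixtures() {
    ( cd "$1" &&
      # Test CA (normally created on the CA set-up page).
      openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out caroot.cer \
          -subj "/CN=Test CA" -days 1 2>/dev/null &&
      echo 01 > serial.txt &&
      # Unrelated CA, used to show a failed chain check.
      openssl req -x509 -newkey rsa:2048 -nodes -keyout otherkey.pem -out other.cer \
          -subj "/CN=Other CA" -days 1 2>/dev/null &&
      # Server key pair and CSR.
      openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out Server.csr \
          -subj "/CN=server.example.test" 2>/dev/null &&
      # Signing step as on the page (1 day instead of 365).
      openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt \
          -req -in Server.csr -out Server.cer -days 1 2>/dev/null
    )
}

demo() {
    dir=$(mktemp -d) || return 1
    make_fixtures "$dir" || { rm -rf "$dir"; return 1; }
    check_signed_cert "$dir/caroot.cer" "$dir/Server.cer" "$dir/Server.csr" \
        && echo "Server.cer: signed by Test CA, key matches CSR"
    check_signed_cert "$dir/other.cer" "$dir/Server.cer" "$dir/Server.csr" \
        || echo "Server.cer: rejected against an unrelated CA"
    rm -rf "$dir"
}

demo
```

Against real files from the steps above, call `check_signed_cert caroot.cer Server.cer Server.csr` before importing Server.cer into the keystore.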



