Creating Server Keystore and Certificate

After generating the CA, the next step is to generate a key pair for the server/service.

  1. Run the following command:

    $ keytool -genkey -alias server -keyalg RSA -keystore ./Server.jks -storetype PKCS12

    alias = name of the key, for example, server
    keystore = name of the keystore, for example, Server.jks

  2. Generate a Certificate Signing Request (CSR) so that the server's certificate can be signed by a CA.

    $ keytool -certreq -alias server -keystore Server.jks -file Server.csr

  3. Get the certificate signed by our CA, Test CA in this example. See Setting Up a Certificate Authority for how to set up a CA.

    $ openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Server.csr -out Server.cer -days 365

  4. Import the Test CA root self-signed certificate into the server keystore as a trusted certificate.

    $ keytool -import -alias TestCA -file caroot.cer -keystore Server.jks

  5. Import the server's certificate, signed by Test CA, into the server keystore using the same alias that was used when generating the key pair with genkey.

    $ keytool -import -alias server -file Server.cer -keystore Server.jks
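The five steps above run end to end as one non-interactive script, as an added example that is not part of the original page; it also creates the Test CA it signs with and then checks that the server entry carries a two-certificate chain. It assumes keytool (JDK) and openssl on PATH, and the password and subject names are constructed placeholders; it uses the current keytool option names -genkeypair and -importcert, for which -genkey and -import are the older aliases.

```shell
#!/bin/sh
# Added example (not from the original page): the five keystore steps run
# non-interactively, plus the Test CA they depend on and a chain check.
# Assumes keytool and openssl on PATH; password and names are placeholders.
set -eu

PASS=changeit   # constructed placeholder password

# Throw-away Test CA (the page's "Setting Up a Certificate Authority" step),
# so that the signing step has a CA key and root certificate to work with.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out caroot.cer \
        -days 365 -subj "/CN=Test CA" >/dev/null 2>&1
    printf '01\n' > serial.txt   # openssl x509 -CAserial needs an existing serial file
}

build_server_keystore() {
    # 1. server key pair; -dname replaces the interactive prompts
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -dname "CN=server.example.test" -keystore Server.jks -storetype PKCS12 \
        -storepass "$PASS" -keypass "$PASS" -validity 365
    # 2. CSR for that key pair
    keytool -certreq -alias server -keystore Server.jks -storepass "$PASS" -file Server.csr
    # 3. sign the CSR with the Test CA
    openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req \
        -in Server.csr -out Server.cer -days 365 >/dev/null 2>&1
    # 4. trust the CA root first, otherwise step 5 cannot validate the reply
    keytool -importcert -alias TestCA -file caroot.cer -keystore Server.jks \
        -storepass "$PASS" -noprompt
    # 5. install the signed certificate under the key pair's own alias
    keytool -importcert -alias server -file Server.cer -keystore Server.jks \
        -storepass "$PASS" -noprompt
}

# Returns 0 when the 'server' entry holds the chain server cert + Test CA root.
verify_chain() {
    keytool -list -v -keystore Server.jks -storepass "$PASS" -alias server \
        | grep -q 'Certificate chain length: 2'
}

run_all() {
    if ! command -v keytool >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
        echo "keytool or openssl not found; nothing to run" >&2
        return 0
    fi
    workdir=$(mktemp -d)
    cd "$workdir"
    make_test_ca
    build_server_keystore
    verify_chain
}
```

Running `run_all` leaves Server.jks, Server.csr and Server.cer in a fresh temporary directory; if step 4 is skipped, step 5 fails with "Failed to establish chain from reply", which is the check keytool performs on an imported certificate reply.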