After generating the CA, the next step is to generate a key pair for the server/service.
Run the following command:
$ keytool -genkey -alias server -keyalg RSA -keystore ./Server.jks -storetype PKCS12

alias    = name of the key entry in the keystore, for example, server
keystore = name of the keystore file, for example, Server.jks
Note!
When prompted for first and last name, the hostname where the certificate is valid should be entered, for example, localhost. Other values can be anything.
Generate a Certificate Signing Request (CSR) so that the server's certificate can be signed by a CA:
$ keytool -certreq -alias server -keystore Server.jks -file Server.csr
Get the certificate signed by the CA, Test CA in this example. See Setting Up a Certificate Authority on how to set up a CA.
$ openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Server.csr -out Server.cer -days 365
Note!
caroot.cer, cakey.pem and serial.txt (the arguments to -CA, -CAkey and -CAserial) are files generated when setting up the CA.

Import the Test CA root self-signed certificate into the server keystore as a trusted certificate:
$ keytool -import -alias TestCA -file caroot.cer -keystore Server.jks

Import the server's certificate signed by Test CA into the server keystore, using the same alias name that was used to generate the key pair during genkey:
$ keytool -import -alias server -file Server.cer -keystore Server.jks