LibraryLink ToToggle FramesPrintFeedback

Use the CA to Create Signed Certificates in a Java Keystore

To create and sign a certificate in a Java keystore (JKS), CertName.jks, perform the following substeps:

If you have not already done so, add the Java bin directory to your path:





This step makes the keytool utility available from the command line.

Open a command prompt and change directory to the directory where you store your keystore files, KeystoreDir. Enter the following command:

keytool -genkey -dname "CN=Alice, OU=Engineering, O=Progress, ST=Co. Dublin, C=IE" -validity 365 -alias CertAlias -keypass CertPassword -keystore CertName.jks -storepass CertPassword

This keytool command, invoked with the -genkey option, generates an X.509 certificate and a matching private key. The certificate and the key are both placed in a key entry in a newly created keystore, CertName.jks. Because the specified keystore, CertName.jks, did not exist prior to issuing the command, keytool implicitly creates a new keystore.

The -dname and -validity flags define the contents of the newly created X.509 certificate, specifying the subject DN and the days before expiration respectively. For more details about DN format, see Appendix A.

Some parts of the subject DN must match the values in the CA certificate (specified in the CA Policy section of the openssl.cnf file). The default openssl.cnf file requires the following entries to match:

  • Country Name (C)

  • State or Province Name (ST)

  • Organization Name (O)


If you do not observe the constraints, the OpenSSL CA will refuse to sign the certificate (see Sign the CSR ).

Create a new certificate signing request (CSR) for the CertName.jks certificate, as follows:

keytool -certreq -alias CertAlias -file CertName_csr.pem -keypass CertPassword -keystore CertName.jks -storepass CertPassword

This command exports a CSR to the file, CertName_csr.pem.

Sign the CSR using your CA, as follows:

openssl ca -config X509CA/openssl.cnf -days 365 -in CertName_csr.pem -out CertName.pem

To sign the certificate successfully, you must enter the CA private key pass phrase (see Set Up Your Own CA).


If you want to sign the CSR using a CA certificate other than the default CA, use the -cert and -keyfile options to specify the CA certificate and its private key file, respectively.

Convert the signed certificate, CertName.pem, to PEM only format, as follows:

openssl x509 -in CertName.pem -out CertName.pem -outform PEM

Concatenate the CA certificate file and CertName.pem certificate file, as follows:


copy CertName.pem + X509CA\ca\new_ca.pem CertName.chain


cat CertName.pem X509CA/ca/new_ca.pem > CertName.chain

Update the keystore, CertName.jks, by importing the full certificate chain for the certificate, as follows:

keytool -import -file CertName.chain -keypass CertPassword -keystore CertName.jks -storepass CertPassword 

Repeat steps 2 through 7, to create a complete set of certificates for your system.