
Use the CA to Create Signed Certificates in a Java Keystore

To create and sign a certificate in a Java keystore (JKS), CertName.jks, perform the following substeps:

If you have not already done so, add the Java bin directory to your path:

Windows

> set PATH=JAVA_HOME\bin;%PATH%

UNIX

% PATH=JAVA_HOME/bin:$PATH; export PATH

This step makes the keytool utility available from the command line.

Open a command prompt and change directory to KeystoreDir. Enter the following command:

keytool -genkey -dname "CN=Alice, OU=Engineering, O=IONA Technologies PLC, ST=Co. Dublin, C=IE" -validity 365 -alias CertAlias -keypass CertPassword -keystore CertName.jks -storepass CertPassword

This keytool command, invoked with the -genkey option, generates an X.509 certificate and a matching private key. The certificate and key are both placed in a key entry in a newly created keystore, CertName.jks. Because the specified keystore, CertName.jks, did not exist before issuing the command, keytool implicitly creates a new keystore.

The -dname and -validity flags define the contents of the newly created X.509 certificate, specifying the subject DN and days before expiration respectively. For more details about DN format, see Appendix A.

Some parts of the subject DN must match the values in the CA certificate (specified in the CA Policy section of the openssl.cnf file). The default openssl.cnf file requires the following entries to match:

  • Country Name (C)

  • State or Province Name (ST)

  • Organization Name (O)

Note

If you do not observe the constraints, the OpenSSL CA will refuse to sign the certificate (see Sign the CSR).
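A pre-check for that constraint, added here as an example and not part of the original procedure: before any key pair is generated, it compares the C, ST and O values of a keytool-style -dname string with the subject DN of the CA certificate, so a DN that the CA would refuse is caught before the keystore exists. The dn_attr and dn_policy_check helpers and the "Demo CA" subject in the usage lines are constructed for this example; DN values containing escaped commas are not handled.

```shell
# Added example, not from the original document. Constructed helpers for
# checking a -dname against the C/ST/O "match" policy of the default openssl.cnf.

# dn_attr DN NAME: print the value of attribute NAME (C, ST, O, OU, CN, ...)
# from a "NAME=value, NAME=value" string; prints nothing if it is absent.
# Values that contain escaped commas are not handled.
dn_attr() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | head -n 1
}

# dn_policy_check REQUEST_DN CA_DN: return 0 when C, ST and O are identical in
# both DNs; otherwise report the first mismatching attribute and return 1.
dn_policy_check() {
  for attr in C ST O; do
    have=$(dn_attr "$1" "$attr")
    want=$(dn_attr "$2" "$attr")
    if [ "$have" != "$want" ]; then
      printf '%s: request has "%s", CA certificate has "%s"\n' "$attr" "$have" "$want"
      return 1
    fi
  done
  return 0
}

# Usage with constructed values: the first DN is the one from the text and
# passes; the second would be refused by openssl ca because ST differs.
CA_DN="CN=Demo CA, O=IONA Technologies PLC, ST=Co. Dublin, C=IE"
dn_policy_check "CN=Alice, OU=Engineering, O=IONA Technologies PLC, ST=Co. Dublin, C=IE" "$CA_DN" \
  && echo "DN acceptable, safe to generate the key pair"
dn_policy_check "CN=Bob, OU=Engineering, O=IONA Technologies PLC, ST=Co. Cork, C=IE" "$CA_DN" \
  || echo "fix the DN before creating the keystore"
```

The check only compares the characters of each value. OpenSSL's match policy also compares the ASN.1 string type of the encoded attribute, so a CA certificate whose subject was encoded as UTF8String can still reject a request that keytool encoded as PrintableString even when this check passes.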

Create a new certificate signing request (CSR) for the CertName.jks certificate:

keytool -certreq -alias CertAlias -file CertName_csr.pem -keypass CertPassword -keystore CertName.jks -storepass CertPassword

This command exports a CSR to the file, CertName_csr.pem.

Sign the CSR using your CA:

openssl ca -config X509CA/openssl.cnf -days 365 -in CertName_csr.pem -out CertName.pem

To sign the certificate successfully, you must enter the CA private key pass phrase (see Set Up Your Own CA).

Note

If you want to sign the CSR using a CA certificate other than the default CA, use the -cert and -keyfile options to specify the CA certificate and its private key file, respectively.

Convert the signed certificate, CertName.pem, to PEM only format:

openssl x509 -in CertName.pem -out CertName.pem -outform PEM

Concatenate the CA certificate file and CertName.pem certificate file, as follows:

Windows

copy CertName.pem + X509CA\ca\new_ca.pem CertName.chain

UNIX

cat CertName.pem X509CA/ca/new_ca.pem > CertName.chain

Update the keystore, CertName.jks, by importing the full certificate chain for the certificate:

keytool -import -alias CertAlias -file CertName.chain -keypass CertPassword -keystore CertName.jks -storepass CertPassword

The -alias option must name the key entry created with -genkey. Without it, keytool uses the default alias, mykey, and imports the file as a separate trusted certificate instead of replacing the key entry's certificate chain.

Repeat steps 2 to 7 (from generating the key pair through importing the certificate chain) for each certificate your system needs, until you have a complete set.
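The whole procedure as one script, added here as an example and not part of the original document: it builds a throwaway CA with the same C, ST and O matching policy as the default openssl.cnf, runs steps 2 to 7 against it, and then verifies the result with openssl verify and keytool -list, a check the text leaves implicit. It assumes keytool and openssl are on the PATH. The CA directory layout, the demo_ca, demo_policy, leaf_ext, ca_ext and req_dn section names, the new_ca_pk.pem key file name, the demo-ca trust alias, the script name and all DN values are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original document: steps 2 to 7 run against a
# throwaway CA, then verified. Assumes keytool and openssl on PATH; the CA
# layout, section names, DN values, alias and password are all constructed.
have_tools() {
  command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

# Minimal CA under $1 whose policy requires C, ST and O of every request to match.
make_demo_ca() {
  ca_dir=$1
  mkdir -p "$ca_dir/ca" "$ca_dir/certs" || return 1
  : > "$ca_dir/index.txt"
  echo 01 > "$ca_dir/serial"
  cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca_dir
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/certs
certificate = \$dir/ca/new_ca.pem
private_key = \$dir/ca/new_ca_pk.pem
default_md = sha256
policy = demo_policy
x509_extensions = leaf_ext
[ demo_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
# keytool encodes DN values as PrintableString and the match policy compares
# the encoding too, so the CA subject must not use the utf8only default mask.
string_mask = pkix
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req_dn ]
EOF
  # Self-signed CA certificate; -nodes leaves this demo key unencrypted.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$ca_dir/openssl.cnf" \
    -subj "/C=IE/ST=Co. Dublin/O=IONA Technologies PLC/CN=Demo CA" \
    -keyout "$ca_dir/ca/new_ca_pk.pem" -out "$ca_dir/ca/new_ca.pem"
}

# Steps 2 to 7 for one certificate. $1 CA dir, $2 work dir, $3 alias, $4 CN, $5 password.
issue_jks_cert() {
  ca_dir=$1; work=$2; alias=$3; cn=$4; pw=$5; ks="$work/$alias.jks"
  # Step 2: key pair plus placeholder self-signed certificate in a new keystore.
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias "$alias" \
    -dname "CN=$cn, OU=Engineering, O=IONA Technologies PLC, ST=Co. Dublin, C=IE" \
    -keypass "$pw" -keystore "$ks" -storepass "$pw" || return 1
  # Step 3: certificate signing request.
  keytool -certreq -alias "$alias" -file "$work/${alias}_csr.pem" \
    -keypass "$pw" -keystore "$ks" -storepass "$pw" || return 1
  # Step 4: sign with the CA; -batch replaces the interactive confirmations.
  openssl ca -batch -config "$ca_dir/openssl.cnf" -days 365 \
    -in "$work/${alias}_csr.pem" -out "$work/${alias}_signed.pem" || return 1
  # Step 5: keep only the PEM block, written to a new file rather than in place.
  openssl x509 -in "$work/${alias}_signed.pem" -out "$work/$alias.pem" -outform PEM || return 1
  # Step 6: chain = end-entity certificate followed by the CA certificate.
  cat "$work/$alias.pem" "$ca_dir/ca/new_ca.pem" > "$work/$alias.chain" || return 1
  # Trusting the CA first avoids keytool's "Install reply anyway?" question.
  keytool -importcert -noprompt -alias demo-ca -file "$ca_dir/ca/new_ca.pem" \
    -keystore "$ks" -storepass "$pw" || return 1
  # Step 7: replace the key entry's chain; -alias must name that key entry.
  keytool -importcert -noprompt -alias "$alias" -file "$work/$alias.chain" \
    -keypass "$pw" -keystore "$ks" -storepass "$pw"
}

# The certificate must chain to the CA and the key entry must now hold two certificates.
verify_issued() {
  ca_dir=$1; work=$2; alias=$3; pw=$4
  openssl verify -CAfile "$ca_dir/ca/new_ca.pem" "$work/$alias.pem" >/dev/null || return 1
  keytool -list -v -alias "$alias" -keystore "$work/$alias.jks" -storepass "$pw" 2>/dev/null |
    grep -q '^Certificate chain length: 2$'
}

# Whole run in a temporary directory; returns 0 only if every step succeeded.
run_demo() {
  work=$(mktemp -d) || return 1
  make_demo_ca "$work/X509CA" &&
    issue_jks_cert "$work/X509CA" "$work" certalias Alice CertPassword &&
    verify_issued "$work/X509CA" "$work" certalias CertPassword
  status=$?
  rm -rf "$work"
  return $status
}

# Usage: sh issue_demo.sh --run
if [ "${1:-}" = "--run" ]; then
  run_demo && echo "certificate issued, chained and verified"
fi
```

Two departures from the commands in the text are deliberate. The CA certificate is imported as a trusted entry before the chain, because keytool asks whether to install a reply whose top certificate it does not yet trust, and the PEM-only certificate is written to a new file name instead of back onto the input file. The string_mask setting is the caveat most likely to bite in practice: keytool encodes DN values as PrintableString, and the match policy in openssl ca compares the ASN.1 encoding as well as the characters, so a CA certificate created with OpenSSL's utf8only default rejects a request whose DN is otherwise identical.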