Menu

Java Keytool - Create Keystore

Jan 21, 2025

Introduction

This article covers the creation of a new Java keystore using Java keytool


Process


You can watch the video below for a tutorial. 
 


Or, you can check the step by step guidelines below. 

  1. Create a new keystore:

    Open a command prompt in the same directory as Java keytool; alternatively, you may specify the full path of keytool in your command. Pay close attention to the alias you specify in this command as it will be needed later on.

    keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048
  2. Generate a CSR based on the new keystore:

    keytool -certreq -alias mydomain -keystore KeyStore.jks -file mydomain.csr
    Answer each question when prompted. Use the chart below to guide you through the process:
     

    Field Example
    First & Last Name Domain Name for SSL Certificates
    Entity Name for Code Signing
    Organizational Unit  Support (Optional, e.g. a department)
    Organization GMO GlobalSign Inc (Entity's Legal Name)
    City / Locality Portsmouth (Full City name)
    State / Province New Hampshire (Full State Name)
    Country Code US (2 Letter Code)


    Confirm or reject the details by typing "Yes" or "No" and pressing Enter

    Press Enter to use the same password as the keystore, alternatively specify a separate password and press enter. 

    You should now have a file called mydomain.csr which can be used to order or reissue a digital certificate from GlobalSign. 

  3. While the order processes, download the root & intermediate certificates for your order. You can identify the correct root & intermediate certificate based on hash algorithm and product type.
  4. Import the root & intermediate certificates into your keystore. Import the root certificate first, followed by the intermediate. Make sure you specify the correct alias of "root" and "intermediate" respectively.

    keytool -import -trustcacerts -alias root -file root.crt -keystore KeyStore.jks
    keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks
  5. Download & import your new certificate

    Download your new certificate; save it as mydomain.crt.

    Use the same alias as the private key so it associates them together. The alias here must match the alias of the private key in the first command.

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore KeyStore.jks

    The keystore is now complete and can be used for signing code or deploying on a Java based web server depending on the product you ordered.

 

Related Articles

Windows Mobile PDA - Install PersonalSign Certificate

Sep 24, 2013, 10:28 AM

This article provides step-by-step instructions for installing your PersonalSign certificate in Windows Mobile PDA. If this is not the solution you are looking for, please search for your solution in the search bar above.

Read More

Installing Your PersonalSign Certificate - Microsoft Outlook 2007

Sep 25, 2019, 11:43 AM

This article provides step-by-step instructions for installing your certificate in Outlook 2007. If this is not the solution you are looking for, please search for your solution in the search bar above.

Read More

Add Timestamping - Microsoft Office 2010, 2013, 2016 & 2019

Jul 10, 2019, 1:01 PM

By default, when a digital signature is placed in Microsoft Office, the timestamp is based on the local computer's time.

Read More

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support