Java Keytool - Create Keystore

Introduction

This article covers the creation of a new Java keystore using Java keytool


Process


You can watch the video below for a tutorial. 
 


Or, you can check the step by step guidelines below. 

1. Create a new keystore:

Open a command prompt in the same directory as Java keytool; alternatively, you may specify the full path of keytool in your command. Pay close attention to the alias you specify in this command as it will be needed later on.

keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048

2. Generate a CSR based on the new keystore:

keytool -certreq -alias mydomain -keystore KeyStore.jks -file mydomain.csr
Answer each question when prompted. Use the chart below to guide you through the process:
 

Field Example
First & Last Name Domain Name for SSL Certificates
Entity Name for Code Signing
Organizational Unit  Support (Optional, e.g. a department)
Organization GMO GlobalSign Inc (Entity's Legal Name)
City / Locality Portsmouth (Full City name)
State / Province New Hampshire (Full State Name)
Country Code US (2 Letter Code)



Confirm or reject the details by typing "Yes" or "No" and pressing Enter

Press Enter to use the same password as the keystore, alternatively specify a separate password and press enter. 

You should now have a file called mydomain.csr which can be used to order or reissue a digital certificate from GlobalSign. 

3. While the order processes, download the root & intermediate certificates for your order. You can identify the correct root & intermediate certificate based on hash algorithm and product type.

4. Import the root & intermediate certificates into your keystore. Import the root certificate first, followed by the intermediate. Make sure you specify the correct alias of "root" and "intermediate" respectively.

keytool -import -trustcacerts -alias root -file root.crt -keystore KeyStore.jks
keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks

5. Download & import your new certificate

Download your new certificate; save it as mydomain.crt.

Use the same alias as the private key so it associates them together. The alias here must match the alias of the private key in the first command.

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore KeyStore.jks

The keystore is now complete and can be used for signing code or deploying on a Java based web server depending on the product you ordered.

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Please click the button below to log in or sign up.

Log In - Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.