How to Generate a Keystore and CSR Using the Keytool Command


Understanding the Flow

  1. Generate a keystore and key pair using keytool -genkeypair.
  2. Generate a CSR from the keystore using keytool -certreq.
  3. Submit the CSR to a Certificate Authority (CA) to get a signed certificate.
  4. Import the CA's root certificate into the keystore using keytool -import.
  5. Import the signed certificate into the keystore using keytool -import.


Steps:

Step 1: Generate a Keystore

  1. Open a Terminal or Command Prompt:

    • Ensure you have Java installed, as the keytool command is part of the Java Development Kit (JDK).
  2. Generate the Keystore:

    • Run the following command to create a new keystore and generate a key pair (public/private key) within it.

    keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore mykeystore.jks -validity 365

    Explanation:

    • -genkeypair: Generates a key pair (public and private key).
    • -alias mykey: An alias for the key pair. This is used to identify the key pair within the keystore.
    • -keyalg RSA: The algorithm to use for the key pair (RSA in this case).
    • -keysize 2048: The size of the key (2048 bits).
    • -keystore mykeystore.jks: The name of the keystore file to create.
    • -validity 365: The validity period (365 days) of the self-signed certificate keytool creates together with the key pair; this placeholder certificate is replaced when the CA-signed certificate is imported in Step 4.
  3. Enter Keystore Password:

    • You will be prompted to enter a password for the keystore. This password is used to protect the keystore file.
  4. Provide Distinguished Name Information:

    • You will be prompted to enter details for the Distinguished Name (DN) of the certificate:
      • What is your first and last name? (Common Name, CN)
      • What is the name of your organizational unit? (Organizational Unit, OU)
      • What is the name of your organization? (Organization, O)
      • What is the name of your City or Locality? (Locality, L)
      • What is the name of your State or Province? (State, ST)
      • What is the two-letter country code for this unit? (Country, C)
  5. Confirm Information:

    • You will be asked to confirm the information you entered. If everything is correct, type yes and press Enter.
  6. Enter Key Password:

    • You will be prompted to enter a password for the key pair. You can press Enter to use the same password as the keystore password.

Step 2: Generate a Certificate Signing Request (CSR)

  1. Generate the CSR:

    • Run the following command to generate a CSR from the keystore.

    keytool -certreq -alias mykey -keystore mykeystore.jks -file mycsr.csr

    Explanation:

    • -certreq: Generates a certificate signing request.
    • -alias mykey: The alias of the key pair for which the CSR is generated.
    • -keystore mykeystore.jks: The keystore that contains the key pair.
    • -file mycsr.csr: The name of the file to which the CSR will be written.
  2. Enter Keystore Password:

    • You will be prompted to enter the keystore password to access the keystore.

Step 3: Submit the CSR to a Certificate Authority (CA)

  1. Submit the CSR:

    • The mycsr.csr file contains the CSR. Submit this file to a Certificate Authority (CA) to request a signed certificate. The CA will verify your information and provide you with a signed certificate.

Step 4: Import the Signed Certificate

  1. Import the CA's Root Certificate:

    • Before importing the signed certificate, you need to import the CA's root certificate into your keystore.

    keytool -import -alias caroot -file caroot.crt -keystore mykeystore.jks

    Explanation:

    • -import: Imports a certificate into the keystore (-import is the older spelling of -importcert; both are accepted).
    • -alias caroot: An alias for the CA root certificate.
    • -file caroot.crt: The file that contains the CA root certificate.
    • -keystore mykeystore.jks: The keystore into which the certificate will be imported.
  2. Import the Signed Certificate:

    • After receiving the signed certificate from the CA, import it into your keystore.

    keytool -import -alias mykey -file mycert.crt -keystore mykeystore.jks

    Explanation:

    • -import: Imports a certificate into the keystore.
    • -alias mykey: The alias of the key pair for which the certificate was issued. It must be the same alias used in Step 1, so that keytool treats the file as a certificate reply for that key pair and replaces the self-signed certificate with the CA-signed one.
    • -file mycert.crt: The file that contains the signed certificate.
    • -keystore mykeystore.jks: The keystore into which the certificate will be imported.
  3. Enter Keystore Password:

    • You will be prompted to enter the keystore password to access the keystore.
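The five steps as one non-interactive script, added here as a worked example; it is not code from the original post. It assumes a JDK keytool on the PATH and stands in for the external CA of Step 3 with a throwaway local CA keystore that signs the CSR with keytool -gencert, so the whole flow can be exercised offline. The passwords, DN fields, file names and the final chain check are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the keytool keystore/CSR flow run
# end to end without prompts. Step 3 is simulated with a local CA keystore.
# Assumed/constructed values: passwords, DN fields, file names.
set -e

# Passwords come from the environment (-storepass:env) instead of appearing on
# the command line, where they would be visible in shell history and `ps`.
export KS_PASS="${KS_PASS:-changeit-demo}"   # constructed demo password
export CA_PASS="${CA_PASS:-ca-demo-pass}"    # constructed demo password

# Steps 1+2: create the keystore and key pair, then write a CSR for it.
# -dname supplies the Distinguished Name that keytool would otherwise prompt for.
generate_keystore_and_csr() {
    keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 \
        -keystore mykeystore.jks -validity 365 \
        -dname "CN=www.example.com,OU=IT,O=Example Corp,L=Springfield,ST=IL,C=US" \
        -storepass:env KS_PASS -keypass:env KS_PASS
    keytool -certreq -alias mykey -keystore mykeystore.jks -file mycsr.csr \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# Step 3 (simulated CA): a self-signed root marked as a CA (bc=ca:true) signs
# the CSR. A real CA would additionally verify that you control the name.
simulate_ca() {
    keytool -genkeypair -alias caroot -keyalg RSA -keysize 2048 \
        -keystore ca.jks -validity 3650 \
        -dname "CN=Demo Root CA,O=Example Corp,C=US" \
        -ext bc:critical=ca:true -ext ku:critical=keyCertSign,cRLSign \
        -storepass:env CA_PASS -keypass:env CA_PASS
    # Export the root certificate in PEM form; this is what the CA hands out.
    keytool -exportcert -alias caroot -keystore ca.jks -rfc -file caroot.crt \
        -storepass:env CA_PASS
    # Sign the CSR; the result is the "signed certificate" of Step 4.
    keytool -gencert -alias caroot -keystore ca.jks -infile mycsr.csr \
        -outfile mycert.crt -rfc -validity 365 \
        -ext ku:critical=digitalSignature,keyEncipherment -ext eku=serverAuth \
        -storepass:env CA_PASS -keypass:env CA_PASS
}

# Step 4: trust the root first, then import the reply under the key alias.
# -noprompt replaces the interactive "Trust this certificate?" question.
import_certificates() {
    keytool -importcert -noprompt -alias caroot -file caroot.crt \
        -keystore mykeystore.jks -storepass:env KS_PASS
    keytool -importcert -noprompt -alias mykey -file mycert.crt \
        -keystore mykeystore.jks -storepass:env KS_PASS -keypass:env KS_PASS
}

# Check: after a successful reply import the key entry carries a chain of two
# certificates (leaf + root). A length of 1 means the self-signed placeholder
# was never replaced, i.e. the reply did not match the key or was not imported.
chain_length() {
    keytool -list -v -alias "$2" -keystore "$1" -storepass:env KS_PASS 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

# Runs everything in a scratch directory (subshell, so the cwd does not leak)
# and prints only the resulting chain length; keytool chatter goes to a log.
run_flow() (
    workdir=$(mktemp -d)
    cd "$workdir"
    generate_keystore_and_csr >keytool.log 2>&1
    simulate_ca >>keytool.log 2>&1
    import_certificates >>keytool.log 2>&1
    echo "artifacts in $workdir" >&2
    chain_length mykeystore.jks mykey
)

case "${1:-}" in
    demo) echo "certificate chain length for mykey: $(run_flow)" ;;
esac
```

Run it with `sh keytool_flow.sh demo`; a chain length of 2 confirms the import succeeded. Two caveats worth keeping in mind with a real CA: the reply often chains through one or more intermediate certificates, which must be imported (or be included in the reply) before the leaf can be installed, and the CN you type at the "first and last name" prompt should be the host name the server will present, or the name should be given as a Subject Alternative Name with `-ext san=dns:...`. Also note that recent JDKs create a PKCS12 file even when the name ends in .jks, and a PKCS12 store does not support a key password different from the store password.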
