Java keystore – certificate request and self-sign with openssl

Generate a private key

openssl genrsa -aes256 -out demo.key.pem 2048 

Generate a certificate request
Use the private key to generate a certificate signing request (CSR). The CSR details can be whatever you wish, but they must not exactly match those of the root CA. For web server certificates, the Common Name must be a fully qualified domain name, whereas for client certificates it can be any unique identifier (e.g., an e-mail address). Note that the Common Name cannot be the same as that of the root certificate.

openssl req -config config/openssl.cnf -key demo.key.pem -new -sha256 -out demo.csr.pem

Sign the certificate

openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -in demo.csr.pem -out demo.cert.pem -days 900 -CAcreateserial

Create a fullchain certificate
The new certificate will only be trusted if the root CA is also trusted. Some applications require the CA certificate to be imported before the new certificate. Others require the CA certificate to be appended to the new certificate.

cat demo.cert.pem config/ca/certs/ca.cert.pem > demo.cert.fullchain.pem

Create a .p12 keystore with openssl.

openssl pkcs12 -export -in demo.cert.fullchain.pem -inkey demo.key.pem -out demo.keystore.p12 -name DEMO

Convert from a .p12 to a Java keystore (.jks)

keytool -importkeystore -srckeystore demo.keystore.p12 -srcstoretype PKCS12 -destkeystore application.keystore.jks -alias DEMO

Import the CA certificate in the keystore

keytool -import -alias ROOT -keystore application.keystore.jks -trustcacerts -file ca.cert.pem
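
A mistake in any of the openssl steps above (wrong key, wrong CA, wrong alias) usually only surfaces later, when keytool or the server rejects the keystore. The script below is an added example, not part of the original post: it runs the same openssl steps non-interactively against a throwaway CA and checks that the certificate matches the private key, chains to the CA, and that the .p12 carries the DEMO alias. The function names, subject names, passphrases and the use of the default openssl configuration are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. The CA, subject names and
# passphrases (keypass / storepass) are constructed throwaway values.

# Run the post's openssl steps non-interactively inside directory $1.
# A throwaway root CA stands in for the post's ca.key.pem / ca.cert.pem.
make_demo() (
  cd "$1" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout ca.key.pem -out ca.cert.pem 2>/dev/null &&
  openssl genrsa -aes256 -passout pass:keypass -out demo.key.pem 2048 2>/dev/null &&
  openssl req -new -sha256 -key demo.key.pem -passin pass:keypass \
    -subj "/CN=demo.example.test" -out demo.csr.pem &&
  openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
    -in demo.csr.pem -out demo.cert.pem -days 900 2>/dev/null &&
  cat demo.cert.pem ca.cert.pem > demo.cert.fullchain.pem &&
  openssl pkcs12 -export -in demo.cert.fullchain.pem -inkey demo.key.pem \
    -passin pass:keypass -out demo.keystore.p12 -name DEMO -passout pass:storepass
)

# Print a SHA-256 digest of the public key held in a private key or certificate.
# Prints nothing and fails if the file cannot be read (e.g. wrong passphrase).
pubkey_hash() {  # $1 = key|cert, $2 = file, $3 = passphrase (key only)
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
  esac
  [ -n "$pub" ] && printf '%s\n' "$pub" | openssl dgst -sha256
}

# Return 0 and print "ok" only if all three checks pass.
check_bundle() {  # $1 = directory, $2 = key passphrase, $3 = keystore password
  k=$(pubkey_hash key "$1/demo.key.pem" "$2") &&
    c=$(pubkey_hash cert "$1/demo.cert.pem") && [ "$k" = "$c" ] ||
    { echo "certificate does not match private key"; return 1; }
  openssl verify -CAfile "$1/ca.cert.pem" "$1/demo.cert.pem" >/dev/null 2>&1 ||
    { echo "certificate does not chain to the CA"; return 2; }
  # The PKCS#12 friendlyName is what keytool -importkeystore sees as the alias.
  openssl pkcs12 -in "$1/demo.keystore.p12" -passin "pass:$3" -nokeys 2>/dev/null |
    grep -q 'friendlyName: DEMO' ||
    { echo "keystore unreadable or alias DEMO missing"; return 3; }
  echo ok
}

# Stand-alone run in a scratch directory.
d=$(mktemp -d) && make_demo "$d" && check_bundle "$d" keypass storepass
rm -rf "$d"
```

To check real files, call check_bundle on the directory that holds demo.key.pem, demo.cert.pem, ca.cert.pem and demo.keystore.p12, with your own passphrases.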

Java keytool – create keystore


1. Create a new keystore:

Open a command prompt in the same directory as Java keytool; alternatively, you may specify the full path of keytool in your command. Pay close attention to the alias you specify in this command as it will be needed later on.

keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048

2. Generate a CSR based on the new keystore:

keytool -certreq -alias mydomain -keystore KeyStore.jks -file mydomain.csr

Answer each question when prompted. Use the chart below to guide you through the process:

Field: Example
First & Last Name: Domain Name for SSL Certificates, or Entity Name for Code Signing
Organizational Unit: Support (Optional, e.g. a department)
Organization: GMO GlobalSign Inc (Entity’s Legal Name)
City / Locality: Portsmouth (Full City name)
State / Province: New Hampshire (Full State Name)
Country Code: US (2 Letter Code)

Confirm or reject the details by typing “Yes” or “No” and pressing Enter.

Press Enter to use the same password as the keystore, or specify a separate password and press Enter.

You should now have a file called mydomain.csr which can be used to order or reissue a digital certificate from GlobalSign.

3. While the order processes, download the root & intermediate certificates for your order. You can identify the correct root & intermediate certificate based on hash algorithm and product type.

4. Import the root & intermediate certificates into your keystore. Import the root certificate first, followed by the intermediate. Make sure you specify the correct alias of “root” and “intermediate” respectively.

keytool -import -trustcacerts -alias root -file root.crt -keystore KeyStore.jks
keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks

5. Download & import your new certificate

Download your new certificate; save it as mydomain.crt.

Use the same alias as the private key so it associates them together. The alias here must match the alias of the private key in the first command.

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore KeyStore.jks

The keystore is now complete and can be used for signing code or deploying on a Java based web server depending on the product you ordered.

To load an existing certificate into a keystore, first create a .p12 with openssl, then convert it to .jks using keytool:

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name [some-alias] -CAfile ca.crt -caname root
keytool -importkeystore -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias [some-alias]