- storepass -> used for access to the key store for adding/viewing trust relationships
- keypass -> used for creating and signing keys/certs
To create a new keystore with a new private key and a self-signed certificate:
keytool -genkey -keyalg RSA -alias webserver -keystore keystore.jks -storepass changeit -keypass changeit -validity 365 -keysize 2048

Enter the FQDN instead of your first and last name:

What is your first and last name?
 [Unknown]: my.webserver.com

Answer the rest of the questions normally.
To export the certificate, so it can be imported as a root certificate on other systems:
keytool -exportcert -keystore keystore.jks -alias webserver -file webserver.crt

Add -rfc to get the readable version.
The public store can be shared, as it does not contain the private key. Other Java applications can use this store to validate signed messages.

keytool -importcert -file webserver.crt -keystore publicstore.jks -alias webserver

To create a certificate signing request:

keytool -certreq -keyalg RSA -alias webserver -file webserver.req -keystore keystore.jks

After the request is signed, import the root certificate first:
keytool -import -trustcacerts -alias root -file root_certificate_file -keystore keystore.jks

In case of intermediate certificates, import them too (replace # with a number):
keytool -import -trustcacerts -alias inter# -file intermediate_certificate_file -keystore keystore.jks

Now import the signed certificate:
keytool -import -alias webserver -file webserver.crt -keystore keystore.jks

Because the same alias is used, this overwrites the self-signed certificate.
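
The statement above that the public store holds no private key can be checked from `keytool -list` output before the store is handed out, along with whether its certificate is the same one as in the private keystore. This is an added example, not part of the original page; the function names and the sample listings (including the fingerprints) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page: audit `keytool -list` output
# before distributing a store. Function names and sample listings are constructed.

# Print "alias<TAB>entry-type" for every entry line in a listing read from stdin.
entries() {
    awk '/, (PrivateKeyEntry|SecretKeyEntry|trustedCertEntry), *$/ {
        alias = $0; sub(/, .*/, "", alias)      # keep the text before the first comma
        type = $0; sub(/, *$/, "", type); sub(/.*, /, "", type)
        print alias "\t" type
    }'
}

# Succeed only if the listing has entries and every one is a trustedCertEntry.
safe_to_share() {
    entries | awk -F'\t' '$2 != "trustedCertEntry" { bad = 1 }
                          END { exit (NR == 0 || bad) }'
}

# Print the fingerprint listed directly under alias $1 (listing on stdin).
fingerprint_of() {
    awk -v a="$1" 'index($0, a ", ") == 1 { hit = 1; next }
                   hit && /^Certificate fingerprint/ { print $NF; exit }
                   { hit = 0 }'
}

# Succeed if alias $1 has the same non-empty fingerprint in listings $2 and $3.
same_cert() {
    a=$(printf '%s\n' "$2" | fingerprint_of "$1")
    b=$(printf '%s\n' "$3" | fingerprint_of "$1")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed listings in the shape `keytool -list` prints (fingerprints made up).
KEYSTORE_LISTING='Your keystore contains 1 entry

webserver, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 3A:1F:9C:00:AA:BB'
PUBLICSTORE_LISTING='Your keystore contains 1 entry

webserver, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 3A:1F:9C:00:AA:BB'

printf '%s\n' "$PUBLICSTORE_LISTING" | safe_to_share && echo "publicstore.jks: certificates only"
printf '%s\n' "$KEYSTORE_LISTING" | safe_to_share || echo "keystore.jks: holds a private key, keep it local"
same_cert webserver "$KEYSTORE_LISTING" "$PUBLICSTORE_LISTING" && echo "webserver: fingerprints match"
# Real use: keytool -list -keystore publicstore.jks -storepass changeit | safe_to_share
```
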