Last updated on February 21st, 2022 at 08:34 am

Create a self-signed certificate using keytool. Keytool is the key and certificate management tool that ships with the JDK; it manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates. In this tutorial you will see how to create a self-signed certificate using keytool.

More information: ORACLE REFERENCE

This tutorial gives step-by-step information on the commands used to create a self-signed certificate.

Initially we are going to create a keystore named server.keystore. Note that it is recommended to keep the key password (-keypass) and the keystore password (-storepass) the same: many servers, and PKCS12 keystores in general, only support a single password. [Here I am using changeit as the password and a validity of 10 years (3650 days).] Two caveats before you copy the command: -genkey is the old name of -genkeypair, and older JDKs default to a 1024-bit RSA key, so in practice pass -keysize 2048 -sigalg SHA256withRSA explicitly rather than relying on the JDK's defaults. Modern TLS clients also match the host name against a Subject Alternative Name extension (-ext SAN=dns:yourhost), not the CN prompted for below.

# keytool -genkey -alias TestKey -keypass changeit -keyalg RSA -keystore server.keystore -validity 3650
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Mistonline
What is the name of your organizational unit?
  [Unknown]:  Tutorials
What is the name of your organization?
  [Unknown]:  Team
What is the name of your City or Locality?
  [Unknown]:  New Jersey
What is the name of your State or Province?
  [Unknown]:  New Jersey
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Mistonline, OU=Tutorials, O=Team, L=New Jersey, ST=New Jersey, C=US correct?
  [no]:  yes


Now list the keystore. The fingerprint in the transcript below contains non-hex characters, so treat it as an illustration rather than a real digest; this JDK printed MD5 fingerprints, while recent JDKs print SHA-256.

# keytool -list -keystore server.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

TestKey, Apr 15, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 1C:11:2F:8G:1C:TT:C1:1C:11:2F:8G:1C:TT:C1:EE:1C


The next step is to export the certificate of the TestKey entry to a file named server.crt. Only the public certificate is written; the private key never leaves the keystore.

# keytool -export -alias TestKey -keypass changeit -file server.crt -keystore server.keystore
Enter keystore password:
Certificate stored in file <server.crt>


Once exported, import the certificate again into the keystore under the alias TestCert. keytool will warn that the same certificate already exists under the alias TestKey; answer 'yes' to add it anyway. In a real deployment a self-signed certificate is imported into the client's truststore (a separate truststore file, or the JDK's cacerts), not back into the server keystore that already holds its private key; re-importing it here only shows what a trustedCertEntry looks like.

# keytool -import -alias TestCert -keypass changeit -file server.crt -keystore server.keystore
Enter keystore password:
Certificate already exists in keystore under alias <TestKey>
Do you still want to add it? [no]:  yes
Certificate was added to keystore


Now list the keystore again; you should see an additional entry of type trustedCertEntry with the alias TestCert alongside the original PrivateKeyEntry. Both show the same fingerprint because they contain the same certificate.

# keytool -list -keystore server.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

TestCert, Apr 15, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 1C:11:2F:8G:1C:TT:C1:1C:11:2F:8G:1C:TT:C1:EE:1C
TestKey, Apr 15, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 1C:11:2F:8G:1C:TT:C1:1C:11:2F:8G:1C:TT:C1:EE:1C
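The whole procedure above, scripted non-interactively, as an added example that is not part of the original tutorial. It generates the key pair with explicit key size, signature algorithm and SAN, exports the certificate, imports it into a separate client truststore rather than back into the server keystore, and reads the entry types and fingerprints back from keytool -list. The file names, alias names, the SAN values localhost/127.0.0.1, the PKCS12 store type and the password changeit are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the keytool workflow
# (generate key pair -> export certificate -> import as trusted cert -> verify)
# scripted without prompts. File names, alias names, SAN values and the
# password "changeit" are assumptions for this demo; change them for real use.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/server.keystore"      # holds the private key + certificate
TRUSTSTORE="$WORKDIR/client.truststore"  # holds only the trusted certificate
CERT="$WORKDIR/server.crt"
STOREPASS="${STOREPASS:-changeit}"
DNAME="CN=Mistonline, OU=Tutorials, O=Team, L=New Jersey, ST=New Jersey, C=US"

# Step 1: generate the key pair and self-signed certificate.
# -genkeypair is the current name of -genkey; -keysize/-sigalg are explicit so
# the result does not depend on the JDK's defaults; -ext SAN carries the names
# TLS clients match against; -dname and the password flags replace the prompts;
# PKCS12 requires keypass == storepass, which the tutorial recommends anyway.
gen_keypair() {
    keytool -genkeypair -alias TestKey \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 \
        -dname "$DNAME" -ext "SAN=dns:localhost,ip:127.0.0.1" \
        -storetype PKCS12 -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: export only the certificate as PEM; the private key stays put.
export_cert() {
    keytool -exportcert -alias TestKey -rfc -file "$CERT" \
        -storetype PKCS12 -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 3: import the certificate into a separate truststore, which is what a
# client that must trust this self-signed server would use.
# -noprompt replaces the interactive "Trust this certificate? [no]:" question.
import_cert() {
    keytool -importcert -alias TestCert -file "$CERT" -noprompt \
        -storetype PKCS12 -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Step 4 helpers: read back what "keytool -list" reports for one alias.
# entry_type prints "PrivateKeyEntry" or "trustedCertEntry";
# fingerprint prints the colon-separated digest (SHA-256 on current JDKs).
entry_type() {   # $1 = keystore file, $2 = alias
    keytool -list -alias "$2" -storetype PKCS12 -keystore "$1" \
        -storepass "$STOREPASS" | grep -o '[A-Za-z]*Entry' | head -n 1
}
fingerprint() {  # $1 = keystore file, $2 = alias
    keytool -list -alias "$2" -storetype PKCS12 -keystore "$1" \
        -storepass "$STOREPASS" | sed -n 's/.*fingerprint ([^)]*): *//p' | head -n 1
}

run_demo() {
    rm -f "$KEYSTORE" "$TRUSTSTORE" "$CERT"   # make the demo repeatable
    gen_keypair
    export_cert
    import_cert
    # Show the certificate as a client would see it (subject, validity, SAN).
    keytool -printcert -file "$CERT"
    echo "keystore   TestKey : $(entry_type "$KEYSTORE" TestKey) $(fingerprint "$KEYSTORE" TestKey)"
    echo "truststore TestCert: $(entry_type "$TRUSTSTORE" TestCert) $(fingerprint "$TRUSTSTORE" TestCert)"
}

if command -v keytool >/dev/null 2>&1; then
    run_demo
else
    echo "keytool not found: install a JDK and put its bin directory on PATH" >&2
fi
```

Run it with a JDK on the PATH; the two final lines should report PrivateKeyEntry for the keystore and trustedCertEntry for the truststore with identical fingerprints, which is the same check the manual -list step above performs by eye. The point of the separate truststore is that the server keystore (private key) and the client's trust anchors (certificate only) are different artifacts with different protection requirements.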
