Creating a keystore and self-signed X.509 certificate for TLS/SSL using the keytool utility provided by Java
Environment
- Java application that needs SSL/TLS certificates. For example:
- Red Hat JBoss Enterprise Application Platform 5.x
- Red Hat JBoss Enterprise Application Platform 6.x
- Apache Tomcat
Issue
- How to create a keystore and self-signed certificate.
Resolution
This knowledge article covers creating a self-signed certificate. Self-signed certificates are not trusted by clients unless the client specifically adds an exemption for the certificate or imports it into its trust store (for example, a browser's certificate storage). Even then, some browsers will still flag the connection as insecure. For most production uses, you will want a certificate signed by a certificate authority (CA).
1a. GENERATING A KEYSTORE:
keytool -genkey -v -alias mykey -keystore identity.jks -keyalg RSA -keysize 2048 -dname "CN=mydomain.com, OU=organization_unit, O=organisation, ST=State, C=IN" -validity 365
Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 365 days for:
CN=mydomain.com, OU=organization_unit, O=organisation, ST=State, C=IN
(Storing identity.jks)
1b. Export the self-signed certificate:
keytool -export -v -alias mykey -keystore identity.jks -file mycert.cer
Certificate stored in file "mycert.cer"
1c. Check the created self-signed certificate:
keytool -printcert -file mycert.cer
Owner: CN=mydomain.com, OU=organization_unit, O=organisation, ST=State, C=IN
Issuer: CN=mydomain.com, OU=organization_unit, O=organisation, ST=State, C=IN
Serial number: 5051ae55
Valid from: Thu Sep 13 15:28:45 IST 2012 until: Fri Sep 13 15:28:45 IST 2013
Certificate fingerprints:
MD5: E4:06:80:96:A9:96:5B:47:D6:06:5C:54:02:7C:BA:EF
SHA1: 72:BF:45:3F:60:E8:0C:A4:30:9C:A8:B7:05:FB:8A:76:B0:B5:B0:00
Signature algorithm name: SHA1withRSA
Version: 3
1d. List the created keystore (for verification only; this step is not mandatory):
keytool -list -keystore identity.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Sep 13, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): E4:06:80:96:A9:96:5B:47:D6:06:5C:54:02:7C:BA:EF
keytool -list -keystore identity.jks -v
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: mykey
Creation date: Sep 13, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mydomain.com, OU=organization_unit, O=organisation, ST=State, C=IN
Issuer: CN=mydomain.com, OU=organization_unit, O=organisation, ST=State, C=IN
Serial number: 5051ae55
Valid from: Thu Sep 13 15:28:45 IST 2012 until: Fri Sep 13 15:28:45 IST 2013
Certificate fingerprints:
MD5: E4:06:80:96:A9:96:5B:47:D6:06:5C:54:02:7C:BA:EF
SHA1: 72:BF:45:3F:60:E8:0C:A4:30:9C:A8:B7:05:FB:8A:76:B0:B5:B0:00
Signature algorithm name: SHA1withRSA
Version: 3
1e. Observe that the certificate details (owner, issuer, serial number, validity period and fingerprints) printed by the two commands below are the same:
"keytool -printcert -file mycert.cer" and "keytool -list -keystore identity.jks"
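The same procedure (steps 1a to 1e) as an added, non-interactive script that is not part of the original article. It keeps the article's alias, file names and distinguished name, but assumes keytool is on PATH, uses a constructed placeholder keystore password, and replaces the SHA1withRSA default shown above with SHA-256 plus a subject alternative name. The final function turns the "observe by eye" check of step 1e into a fingerprint comparison.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes keytool is on PATH.
# KS_PASS is a constructed placeholder; replace it with your own password.
set -eu

KS_FILE="${KS_FILE:-identity.jks}"
CERT_FILE="${CERT_FILE:-mycert.cer}"
KS_PASS="${KS_PASS:-changeit-example}"
ALIAS="mykey"
DNAME="CN=mydomain.com, OU=organization_unit, O=organisation, ST=State, C=IN"

# 1a: generate the key pair and self-signed certificate without prompts.
# -sigalg SHA256withRSA avoids the SHA1withRSA signature shown in the article;
# -ext SAN adds the subject alternative name that modern clients match on
# instead of CN. Java 9+ defaults to a PKCS12 keystore rather than JKS.
gen_keystore() {
    rm -f "$KS_FILE"
    keytool -genkeypair -alias "$ALIAS" -keystore "$KS_FILE" \
        -storepass "$KS_PASS" -keypass "$KS_PASS" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "$DNAME" -ext "SAN=dns:mydomain.com" -validity 365
}

# 1b: export the certificate in DER form, as in the article.
export_cert() {
    keytool -exportcert -alias "$ALIAS" -keystore "$KS_FILE" \
        -storepass "$KS_PASS" -file "$CERT_FILE"
}

# Pull the SHA-256 fingerprint line out of keytool's output.
sha256_of() { sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1; }

# 1c / 1d: fingerprint of the exported file and of the keystore entry.
cert_fingerprint() { keytool -printcert -file "$CERT_FILE" | sha256_of; }
keystore_fingerprint() {
    keytool -list -v -keystore "$KS_FILE" -storepass "$KS_PASS" | sha256_of
}

# 1e: succeed only when both sources report the same, non-empty fingerprint.
verify_match() {
    a=$(cert_fingerprint); b=$(keystore_fingerprint)
    echo "cert:     $a"
    echo "keystore: $b"
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Run it in an empty directory (gen_keystore, export_cert, then verify_match); a non-zero exit from verify_match means the exported file does not correspond to the keystore entry.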
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.