
Generating a Private Key and a Keystore

{{#eclipseproject:technology.higgins}}

1. To generate a keystore, you need a JDK installed with its /bin directory in your path.

2. Create a keystore using this command:

 keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

keytool will ask you to enter the values for Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State (S) and Country (C). The CN should match the domain name of your webapp if you are planning to use this keystore for your servlet container.

You can verify keystore contents using this command:

 keytool -list -v -keystore keystore.jks

3. Generate the Certificate Signing Request (CSR) using this command:

 keytool -certreq -v -alias tomcat -file csr-for-myserver.pem -keystore keystore.jks

Submit the contents of the csr-for-myserver.pem file to your CA for signing.

You can get a trial certificate from Thawte at

4. Save the signed certificate from the CA to a file named signed-cert.pem.

You can see the contents of the signed certificate using this command:

 keytool -printcert -v -file signed-cert.pem

5. Download the Root Certificate from your CA. You can download the Thawte Test Root Certificate from

6. Import the Root Certificate into the keystore using this command:

 keytool -import -v -noprompt -trustcacerts -alias cacert -file root-cert.pem -keystore keystore.jks

where root-cert.pem is the Root Certificate from the CA.

7. Verify the contents of the keystore using this command:

 keytool -list -v -keystore keystore.jks

8. Import the CA-signed certificate into the keystore (the alias must be the same one used in step 2, so the certificate is attached to the private key rather than stored as a separate trusted entry):

 keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks

9. Verify the contents of the keystore using this command:

 keytool -list -v -keystore keystore.jks

The most important thing to check is that, under the private key alias, additional information is now displayed: the entry type should be PrivateKeyEntry and the chain should contain both your signed certificate and the CA root. You're looking for this:

 Certificate chain length: 2
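As an added example (not part of the original wiki text), the POSIX shell functions below extract the chain length recorded under a given alias from `keytool -list -v` output, so the step 9 check can be scripted rather than eyeballed. The listing embedded in the script is a constructed sample, not output captured from a real keystore; the alias and file names are the ones assumed by the steps above.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -v` output (not captured from a real keystore).
# It mirrors what step 9 should show once the root and the signed cert are imported.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: cacert
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Owner: CN=Example Test Root CA, O=Example, C=US
Issuer: CN=Example Test Root CA, O=Example, C=US


*******************************************
*******************************************


Alias name: tomcat
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, OU=Dev, O=Example, L=City, ST=State, C=US
Issuer: CN=Example Test Root CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Test Root CA, O=Example, C=US
Issuer: CN=Example Test Root CA, O=Example, C=US
'

# chain_length ALIAS   (reads a `keytool -list -v` listing on stdin)
# Prints the "Certificate chain length" recorded under ALIAS, or 0 when the alias is
# absent or is a trustedCertEntry (those entries carry no chain-length line).
chain_length() {
    awk -v alias="$1" '
        /^Alias name: /                                   { current = substr($0, 13) }
        current == alias && /^Certificate chain length: / { print $4; found = 1 }
        END                                               { if (!found) print 0 }
    '
}

# check_chain ALIAS EXPECTED   (listing on stdin): succeeds only if the length matches.
# A length of 1 after step 8 means the root was not recognised as the issuer, so the
# server would present an incomplete chain to clients.
check_chain() {
    [ "$(chain_length "$1")" = "$2" ]
}

# Real-world usage (assumes the keystore.jks built in the steps above):
#   keytool -list -v -keystore keystore.jks | check_chain tomcat 2 && echo "chain OK"
```

The awk script keeps track of the alias header it last saw, so a `Certificate chain length:` line is attributed to the correct entry even when the keystore holds several private keys.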

How to import existing .key and .crt into .jks

Assume you have an existing .key (private key) and .crt (certificate) from your Apache configuration.

You do this:

1. Convert the private key into unencrypted PKCS#8 DER format:

 openssl pkcs8 -topk8 -nocrypt -outform der -in /etc/httpd/conf/ssl.key/server.key -out tmpfile

2. Since the stupid Java keytool doesn't allow you to import private keys, you download this tool:

3. Now you can import the key and its certificate into the Java Keystore:

 java ImportKey tmpfile /etc/httpd/conf/ssl.crt/server.crt

4. Now you have the Java Keystore:


5. Delete the tmpfile, since it holds the private key unencrypted:

 rm tmpfile
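As an added example (not the wiki's own procedure, and not the ImportKey tool it refers to), the script below reaches the same result with only openssl and the standard `keytool -importkeystore` command: the key and certificate are first bundled into a PKCS#12 file, which keytool can import as a PrivateKeyEntry. The paths, alias `tomcat` and password `changeit` are assumptions; the demo generates a throwaway self-signed pair instead of touching a real Apache key.

```shell
#!/bin/sh
# Added example: import an existing server.key / server.crt pair into keystore.jks
# via PKCS#12 and keytool -importkeystore (no third-party ImportKey class needed).
set -u

have_tools() {
    command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1
}

# import_key_and_cert KEY CRT ALIAS KEYSTORE STOREPASS
# Bundles KEY+CRT into a temporary PKCS#12 file, copies that entry into KEYSTORE,
# removes the temporary file, and confirms ALIAS is now a PrivateKeyEntry.
import_key_and_cert() {
    key=$1; crt=$2; alias=$3; ks=$4; pass=$5
    p12=$(mktemp) || return 1
    # 1. openssl packs the private key and its certificate under one friendly name,
    #    which becomes the keystore alias on import
    openssl pkcs12 -export -inkey "$key" -in "$crt" -name "$alias" \
        -out "$p12" -passout "pass:$pass" >/dev/null 2>&1 || { rm -f "$p12"; return 1; }
    # 2. keytool copies the entry (key plus certificate chain) into the JKS
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$ks" -deststoretype JKS -deststorepass "$pass" \
        -destkeypass "$pass" >/dev/null 2>&1 || { rm -f "$p12"; return 1; }
    # 3. do not leave the intermediate key material lying around (same reason as
    #    step 5 above)
    rm -f "$p12"
    # 4. verify the alias holds a private key, not just a trusted certificate
    keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

# import_demo: run the import against a freshly generated self-signed test pair
# (constructed test material; in practice pass the real Apache key and cert paths).
import_demo() {
    work=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=www.example.com/O=Example/C=US" \
        -keyout "$work/server.key" -out "$work/server.crt" >/dev/null 2>&1 || {
        rm -rf "$work"; return 1; }
    import_key_and_cert "$work/server.key" "$work/server.crt" tomcat \
        "$work/keystore.jks" changeit
    rc=$?
    rm -rf "$work"
    return $rc
}

# Real-world usage (assumed paths):
#   import_key_and_cert /etc/httpd/conf/ssl.key/server.key \
#       /etc/httpd/conf/ssl.crt/server.crt tomcat keystore.jks changeit
```

Because the private key passes through a PKCS#12 file protected with the store password rather than an unencrypted PKCS#8 DER file, nothing is written to disk in the clear; the JKS store itself is still only as strong as the password you give it.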

