Java Reference
In-Depth Information
If you don't specify a directory when specifying the keystore file name, the keystores are created in the directory from which the keytool command is run. This can be the directory where the application resides, or it can be a directory common to many applications.

The general steps for creating a server certificate are as follows.

1. Create the keystore.
2. Export the certificate from the keystore.
3. Sign the certificate.
4. Import the certificate into a truststore: a repository of certificates from parties with which you expect to communicate or from Certificate Authorities that you trust to identify parties. The truststore is used by the client to verify the certificate that is sent by the server. A truststore typically contains more than one certificate.

The next section provides specific information on using the keytool utility to perform these steps.

To Use keytool to Create a Server Certificate

Run keytool to generate a new key pair in the default development keystore file, keystore.jks. This example uses the alias server-alias to generate a new public/private key pair and wrap the public key into a self-signed certificate inside keystore.jks. The key pair is generated by using an algorithm of type RSA, with a default password of changeit. For more information and other examples of creating and managing keystore files, read the keytool documentation.

Note: RSA is public-key encryption technology developed by RSA Data Security, Inc.

From the directory in which you want to create the key pair, run keytool as shown in the following steps.

1. Generate the server certificate.
Type the keytool command all on one line:

java-home/bin/keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks