SSL Certificate provision using keytool commands

Follow below steps to get SSL certificate for an JAVA based Application server .In the below steps we will use keytool which is availale in JAVA_HOME/bin/

Create a new keystore keystore.jks for managing your public/private key pairs and certificates.

Note : -v option is for detailed output

Keytool help for the commands 
[wlsuser@localhost tmp]$ keytool
Key and Certificate Management Tool


 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore

Use "keytool -command_name -help" for usage of command_name
[wlsuser@localhost tmp]$ 
Generate key

keytool -genkey -v -alias mycert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
-dname ", OU=abc, O=ABC Corp, C=IN, ST=Banglore, L=India" \
--keypass pkpassword -storepass storepassword -validity 365 -keystore keystore.jks
Generate a CSR in the file carequest.csr for submission to a CA. The CA signs and returns a certificate or a certificate chain that authenticates your public key.

keytool -certreq -v -alias mycert -file carequest.csr -keystore keystore.jks -storepass storepassword

Send or upload the csr file to the thirdpary site like and get it signed . Then download root ,intermediate certificates and carequest.cer file .

Print the contents of a certificate file in a human-readable form.
keytool -printcert -v -file carequest.cer
Import Root
keytool -importcert -alias root -file root.cer -keystore keystore.jks -storepass storepassword
Import Intermediate 
keytool -importcert -alias inter -file intermediate.cer -keystore keystore.jks -storepass storepassword
Import sever Certificate 
keytool -importcert -alias mycert -file carequest.cer -keystore keystore.jks -storepass storepassword
verify keystore
keytool -list -v -alias mycert -keystore keystore.jks -storepass storepassword
change keystore password
keytool -storepasswd -keystore keystore.jks
Change key password
keytool -keypasswd -alias mycert -keystore keystore.jks
Delete the certificate with the alias aliasname from the keystore keystore.jks.
keytool -delete -alias aliasname -keystore keystore.jks -storepass storepassword
print the certificate 
keytool -printcert -f mycert.cer

Now the keystore is ready. we can use this keystore to configure in Application server’s like Jboss,Weblogic,Websphere,tomcat ..etc

In a certificate if both Owner and Issuer are same then it is Self signed certificate . We can use self signed cert for the server but it is not secured and not recommended.
Every root certificate of the Third party provider are self signed it self and used to sign other certificates .

Related Posts

One thought on “SSL Certificate provision using keytool commands

Leave a Reply

Your email address will not be published. Required fields are marked *