Keytool

How to use Keytool - notes from my own experiences

Mark Foster 5/15/2003

Say you want to obtain a server certificate from Verisign. You will need to create a keystore with a private RSA key, then create a certificate signing request to give them. They will give you a CA-signed certificate in return.

Create your key (this also creates the keystore if it doesn't exist). Make sure to use the full state spelling and cn of your web site.

 keytool -v -genkey -keyalg RSA -keystore keystore -dname "cn=www.example.com, ou=None, L=Seattle, ST=Washington, o=ExampleOrg, c=US"

Generate the CSR. Be sure and specify sigalg here or it won't work

 keytool -certreq  -file www.example.com.csr -keystore keystore -storepass password

Note that it is not necessary to specify "-sigalg MD5withRSA" with the above command, because it is the default with an RSA private key.

Now go to http://digitalid.verisign.com/

Click on SSL Certificates

Click on Buy SSL

Choose from Secure Site (40-bit) or Secure Site Pro (128-bit).

I highly recommend two-years as it will save you the hassle-factor! When it asks for your vendor, just choose BEA WebLogic, as Javasoft has recently been removed. This choice is probably less important than you might think -- when I asked Verisign customer service I was told this is more of a survey than anything else.

Verisign will email you the signed certificate as an attachment. Save the attachment as www.example.com.crt, then import it into the keystore

 keytool -import -keystore keystore -keyalg RSA -import -trustcacerts -file www.example.com.crt

That should do it!

If you chose to get a Global Server ID (128-bit) you will need to import the intermediate CA certificate.

You'll know this is the case if you receive this error when you try to install the certificate that Verisign emailed to you.

 keytool error: java.lang.Exception: Failed to establish chain from reply

The intermediate CA certificate can be found here: https://www.verisign.com/support/install/intermediate.html

Save it as verisign_inter.cer, then do

 keytool -keystore keystore -keyalg RSA -import -trustcacerts -alias cacert -file verisign_inter.cer
 Certificate was added to keystore

Now go back and try importing your signed certificate again.

References

Sun's J2EETM Tutorial Setting up a Server Certificate

• http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security10.html

Keytool Documentation from Sun

• http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html

Using Java's Keytool

• http://www.churchillobjects.com/c/11201e.html

Secure Sockets with JSSE & OpenSSL

• http://www.churchillobjects.com/c/11201g.html

See Also

• Keytool to OpenSSL Conversion tips
• Keytool cacert extraction to PEM format using OpenSSL and keytool
• OpenSSL to Keytool Conversion tips