How to use Keytool - notes from my own experiences
Mark Foster 5/15/2003
Say you want to obtain a server certificate from Verisign. You will need to create a keystore holding a private RSA key, then generate a certificate signing request (CSR) from that key to send them. They will give you a CA-signed certificate in return, which you import back into the same keystore.
Create your key (this also creates the keystore file if it doesn't exist). Use the full state name for ST and your web site's hostname as the CN. Without -alias the key is stored under the default alias "mykey"; the later import must use that same alias so keytool treats the signed certificate as a reply for this key. The JDK of the day defaulted RSA keys to 1024 bits; add -keysize 2048 if you want a key that CAs still accept.
keytool -v -genkey -keyalg RSA -keystore keystore -dname "cn=www.example.com, ou=None, L=Seattle, ST=Washington, o=ExampleOrg, c=US"
Generate the CSR. There is no need to pass -sigalg: keytool picks the signature algorithm from the key type (MD5withRSA was the default for RSA keys in the JDK of the day; current JDKs default to SHA256withRSA, and CAs no longer accept MD5-signed requests). Note that a -storepass given on the command line ends up in your shell history and in process listings; leave it off and keytool will prompt for it instead.
keytool -certreq -file www.example.com.csr -keystore keystore -storepass password
Now go to http://digitalid.verisign.com/
Click on SSL Certificates
Click on Buy SSL
Choose from Secure Site (40-bit) or Secure Site Pro (128-bit).
I highly recommend two years, as it will save you the hassle factor! When it asks for your vendor, just choose BEA WebLogic, as the Javasoft entry has recently been removed. This choice is probably less important than you might think: when I asked Verisign customer service I was told it is more of a survey than anything else.
Verisign will email you the signed certificate as an attachment. Save the attachment as www.example.com.crt, then import it into the keystore. Leave off -alias (or pass -alias mykey) so the certificate goes in under the same alias as the private key; that is what makes keytool treat it as a certificate reply for that key rather than adding it as a separate trusted-certificate entry. (-keyalg is not an option of -import, so it is omitted here.)
keytool -import -keystore keystore -trustcacerts -file www.example.com.crt
That should do it!
If you chose to get a Global Server ID (128-bit) you will also need to import the intermediate CA certificate, because your server certificate is not issued directly by the Verisign root that ships in the JDK's cacerts file, and keytool will only install a reply when it can walk issuer by issuer from the reply to a self-signed root it already trusts (in the keystore or, with -trustcacerts, in cacerts).
You'll know this is the case if you receive this error when you try to install the certificate that Verisign emailed to you.
keytool error: java.lang.Exception: Failed to establish chain from reply
The intermediate CA certificate can be found here: https://www.verisign.com/support/install/intermediate.html
Save it as verisign_inter.cer, then do
keytool -import -keystore keystore -trustcacerts -alias cacert -file verisign_inter.cer
Certificate was added to keystore
Now go back and try importing your signed certificate again.
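The whole procedure above, including the "Failed to establish chain from reply" error and its fix, replayed as an added example that is not part of the original notes. It stands in for Verisign with a local OpenSSL root and intermediate CA, which means the root has to be imported as well (for Verisign the root was already in the JDK's cacerts file). The hostname www.example.com, the password changeit, the aliases mykey, exampleroot and exampleinter and the 30-day validities are assumed demo values, and it uses the current keytool command spellings -genkeypair and -importcert (the page's -genkey and -import are the older names for the same operations). It needs keytool and openssl on the PATH and returns status 2 if either is missing.

```shell
#!/bin/sh
# Added example (not from the original page): replays the keytool procedure
# against a local OpenSSL CA (root plus one intermediate) so the
# "Failed to establish chain from reply" failure and its fix run offline.
# Hostname, password, aliases and validities are assumed demo values.
# Exit status: 0 on success, 1 on an unexpected failure, 2 if keytool or
# openssl is not installed.

PASS=changeit   # assumed keystore/key password for the demo

# Run one command, showing its output only if it fails (the command name
# only, so the password never lands in the log).
step() {
    out=$("$@" 2>&1) || { echo "FAILED: $1"; echo "$out"; return 1; }
}

# Body runs in a subshell so cd/trap/exit do not leak into the caller.
keytool_chain_demo() (
    command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 || {
        echo "keytool or openssl not found; skipping"; exit 2; }
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 1

    # X.509 extensions for the demo CA hierarchy (constructed for the demo).
    cat > ext.cnf <<'EOF'
[root]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
[ca]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
[leaf]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.com
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

    # 1. Stand-in for the CA: a self-signed root and an intermediate it signs.
    step openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA/O=ExampleOrg" || exit 1
    step openssl x509 -req -days 30 -in root.csr -signkey root.key \
        -extfile ext.cnf -extensions root -out root.crt || exit 1
    step openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Intermediate CA/O=ExampleOrg" || exit 1
    step openssl x509 -req -days 30 -in inter.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ext.cnf -extensions ca -out inter.crt || exit 1

    # 2. The page's steps: RSA key in a new keystore, then a CSR from it.
    step keytool -genkeypair -keyalg RSA -keysize 2048 -alias mykey \
        -keystore keystore -storepass "$PASS" -keypass "$PASS" \
        -dname "CN=www.example.com, OU=None, L=Seattle, ST=Washington, O=ExampleOrg, C=US" || exit 1
    step keytool -certreq -alias mykey -keystore keystore -storepass "$PASS" \
        -file www.example.com.csr || exit 1

    # 3. The CA signs the CSR with the intermediate, as Verisign did.
    step openssl x509 -req -days 30 -in www.example.com.csr -CA inter.crt \
        -CAkey inter.key -CAcreateserial -extfile ext.cnf -extensions leaf \
        -out www.example.com.crt || exit 1

    # 4. Importing the reply before its issuers are trusted must fail:
    #    keytool cannot walk from the reply to a self-signed root it knows.
    if keytool -importcert -alias mykey -keystore keystore -storepass "$PASS" \
        -trustcacerts -file www.example.com.crt -noprompt >/dev/null 2>&1; then
        echo "unexpected: reply accepted without the issuing chain"; exit 1
    fi

    # 5. Import root and intermediate as trusted certificates, then retry the
    #    reply under the key's alias so keytool installs it on that key.
    step keytool -importcert -alias exampleroot -keystore keystore \
        -storepass "$PASS" -file root.crt -noprompt || exit 1
    step keytool -importcert -alias exampleinter -keystore keystore \
        -storepass "$PASS" -trustcacerts -file inter.crt -noprompt || exit 1
    step keytool -importcert -alias mykey -keystore keystore -storepass "$PASS" \
        -trustcacerts -file www.example.com.crt -noprompt || exit 1

    # 6. The key entry now carries the full chain: leaf, intermediate, root.
    keytool -list -v -keystore keystore -storepass "$PASS" -alias mykey 2>/dev/null \
        | grep -q "Certificate chain length: 3" || { echo "chain not installed"; exit 1; }
    echo "reply installed on alias mykey with a 3-certificate chain"
)

keytool_chain_demo
```

Step 4 reproduces the page's error on purpose; step 5 is the page's fix, with the root added only because this CA is local. Importing the reply under the key's alias is what makes keytool treat it as a certificate reply rather than a new trusted-certificate entry, which is why the page's import commands work without -alias (the key was created under the default alias mykey).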
Related links:
- Sun's J2EE Tutorial: Setting up a Server Certificate
- Keytool Documentation from Sun
- Using Java's Keytool
- Secure Sockets with JSSE & OpenSSL
- HowTo compare two cacerts (UNIX)
- OpenSSL to Keytool Conversion Tips
- Keytool cacert extraction to PEM format using OpenSSL and keytool