Complete steps for generating certificates and signatures using the Keytool tool

Source: Internet
Author: User
Tags: dname, pkcs12

Steps covered:
Create a certificate store (KeyStore) and certificate (Certificate)
Generate a certificate signing request (CSR)
Import the signed certificate into the certificate store

The following uses the domain name "www.mydomain.com" as a worked example of creating a digital certificate.

Create the certificate store (KeyStore) and certificate (Certificate)

The command is as follows:

keytool -genkeypair \
        -alias www.mydomain.com \
        -keyalg RSA \
        -keysize 4096 \
        -keypass mypassword \
        -sigalg sha256withrsa \
        -dname "CN=WWW.MYDOMAIN.COM,OU=XXX,O=XXX,L=BEIJING,ST=BEIJING,C=CN" \
        -validity 3650 \
        -keystore www.mydomain.com_keystore.jks \
        -storetype jks \
        -storepass mypassword

Explanation:
keytool is the key and certificate management tool shipped with the JDK; the command is spelled "keytool" in lower case, with a space before each option.
-alias www.mydomain.com  Here "www.mydomain.com" is the alias. It can be any string: a certificate store can hold several entries, and the alias is what identifies this one.
-keyalg RSA  Here "RSA" is the key algorithm. The selectable key algorithms are RSA, DSA and EC.
-keysize 4096  Here "4096" is the key length in bits. Defaults when -keysize is omitted with -genkeypair:
    2048 (when -keyalg is "RSA")
    1024 (when -keyalg is "DSA")
    256 (when -keyalg is "EC")
-keypass mypassword  Here "mypassword" is the password for this entry, i.e. for the private key. It is best kept identical to -storepass; for PKCS12 stores keytool does not support a key password different from the store password at all and ignores -keypass with a warning.
-sigalg sha256withrsa  Here "sha256withrsa" is the signature algorithm used for the self-signed certificate. With -keyalg RSA the choices are MD5withRSA, SHA1withRSA, SHA256withRSA, SHA384withRSA and SHA512withRSA; with -keyalg DSA they are SHA1withDSA and SHA256withDSA. Note that the MD5 and SHA-1 signature algorithms are not secure and are rejected by modern browsers and public CAs; use SHA-256 or stronger.
-dname "CN=WWW.MYDOMAIN.COM,OU=XXX,O=XXX,L=BEIJING,ST=BEIJING,C=CN"  The certificate subject: CN = the server's domain name (or a person's name), OU = organizational unit, O = organization, L = city or locality, ST = state or province, C = two-letter country code. Browsers match the hostname against the Subject Alternative Name extension rather than CN, so make sure the CA puts the name there; keytool can add it to the self-signed certificate with -ext SAN=DNS:www.mydomain.com.
-validity 3650  Here "3650" is the validity of the self-signed certificate in days. The validity of the final certificate is decided by the CA when it signs the request, not by this value.
-keystore www.mydomain.com_keystore.jks  Here "www.mydomain.com_keystore.jks" is the file name of the KeyStore. An absolute path may also be given; by default the store is created in the current directory.
-storetype JKS  Here "JKS" is the type of the certificate store. The available types include JKS and PKCS12. Before JDK 9 the default was JKS; from JDK 9 on it is PKCS12. JKS is a JDK-proprietary format, and keytool on JDK 9 and later prints a warning recommending migration to PKCS12 (keytool -importkeystore -srckeystore www.mydomain.com_keystore.jks -destkeystore www.mydomain.com_keystore.jks -deststoretype pkcs12); PKCS12 is the better choice for a new store.
-storepass mypassword  Here "mypassword" is the password of the certificate store itself, not of the private key (that is -keypass). It is best kept identical to -keypass.
Passwords passed with -keypass and -storepass on the command line end up in the shell history and in the process list; omit them and keytool prompts for them interactively.

Description:
For the command above, replace the -dname value (in particular, put your own domain name in CN) and the passwords; the other options can stay as they are.

Generate a certificate signing request (CSR)

The command is as follows:

keytool -certreq \
        -alias www.mydomain.com \
        -keystore www.mydomain.com_keystore.jks \
        -storetype JKS \
        -storepass mypassword \
        -file WWW.MYDOMAIN.COM_CERTREQ.CSR

Explanation:
-file WWW.MYDOMAIN.COM_CERTREQ.CSR  Here "WWW.MYDOMAIN.COM_CERTREQ.CSR" is the file the certificate signing request is written to. The -alias value must name the key pair created in the previous step; the key algorithm is taken from that entry, so -keyalg is not given here (keytool rejects it as an illegal option for -certreq). The request is signed with the entry's key, and the signature algorithm defaults to SHA-256 with the key's algorithm.

Description:
Send the "WWW.MYDOMAIN.COM_CERTREQ.CSR" file to the certificate authority (CA), wait for it to return the signed certificate, and then continue with the next step. Only the request leaves the machine; the private key stays in the KeyStore.

Import the signed certificate into the certificate store

At this point you should have two certificates: the CA's root certificate (assumed here to be globalsign_cert.cer) and the signed certificate for www.mydomain.com (assumed to be www.mydomain.com_cert.cer). Both are imported into the certificate store (www.mydomain.com_keystore.jks), the CA certificate first. Most CAs sign with an intermediate CA rather than with the root; if the CA also returns an intermediate certificate, import it the same way (under its own alias) before the signed certificate, otherwise keytool rejects the reply with "Failed to establish chain from reply".

Import the root certificate of the signing authority:

keytool -importcert -trustcacerts \
        -keystore www.mydomain.com_keystore.jks \
        -storepass mypassword \
        -alias root_globalsign \
        -file globalsign_cert.cer

Description:
Replace the -alias and -file values with your own; the alias for a CA certificate can be any name not already used in the store. If the certificate is not already in the JDK's cacerts store, keytool prints its details and asks "Trust this certificate?"; compare the fingerprint it shows with the one the CA publishes before answering yes.

Import the signed certificate for www.mydomain.com:

keytool -importcert -trustcacerts \
        -keystore www.mydomain.com_keystore.jks \
        -storepass mypassword \
        -alias www.mydomain.com \
        -file www.mydomain.com_cert.cer

Description:
The -alias value must be exactly the one used with -genkeypair, so that keytool treats the file as the certificate reply for that key pair and replaces the self-signed certificate with the signed chain. With any other alias keytool stores the file as a separate trusted-certificate entry and the private key keeps its self-signed certificate. Replace the -file value with the name of the file the CA returned.

Auxiliary commands

View the certificate store

keytool -list -v \
        -keystore www.mydomain.com_keystore.jks \
        -storepass mypassword

After the signed certificate has been imported, the www.mydomain.com entry should show "Entry type: PrivateKeyEntry" and a "Certificate chain length" of at least 2 (the signed certificate followed by the CA certificates). A chain length of 1 with the self-signed certificate still listed means the reply was not installed.

View the certificate signing request

keytool -printcertreq -file WWW.MYDOMAIN.COM_CERTREQ.CSR

View the signed certificates

keytool -printcert -file globalsign_cert.cer
keytool -printcert -file www.mydomain.com_cert.cer

Before importing, check that the Issuer of www.mydomain.com_cert.cer is the Subject of the CA certificate you are about to import; if it is not, an intermediate certificate is missing from the chain.
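To rehearse the whole procedure (key pair, CSR, import of the CA certificate and of the signed certificate, then the keytool -list check) without waiting on a CA, here is an added example that is not part of the original page. A throw-away "Test CA" created with keytool stands in for the real CA and signs the request with keytool -gencert; the store is PKCS12 rather than JKS. The hostname, passwords, file names and the CA subject are all made up for the demonstration, and it assumes a JDK 8 or later keytool on PATH (run_demo returns 2 if none is found).

```shell
#!/bin/sh
# Added example, not part of the original page: rehearse the genkeypair ->
# certreq -> importcert procedure offline. A throw-away "Test CA" created
# with keytool stands in for the real CA and signs the CSR with -gencert.
# Assumptions (all constructed for the demo): the hostname, passwords, file
# names and CA subject below, and a JDK 8+ keytool on PATH.
set -u

HOST="www.mydomain.com"
STOREPASS="demo-store-password"   # store password; PKCS12 uses it for the key too
DNAME="CN=${HOST},OU=XXX,O=XXX,L=BEIJING,ST=BEIJING,C=CN"

# Step 1: server key pair plus its self-signed placeholder certificate.
# PKCS12 instead of JKS (the JDK 9+ default, not JDK-proprietary); a SAN is
# added because browsers match the hostname against SAN, not CN.
gen_server_keypair() {   # $1 keystore path
  keytool -genkeypair -alias "$HOST" -keyalg RSA -keysize 4096 \
    -sigalg SHA256withRSA -dname "$DNAME" -ext "SAN=DNS:${HOST}" \
    -validity 365 -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS"
}

# Step 2: the certificate signing request for that key pair.
gen_csr() {   # $1 keystore path, $2 CSR output file
  keytool -certreq -alias "$HOST" -keystore "$1" -storetype PKCS12 \
    -storepass "$STOREPASS" -file "$2"
}

# Stand-in for the CA: its own self-signed key pair (BasicConstraints
# ca:true, critical) in a separate store, exported as PEM for import later.
gen_test_ca() {   # $1 CA keystore path, $2 CA certificate output file
  keytool -genkeypair -alias testca -keyalg RSA -keysize 2048 \
    -dname "CN=Test CA,O=XXX,C=CN" -ext bc:c -validity 30 \
    -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS" &&
  keytool -exportcert -alias testca -rfc -keystore "$1" -storetype PKCS12 \
    -storepass "$STOREPASS" -file "$2"
}

# The CA signs the CSR; a real CA does this for you. The SAN of the issued
# certificate is decided here, by the signer, not by the request.
sign_csr() {   # $1 CA keystore path, $2 CSR file, $3 signed certificate output
  keytool -gencert -alias testca -keystore "$1" -storetype PKCS12 \
    -storepass "$STOREPASS" -infile "$2" -outfile "$3" -rfc \
    -ext "SAN=DNS:${HOST}" -validity 30
}

# Step 3: CA certificate first (own alias), then the signed certificate under
# the SAME alias as the key pair. Reversing the order fails with "Failed to
# establish chain from reply"; a different alias leaves the key self-signed.
import_chain() {   # $1 keystore path, $2 CA certificate, $3 signed certificate
  keytool -importcert -trustcacerts -noprompt -alias root_testca \
    -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS" -file "$2" &&
  keytool -importcert -trustcacerts -alias "$HOST" \
    -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS" -file "$3"
}

# Check: keytool -list -v reports the chain length of the PrivateKeyEntry
# (2 here: the server certificate followed by the Test CA certificate).
chain_length() {   # $1 keystore path; prints the length
  keytool -list -v -alias "$HOST" -keystore "$1" -storetype PKCS12 \
    -storepass "$STOREPASS" 2>/dev/null | sed -n 's/^Certificate chain length: //p'
}

# Runs the whole rehearsal in a temporary directory that is removed afterwards.
# Returns 0 on success, 1 on any failure, 2 if keytool is not installed.
run_demo() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  dir=$(mktemp -d) || return 1
  ks="$dir/${HOST}_keystore.p12"
  ca="$dir/testca.p12"
  if gen_server_keypair "$ks" && gen_csr "$ks" "$dir/${HOST}_certreq.csr" &&
     gen_test_ca "$ca" "$dir/testca.pem" &&
     sign_csr "$ca" "$dir/${HOST}_certreq.csr" "$dir/${HOST}_cert.pem" &&
     import_chain "$ks" "$dir/testca.pem" "$dir/${HOST}_cert.pem"; then
    len=$(chain_length "$ks")
  else
    len=""
  fi
  rm -rf "$dir"
  [ "$len" = "2" ]
}
```

Save it as keytool_demo.sh and run `. ./keytool_demo.sh && run_demo`; generating the 4096-bit key takes a few seconds. To see the failure mode the text warns about, swap the two keytool calls in import_chain: the second import then stops with "Failed to establish chain from reply" and run_demo returns 1.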
