test

Sun GlassFish Enterprise Server v3 Prelude Administration Guide

ProcedureTo Generate a Certificate by Using keytool

By default, the keytool utility creates a keystore file in the directory where the utility is run.

Before You Begin

To run the keytool utility, your shell environment must be configured so that the J2SE /bin directory is in the path, otherwise the full path to the utility must be present on the command line.

  1. Change to the directory that contains the keystore and truststore files.

    Always generate the certificate in the directory containing the keystore and truststore files. The default is domain-dir/config.

  2. Generate the certificate in the keystore file, keystore.jks, using the following command format:


    keytool -genkey -alias keyAlias-keyalg RSA
 -keypass changeit
 -storepass changeit
keystore keystore.jks

    Use any unique name as your keyAlias. If you have changed the keystore or private key password from the default (changeit), substitute the new password for changeit. The default key password alias is s1as.

    A prompt appears that asks for your name, organization, and other information.

  3. Export the generated certificate to the server.cer file (or client.cer if you prefer), using the following command format:


    keytool -export -alias keyAlias-storepass changeit
 -file server.cer
 -keystore keystore.jks

  4. If a certificate signed by a certificate authority is required, see To Sign a Certificate by Using keytool.

  5. Create the cacerts.jks truststore file and add the certificate to the truststore, using the following command format:


    keytool -import -v -trustcacerts
-alias keyAlias
 -file server.cer
-keystore cacerts.jks
 -keypass changeit

    If you have changed the keystore or private key password from the default (changeit), substitute the new password.

    Information about the certificate is displayed and a prompt appears asking if you want to trust the certificate.

  6. Type yes, then press Enter.

    Information similar to the following is displayed:


    Certificate was added to keystore
[Saving cacerts.jks]

  7. To apply your changes, restart Enterprise Server.

    1. Stop Enterprise Server.

      For instructions, see To Stop a Domain (or Server).

    2. Start Enterprise Server.

      For instructions, see To Start a Domain (or Server).

Example 6–5 Creating a Self-Signed Certificate in a JKS Keystore by Using an RSA Key Algorithm

RSA is public-key encryption technology developed by RSA Data Security, Inc.


keytool  -genkey -noprompt -trustcacerts -keyalg RSA -alias ${cert.alias} 
-dname  ${dn.name} -keypass ${key.pass} -keystore ${keystore.file} 
-storepass ${keystore.pass}
Example 6–6 Creating a Self-Signed Certificate in a JKS Keystore by Using a Default Key Algorithm


keytool -genkey -noprompt -trustcacerts -alias ${cert.alias} -dname  
${dn.name} -keypass ${key.pass} -keystore ${keystore.file} -storepass 
${keystore.pass}
Example 6–7 Displaying Available Certificates From a JKS Keystore


keytool -list -v  -keystore ${keystore.file} -storepass ${keystore.pass}
Example 6–8 Displaying Certificate information From a JKS Keystore


keytool -list -v  -alias ${cert.alias} -keystore ${keystore.file} 
-storepass ${keystore.pass}
See Also

For more information on keytool, see the keytool documentation at http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.