Sun GlassFish Enterprise Server v3 Administration Guide

ProcedureTo Sign a Certificate by Using keytool

After creating a certificate, the owner must sign the certificate to prevent forgery. E-commerce sites, or those for which authentication of identity is important, can purchase a certificate from a well-known Certificate Authority (CA).

Note –

If authentication is not a concern, for example if private secure communications are all that is required, you can save the time and expense involved in obtaining a CA certificate by using a self-signed certificate.

  1. Follow the instructions on the CA's web site for generating certificate key pairs.

  2. Download the generated certificate key pair.

    Save the certificate in the directory containing the keystore and truststore files. The default is domain-dir/config.

  3. In your shell, change to the directory containing the certificate.

  4. Import the certificate into the local keystore and, if necessary, the local truststore using the following command format:

    keytool -import -v -trustcacerts
    -alias keyAlias
     -file server.cer
    -keystore cacerts.jks
     -keypass changeit
    -storepass changeit

    If the keystore or private key password is not the default password, then substitute the new password for the default (changeit).

  5. To apply your changes, restart Enterprise Server. See To Restart a Domain.

Example 11–14 Importing an RFC/Text-Formatted Certificate Into a JKS Keystore

Certificates are often stored using the printable encoding format defined by the Internet Request for Comments (RFC) 1421 standard instead of their binary encoding. This certificate format, also known as Base 64 encoding, facilitates exporting certificates to other applications by email or through some other mechanism.

keytool -import -noprompt -trustcacerts -alias ${cert.alias} -file 
${cert.file} -keystore ${keystore.file} -storepass ${keystore.pass}

Example 11–15 Exporting a Certificate From a JKS Keystore in PKCS7 Format

The reply format defined by the Public Key Cryptography Standards #7, Cryptographic Message Syntax Standard, includes the supporting certificate chain in addition to the issued certificate.

keytool -export -noprompt -alias ${cert.alias} -file ${cert.file} 
-keystore ${keystore.file} -storepass ${keystore.pass}

Example 11–16 Exporting a Certificate From a JKS Keystore in RFC/Text Format

keytool -export -noprompt -rfc -alias ${cert.alias} -file 
${cert.file} -keystore ${keystore.file} -storepass ${keystore.pass}

See Also

For more information about keytool, see the keytool documentation at