Oracle® Retail Integration Bus Security Guide
Release 14.0


B Keytool Utility

The keytool utility is included with the JRE. It is used to create new keys, import digital certificates, export existing keys, and interact with the key management system.

Creating a Self-Signed Certificate

To create a self-signed certificate, use the following command. It creates a private key and a self-signed certificate that contains the corresponding public key:

keytool -genkey -keystore <keystore_location> -alias <your_alias> -keyalg RSA

Creating a Certificate Signing Request

To obtain a certificate signed by a real Certificate Authority, create a Certificate Signing Request:

  1. Use the following command to generate the request:

    keytool -certreq -keystore <keystore_location> -alias <your_alias> -file <your_file.cer>

  2. Once the Certificate Signing Request is saved in a file, send it to the Certificate Authority of your choice. To get a trial certificate, see the following Web site:

  3. When the response from the Certificate Authority is received, save the certificate in a file from which it can be imported. In order to import the certificate, the root certificate must be in your list of trusted certificate authorities, or you must accept the root certificate selected by the keytool utility.

  4. To import the certificate, use the following command:

    keytool -import -keystore <your_keystore_name> -file <your_certificate_file.cer> -alias <your_alias> -trustcacerts

    For development or testing purposes, it should not be necessary to get a trial certificate or have your certificate signed.

Exporting and Importing Certificates

The server in an SSL conversation must have a private key and a certificate that verifies its identity.

  • The private key is used by the server as a part of the key exchange algorithm.

  • The certificate is sent to the client to identify the server. This information is obtained from the Key Store.

  • The truststore is used by the client to verify the certificate that is sent by the server.

To populate the truststore with the public certificate of a server:

  1. Export the RSA certificate (without the private key) from the server Key Store. For information on creating the certificate, see "Creating a Certificate Signing Request".

    keytool -export -keystore <your_keystore> -alias <your_alias> -file <your_file.cer>

  2. Import the RSA certificate into the truststore.

    keytool -import -alias <your_alias> -keystore <your_truststore> -file <your_file.cer>

The certificate can be imported into any of the following files:

  • cacerts, which is the default Java truststore.

  • jssecacerts, a Java truststore.
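
The export and import procedure above, run end to end with a check of the result. This is an added example, not part of the Oracle guide: the alias, distinguished name, file names and password are constructed for the demonstration, and the passwords are passed on the command line only to keep the demo non-interactive.

```shell
#!/bin/sh
# Added example. Alias, DN, file names and password are constructed for the demo.
PASS=changeit

# Runs the keystore -> .cer -> truststore procedure in a temp directory and
# prints "ok" only if the truststore ends up holding the same certificate as a
# trusted entry, with no private key.
truststore_roundtrip() {
  dir=$(mktemp -d) || return 1
  ks="$dir/server.keystore"; ts="$dir/client.truststore"; cer="$dir/server.cer"

  # Private key plus self-signed certificate; -dname and the password options
  # keep keytool from prompting.
  keytool -genkey -keystore "$ks" -alias rib-server -keyalg RSA -keysize 2048 \
    -dname "CN=rib.example.test" -validity 30 \
    -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1 || return 1

  # Step 1: export the certificate only.
  keytool -export -keystore "$ks" -alias rib-server -file "$cer" \
    -storepass "$PASS" >/dev/null 2>&1 || return 1

  # Show subject, validity and fingerprints of what is about to be trusted.
  # Compare the fingerprint with one obtained from the server owner over a
  # separate channel; -noprompt below is only reasonable after that check.
  keytool -printcert -file "$cer" >&2 || return 1

  # Step 2: import the certificate into the client truststore.
  keytool -import -alias rib-server -keystore "$ts" -file "$cer" \
    -storepass "$PASS" -noprompt >/dev/null 2>&1 || return 1

  # Same certificate on both sides? (-rfc without -file writes PEM to stdout)
  a=$(keytool -export -rfc -keystore "$ks" -alias rib-server -storepass "$PASS" 2>/dev/null)
  b=$(keytool -export -rfc -keystore "$ts" -alias rib-server -storepass "$PASS" 2>/dev/null)
  # Entry types: the keystore holds a PrivateKeyEntry, the truststore must not.
  kt=$(keytool -list -keystore "$ks" -alias rib-server -storepass "$PASS" 2>/dev/null)
  tt=$(keytool -list -keystore "$ts" -alias rib-server -storepass "$PASS" 2>/dev/null)
  rm -rf "$dir"

  [ -n "$a" ] && [ "$a" = "$b" ] || return 1
  case $kt in *PrivateKeyEntry*) ;; *) return 1 ;; esac
  case $tt in *PrivateKeyEntry*) return 1 ;; *trustedCertEntry*) ;; *) return 1 ;; esac
  echo ok
}

truststore_roundtrip || echo "round trip failed (is keytool on PATH?)" >&2
```

The certificate details from -printcert go to standard error, so standard output carries only the final "ok".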