Generate a new Java Keystore using Java Keytool

Note:

A single-domain certificate is more secure than a multi-domain or wildcard certificate.

When the private key of a multi-domain or wildcard certificate is compromised, every domain, sub-domain and session covered by that certificate is put at risk. Proper key management and security measures are essential to mitigate this risk.

  1. Navigate to the directory where you plan to manage your Keystore and SSL/TLS certificates.

  2. Run the following command:

    keytool -genkey -alias <ALIAS> -keyalg RSA -keysize 2048 -keystore <SITE_NAME>.jks -ext SAN=dns:<SITE_NAME>

  3. In the command above, <SITE_NAME> is the domain name to be secured with the SSL/TLS certificate. Do not include the asterisk (*) character in <SITE_NAME>; it is not a valid character in the keytool command. The command generates a Keystore containing a public and private key pair, along with a self-signed certificate for the server. <ALIAS> is the name of the newly created entry in the Keystore.

  4. You will be prompted to create a password for the new Keystore.

  5. Enter the SSL/TLS certificate information for the self-signed certificate.

    1. When prompted for the first and last name, enter the Fully Qualified Domain Name (FQDN) for the site you wish to secure with the SSL/TLS certificate. For example, www.yourdomain.com or mail.yourdomain.com.

    2. Enter the Common Name (CN), for example, the FQDN.

    3. Enter the Organizational Unit (OU), for example, Cruise Operation.

    4. Enter the Organization (O), for example, Cruise Company.

    5. Enter the Locality (L), for example, Redwood City.

    6. Enter the State or Province Name (S), for example, California.

    7. Enter the Country Name (C), for example, US.

    8. You will be prompted to verify all the information entered. Type 'y' or 'yes' to confirm.

    9. Enter the Keystore password when prompted. The new Keystore file <SITE_NAME>.jks is now available in the current working directory.
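The steps above run non-interactively, as an added example that is not part of the original page: it assumes the site www.example.com, the alias server, a 365-day validity, a keystore password read from the KEYSTORE_PASS environment variable, and a JDK keytool on PATH; the DN field values are the ones shown in step 5.

```shell
# Added example (not from the page): the keytool procedure above run non-interactively.
# Constructed values: site www.example.com, alias "server", the DN fields from step 5,
# a 365-day validity, and a keystore password taken from the KEYSTORE_PASS variable.

# Step 3's rule: a wildcard asterisk is not valid in the site name, so refuse it early.
validate_site_name() {
  case "$1" in
    ''|*'*'*) return 1 ;;
    *)        return 0 ;;
  esac
}

# Build the distinguished name from the fields the prompts in step 5 ask for
# (keytool's "first and last name" prompt is the CN). Commas inside a value
# would need a backslash escape; the constructed values contain none.
build_dname() {
  # $1=CN  $2=OU  $3=O  $4=L  $5=ST  $6=C
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Emit the keytool arguments one per line: -dname replaces the prompts, -ext SAN=dns:...
# binds the certificate to the site name, and -storepass:env keeps the password out of
# ps output and shell history. -genkeypair is the current name of -genkey from step 2.
build_keytool_args() {
  printf '%s\n' -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$1.jks" -ext "SAN=dns:$1" -dname "$3" \
    -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS
}

# Create the keystore, then list the entry so the SAN and DN can be checked.
# Needs a JDK keytool on PATH and KEYSTORE_PASS set; non-zero status on any failure.
generate_keystore() {
  site=$1; alias=$2; dname=$3
  validate_site_name "$site" || { echo "invalid site name: $site" >&2; return 1; }
  [ -n "${KEYSTORE_PASS:-}" ] || { echo "KEYSTORE_PASS is not set" >&2; return 1; }
  # Split the argument list on newlines only, so DN values with spaces stay whole.
  old_ifs=$IFS; IFS='
'; set -f
  set -- $(build_keytool_args "$site" "$alias" "$dname")
  IFS=$old_ifs; set +f
  keytool "$@" || return 1
  keytool -list -v -keystore "$site.jks" -storepass:env KEYSTORE_PASS -alias "$alias"
}

# Runs only when SITE_NAME is supplied, so sourcing this file for its functions is safe.
if [ -n "${SITE_NAME:-}" ]; then
  generate_keystore "$SITE_NAME" "${ALIAS:-server}" \
    "$(build_dname "$SITE_NAME" 'Cruise Operation' 'Cruise Company' 'Redwood City' California US)"
fi
```

Run it as `KEYSTORE_PASS=... SITE_NAME=www.example.com sh generate-keystore.sh`; the final `keytool -list -v` output should show the SAN `DNSName: www.example.com` and the DN you built.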