
Mister PKI


Keytool generate CSR – Generate a certificate signing request

March 12, 2021 by Mister PKI

What is java keytool?

The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use keytool to create a PKCS #10 certificate signing request (CSR). In many respects, it competes with openssl for keystore, key, and certificate management.

What is a pkcs 10 certificate signing request (CSR)?

A CSR is a request for a certificate, signed with the requester's asymmetric private key, that is sent to a Certificate Authority (CA). The request is encoded in PKCS #10 format. The CA then signs and returns a certificate that includes the data provided in the CSR. Read more about Certificate Signing Requests in our dedicated article.

keytool generate CSR – What keytool command do I use to generate a certificate request?

Use this command to generate a CSR using the java keytool. The result will be a signed certificate request in PKCS #10 format ready to be sent to a Certificate Authority. Note that you must have an existing keystore and private key to sign the CSR with. In the below command, the alias references the alias given to the private key in the keystore. If you need to generate a key store and private key, read how to generate a keystore with the java keytool.

keytool -certreq \
-alias example \
-sigalg SHA256withRSA \
-file example.csr \
-keypass changeit \
-keystore example.p12 \
-dname "cn=example.com,ou=exampleou,dc=example,dc=com" \
-storepass changeit \
-storetype PKCS12

Java keytool options:

Options breakdown:

-alias – The alias of the private key entry in your keystore. This must be the correct private key, else when you import the signed certificate you will have a key pair mismatch.

-sigalg – This value is generally derived from the algorithm of the private key, but can be specified for clarity. Supported signature algorithms include SHA1withDSA, SHA256withRSA, and SHA256withECDSA.

-file – The filename of the serialized CSR. A common practice is to use the extension .csr for readability.

-keypass – The password of the private key. This should have been set to be the same as the keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-keystore – The keystore file.

-dname – This is the distinguished name, also known as the subject of the certificate.

-storepass – The keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
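The -keypass and -storepass notes above recommend keeping passwords off the command line. As an added example (not part of the original article), the script below runs the same -certreq call without plain-text passwords by using keytool's -storepass:env modifier, then decodes the result with -printcertreq. The function names, file names, alias and the KS_PASS variable name are assumptions.

```shell
#!/bin/sh
# Added example. Function names, file names, alias and KS_PASS are assumptions.

# gen_csr KEYSTORE ALIAS CSR_FILE DNAME
# -storepass:env makes keytool read the password from the named environment
# variable, so the secret never appears in argv or in shell history.
# -keypass is omitted: a PKCS12 key entry uses the keystore password.
gen_csr() {
  [ -n "${KS_PASS:-}" ] || { echo "export KS_PASS first" >&2; return 1; }

  # Create the key pair only when the alias is not in the keystore yet.
  if ! keytool -list -alias "$2" -keystore "$1" -storetype PKCS12 \
       -storepass:env KS_PASS >/dev/null 2>&1; then
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -dname "$4" \
      -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS || return 1
  fi

  # Same -certreq call as in the article, minus the plain-text passwords.
  keytool -certreq -alias "$2" -sigalg SHA256withRSA -dname "$4" \
    -file "$3" -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS
}

# check_csr CSR_FILE EXPECTED_CN
# Decodes the CSR with keytool and succeeds only on an exact subject CN match
# (case-insensitive). A CSR that cannot be decoded yields no output and fails.
check_csr() {
  keytool -printcertreq -file "$1" 2>/dev/null |
    tr ', ' '\n\n' | grep -qixF "CN=$2"
}

# Demo: ./csr.sh demo   (prompts for the password without echoing it)
if [ "${1:-}" = "demo" ]; then
  printf 'Keystore password: ' >&2
  stty -echo; read -r KS_PASS; stty echo; echo >&2
  export KS_PASS
  gen_csr example.p12 example example.csr \
    "cn=example.com,ou=exampleou,dc=example,dc=com" &&
    check_csr example.csr example.com && echo "example.csr OK"
fi
```

keytool also accepts -storepass:file with a path to a file holding the password, which suits hosts where the process environment is readable by other tooling.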


After submitting the CSR to a Certificate Authority, you will then import the signed certificate into your keystore using the -importcert command.

Here are the official keytool docs to dive further into how to use java keytool to generate a CSR. https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__GENERATECERTIFICATEREQUEST-507D39B8
