What is Java keytool?
Keytool generate CSR – The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use keytool to create a PKCS #10 certificate signing request, in other words a CSR. In many respects, it competes with openssl for keystore, key, and certificate management.
What is a PKCS #10 certificate signing request (CSR)?
A CSR is a request for a certificate, signed with the requester's asymmetric private key, that is sent to a Certificate Authority (CA). The request is encoded in PKCS #10 format. The CA then signs and returns a certificate that includes the data provided in the CSR. Read more about Certificate Signing Requests in our dedicated article.
keytool generate CSR – What keytool command do I use to generate a certificate request?
Use this command to generate a CSR using the Java keytool. The result will be a signed certificate request in PKCS #10 format, ready to be sent to a Certificate Authority. Note that you must have an existing keystore and private key to sign the CSR with. In the command below, -alias references the alias given to the private key in the keystore. If you need to generate a keystore and private key, read how to generate a keystore with the Java keytool.
keytool -certreq \
-alias example \
-sigalg SHA256withRSA \
-file example.csr \
-keypass changeit \
-keystore example.p12 \
-dname "cn=example.com,ou=exampleou,dc=example,dc=com" \
-storepass changeit \
-storetype PKCS12
Java keytool options:
Options breakdown:
-alias – The alias of the private key entry in your keystore. This must be the correct private key, else when you import the signed certificate you will have a key pair mismatch.
-sigalg – This value is generally derived from the algorithm of the private key, but can be specified for clarity. Supported signature algorithms include SHA1withDSA, SHA256withRSA, and SHA256withECDSA.
-file – The filename of the serialized CSR. A common practice is to use the extension .csr for readability.
-keypass – The password of the private key. This should have been set to be the same as the keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-keystore – The keystore file.
-dname – This is the distinguished name, also known as the subject of the certificate.
-storepass – The keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
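A check worth running before the CSR goes to the CA, shown here as an added example (not part of the original article or of the keytool documentation): it generates the CSR with the keystore password taken from an environment variable rather than the command line, then uses openssl to confirm that the CSR's self-signature verifies and that its public key is the one stored under the alias. The function names, the KS_PASS variable and the file names are assumptions made for the example.

```shell
# Added example. KS_PASS, the function names and the file names are assumptions.
# keytool's ":env" modifier reads the password from the named environment
# variable, so it does not end up in the process arguments or shell history.

# make_csr <keystore> <alias> <out.csr>
# No -dname is passed, so keytool uses the subject already stored for the alias.
make_csr() {
  keytool -certreq -alias "$2" -sigalg SHA256withRSA -file "$3" \
          -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS
}

# csr_matches_alias <keystore> <alias> <csr>
# Succeeds only if the CSR's self-signature verifies AND the CSR carries the
# same public key as the keystore entry <alias>. A failure here predicts the
# "key pair mismatch" that would otherwise only show up at import time.
csr_matches_alias() {
  # Match on the message text: older openssl releases exit 0 on a bad signature.
  openssl req -in "$3" -noout -verify 2>&1 | grep -q 'verify OK' || return 1

  csr_pub=$(openssl req -in "$3" -noout -pubkey 2>/dev/null)
  ks_pub=$(keytool -exportcert -rfc -alias "$2" -keystore "$1" \
             -storetype PKCS12 -storepass:env KS_PASS 2>/dev/null |
           openssl x509 -noout -pubkey 2>/dev/null)

  # An empty value means one of the tools failed; treat that as a mismatch.
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$ks_pub" ]
}

# Usage (constructed values), after exporting KS_PASS in the current shell:
#   make_csr example.p12 example example.csr
#   csr_matches_alias example.p12 example example.csr && echo "CSR matches alias"
```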

After submitting the CSR to a Certificate Authority, you will then import the signed certificate into your keystore using the -importcert command.
Here are the official keytool docs to dive further into how to use java keytool to generate a CSR. https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__GENERATECERTIFICATEREQUEST-507D39B8