Security: Generate certificates with keytool

November 23, 2016

The following is an example of how to generate a certificate directly on a Linux server using keytool and then have it signed by a Windows CA. The example assumes we are regenerating the certificate for a GlassFish domain.

STEP 1: Delete the old certificate

In GlassFish, each domain where security is activated has a keystore.jks keystore that stores the HTTPS certificate used by that domain.

Delete the old s1as certificate, if it exists:

# keytool -delete -keystore keystore.jks -alias s1as

STEP 2: Generate new key for alias s1as

# keytool -genkey -alias s1as -keyalg rsa -keysize 2048 -validity 3650 -keystore keystore.jks

Use an RSA key of at least 2048 bits; 1024-bit keys are no longer considered adequate.

STEP 3: Generate a certificate request for alias s1as

# keytool -certreq -alias s1as -keystore keystore.jks -file certreq.pem

STEP 4: Sign the certificate request for alias s1as with the CA

Sign the certificate request with your Windows CA, then export the signed certificate from there with the full certificate chain (binary, PKCS#7 with certificate chain).

STEP 5: Import the signed certificate for alias s1as in the keystore

# keytool -import -alias s1as -file signed.p7b -keystore keystore.jks
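
A check to run after STEP 5, as an added example that is not part of the original post: it reads the output of `keytool -list -v -alias s1as -keystore keystore.jks` and confirms that the signed reply replaced the self-signed certificate on the existing private key. The function and sample names are hypothetical, the sample output is constructed, and the 2048-bit minimum is this example's assumption.

```shell
# Added example (not from the original post): validate the s1as entry after STEP 5.
# Reads keytool -list -v output on stdin, prints one line per problem, returns 0 if none.
check_s1as_entry() {
    awk '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { chain = $4 }
        # The first Owner/Issuer pair belongs to the server certificate itself.
        /^Owner:/  && owner == ""    { owner = substr($0, 8) }
        /^Issuer:/ && issuer == ""   { issuer = substr($0, 9) }
        # Newer keytool versions print e.g. "2048-bit RSA key"; skipped if absent.
        /^Subject Public Key Algorithm:/ && bits == "" { bits = $5; sub(/-bit$/, "", bits) }
        END {
            bad = 0
            if (type != "PrivateKeyEntry") { print "FAIL: not a PrivateKeyEntry, reply was not attached to the key"; bad = 1 }
            if (chain + 0 < 2)             { print "FAIL: chain length below 2, CA chain was not imported"; bad = 1 }
            if (owner == issuer)           { print "FAIL: certificate is still self-signed"; bad = 1 }
            if (bits != "" && bits + 0 < 2048) { print "FAIL: RSA key shorter than 2048 bits"; bad = 1 }
            exit bad
        }'
}

# Constructed sample: what a correct import looks like (all names are made up).
sample_signed() {
    cat <<'EOF'
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=app01.example.internal, O=Example
Issuer: CN=Example Issuing CA, DC=example, DC=internal
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Issuing CA, DC=example, DC=internal
Issuer: CN=Example Issuing CA, DC=example, DC=internal
EOF
}

# Constructed sample: STEP 5 did not happen, only the STEP 2 self-signed cert is present.
sample_unsigned() {
    cat <<'EOF'
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=app01.example.internal, O=Example
Issuer: CN=app01.example.internal, O=Example
Subject Public Key Algorithm: 1024-bit RSA key
EOF
}
```

Against a real keystore, pipe the `keytool -list -v` output for the alias into `check_s1as_entry` and treat a non-zero exit status as a failed import.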

