- Prepare the Certificate Keystore:
Execute the following keytool command to create a new keystore containing a single self-signed certificate:
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -genkey -alias <your_alias> -keyalg RSA -keysize 1024 -keystore <keystore file path>
For example, "<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -genkey -alias server_cert -keyalg RSA -keysize 1024 -keystore D:\temp\Key.keystore
After executing this command, you will first be prompted for the keystore password. Next, you will be prompted for general information about this Certificate.
Finally, you will be prompted for the key password, which is the password specifically for this Certificate.
Note down these two passwords for future reference. You will need to supply them when configuring TomEE with the TomEE Configuration Utility.
- Create a local Certificate Signing Request (CSR):
To obtain a Certificate from the Certificate Authority of your choice, you have to create a Certificate Signing Request (CSR).
The Certificate Authority uses that CSR to create a Certificate. To create a CSR, execute the following command:
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -certreq -v -alias <your_alias> -file <reqname.csr> -keystore <keystore file path> -ext SAN=DNS:localhost,DNS:<your_machine_name>,IP:<machine_ip_address>
For example, "<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -certreq -v -alias server_cert -file D:\temp\certreq.csr -keystore D:\temp\Key.keystore -ext SAN=DNS:localhost,DNS:machinename1,IP:10.10.10.10
After executing this command, you will be prompted for the keystore password and the key password. Use the keystore password and the key password created in step 1.
You will now have a file called certreq.csr, which you submit to the Certificate Authority. The Certificate Authority, in turn, will provide a Certificate.
- Import certificate files into your keystore:
If you have the chain certificate file (*.p7b), execute the following command to import it into the keystore file created in step 1:
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -importcert -alias <your_alias> -trustcacerts -file <.p7b file path> -keystore <keystore file path> -storetype JKS
For example, "<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -importcert -alias server_cert -trustcacerts -file D:\temp\mycert.p7b -keystore D:\temp\Key.keystore -storetype JKS
After executing this command, you will be prompted for the keystore password and the key password. Use the keystore password and the key password created in step 1.
If you do not have a chain certificate file, do the following:
You will need to import the root certificate, intermediate certificates if any, and the certificate issued
by your Certificate Authority into the keystore separately starting from a root certificate and ending with
the certificate issued by your Certificate Authority.
Note:
Some certificates have several intermediate certificates, and all of them should be imported into the keystore in the correct order,
starting with the certificate that was signed by the root and finishing with the intermediate certificate that signs the
end-entity certificate. You need to use different aliases for different intermediate certificates.
  - To import a root certificate, run the following command:
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -import -alias <root_alias> -keystore <keystore file path> -trustcacerts -file <filename_of_the_root_certificate>
For example,
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -import -alias root -keystore D:\temp\Key.keystore -trustcacerts -file D:\temp\root.cer
After executing this command, you will be prompted for the keystore password.
Use the keystore password created in step 1.
  - To import an intermediate certificate, run the following command:
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -import -alias intermediate -keystore <keystore file path> -trustcacerts -file <intermediate_filename>
For example,
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -import -alias intermediate -keystore D:\temp\Key.keystore -trustcacerts -file D:\temp\cacert.cer
After executing this command, you will be prompted for the keystore password.
Use the keystore password created in step 1.
  - If you have multiple intermediate certificates, use a command similar to the above to import each of the intermediate certificates.
Each intermediate certificate must have a unique alias.
  - To import the certificate issued by your Certificate Authority, run the following command:
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -import -alias <your_alias> -keystore <keystore file path> -file <certificate_filename>
For example,
"<SEE_install_dir>\<operating_system>\code\jre\currentjre\bin\keytool" -import -alias server_cert -keystore D:\temp\Key.keystore -file D:\temp\mycert.cer
The alias should match the one you specified when creating the keystore.
After executing this command, you will be prompted for the keystore password.
Use the keystore password created in step 1.
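
The import order described in step 3, as an added example (not part of the original documentation): the Python below reads the Owner and Issuer lines that keytool -printcert prints for each certificate file, orders the files from the root to the certificate issued by your Certificate Authority, and builds the matching import commands. The file names, distinguished names and the intermediateN alias scheme are constructed for illustration; matching is by DN text only, with no signature verification.

```python
import re

# Constructed sample: trimmed `keytool -printcert -file <cert>` output per file.
SAMPLE = {
    "mycert.cer": "Owner: CN=machinename1, O=Example\nIssuer: CN=Example Issuing CA 2\n",
    "ca2.cer": "Owner: CN=Example Issuing CA 2\nIssuer: CN=Example Policy CA 1\n",
    "root.cer": "Owner: CN=Example Root CA\nIssuer: CN=Example Root CA\n",
    "ca1.cer": "Owner: CN=Example Policy CA 1\nIssuer: CN=Example Root CA\n",
}

def _field(text, name):
    """Extract the value of an 'Owner:' or 'Issuer:' line from keytool output."""
    m = re.search(rf"^{name}:\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError(f"no {name} line in keytool output")
    return m.group(1)

def import_order(printcert):
    """Return file names ordered root -> intermediates -> end-entity certificate."""
    certs = {f: (_field(t, "Owner"), _field(t, "Issuer")) for f, t in printcert.items()}
    roots = [f for f, (owner, issuer) in certs.items() if owner == issuer]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")
    order = [roots[0]]
    while len(order) < len(certs):
        parent = certs[order[-1]][0]  # Owner DN of the last certificate placed
        children = [f for f, (_, issuer) in certs.items()
                    if issuer == parent and f not in order]
        if len(children) != 1:  # a missing intermediate, or two candidates
            raise ValueError(f"chain breaks or branches after {order[-1]}")
        order.append(children[0])
    return order

def import_commands(order, keystore, server_alias):
    """Build one import command per file, each CA certificate under a unique alias."""
    cmds = []
    for n, f in enumerate(order):
        if n == len(order) - 1:  # the issued certificate reuses the key's alias
            cmds.append(f"keytool -import -alias {server_alias} -keystore {keystore} -file {f}")
        else:
            alias = "root" if n == 0 else f"intermediate{n}"
            cmds.append(f"keytool -import -alias {alias} -keystore {keystore} -trustcacerts -file {f}")
    return cmds

if __name__ == "__main__":
    for cmd in import_commands(import_order(SAMPLE), r"D:\temp\Key.keystore", "server_cert"):
        print(cmd)
```

A ValueError from import_order means a certificate in the chain is missing or duplicated, which is worth resolving before any import is run.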