Generate RSA Certificate Signing Request (CSR) for a Certificate Authority (CA) w/ JCEKS Keystore

Java Keytool Introduction

RSA Certificate Signing Request (CSR) for a Certificate Authority (CA) w/ JCEKS Keystore

Generate a Certificate Signing Request (CSR) - RSA with JCEKS Keystore

The following example explains how to create a Certificate Signing Request (CSR) from a RSA JCEKS Keystore. The CSR will be forwarded to an Internal Certificate Authority (CA) or External CA (Thawte, DigiCert, Sectigo and so on) for verification. Keytool command options are listed at the bottom of the page.

The following breaks down the options we will use:

Create the CSR: -v (Verbose)
Name and location of file: site.csr
Signature Algorithm (sigalg): SHA224withRSA / SHA256withRSA / SHA384withRSA / SHA512RSA
Signature Algorithm, Key Algorithm and is valid for 365 days (~1 years).
keytool -certreq -v -sigalg SHA512withRSA -keyalg RSA -validity 365

The password of the private key is "PWKey123" from the previous step. The key pair we created is stored in the keystore file this.keystore with format JCEKS.
-alias serverkey -keypass PWKey123

The keystore file name, the Keystore is of JCEKS type and password of the keystore is "changeit".
-keystore this.keystore -storetype jceks -storepass changeit

The first name is the Domain Name Service (DNS) will reference. The others listed maybe used for Subject Alternative Names
-ext san=dns:server.example.com,dns:server,ip:10.10.10.10,ip:::1

Creating a Certificate Signing Request (CSR) from an RSA JCEKS keystore

Create the Certificate Signing Request (CSR)

 Copy keytool -certreq -v -file site.csr -sigalg SHA384withRSA -alias serverkey -keypass PWKey123 -keystore this.keystore -storetype jceks -storepass changeit -ext san=dns:server.example.com,dns:server,ip:10.10.10.10,ip:::1

Check the keys and keystore creation

 Copy keytool -printcertreq -file site.csr

RSA_JCEKS

RSA based options

-sigalg SHA256withRSA or SHA384withRSA or SHA512withRSA - Default is MD5withRSA Please use SHA256withRSA or SHA384withRSA or SHA512withRSA
-keyalg Keysize ranges from 512 bits to 16,384 bits - Default is 1024!Please use 2048 or preferred 4096 - Safari breaks with anything greater than 4096 and most browsers cannot handle greater than 8192

PREVIOUS NEXT