To Create a CSR with keytool and Generate a SignedCertificate for the Certificate Signing Request
Generate a Java key pair and keystore: keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048. Generate a certificate signing request (CSR) for an existing Java keystore: keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr. Generate a keystore and self-signed certificate. (Use keytool -list to see the contents of the keystore.) Make sure the certificate category is set to Identity. Upload the client certificate file in JKS format. Enter the keystore and key passwords used to create the JKS store.
Keytool Create Jks
Perform the following operations from the command line.
Generate the Certificate Signing Request.
Generate a signed certificate for the associated Certificate SigningRequest.
Use the keytool to import the CA certificate into the client keystore.
Use the keytool to import the signed certificate for the associatedclient alias in the keystore.
Caution –The following error will be generated if there is no certificatechain in the client certificate.
This error is because the CA’s certificate was not imported intothe KeyStore first. You must import theCA's certificate (step 4), then import the client.cer file itself to forma certificate chain (step 5).
Now that we have a private key and an associating certificate chainin the KeyStore clientkeystore, we canuse it as a KeyStore for client (adapter)authentication. The only warning is that the CA certificate must be importedinto the trusted certificate store of the web server to which you will beconnecting. Moreover, the web server must be configured for client authentication(httpd.conf for Apache, for example).