How to generate CSR (Certificate Signing Request) Using Java Keytool

This article will help you generate a Java keystore along with a Certificate Signing Request (CSR) using the keytool utility that ships with Java, in a few simple steps.

Before jumping into the actual topic, let's go over a few basic concepts related to security and the role of certificates.

  1. What is an SSL certificate?
    • An SSL certificate is a type of digital certificate that provides authentication for a website and enables an encrypted connection.
    • These certificates tell the client (whoever is trying to access your website) that the host has ownership of the domain.
    • You can find more details about this here.
  2. What is a CSR (Certificate Signing Request)?
    • A CSR is a particular set of information related to the host, for example the domain name (www.google.com), country, etc.
    • A certificate always comes in two parts: the public key (which is what the CSR carries) and the private key.
    • The public key is always known to the client, while the private key always stays safe on the server. To understand this better, take our email account as an example: our email ID is the public key (always known to others), while our email password is the private key.
  3. What is a Java keystore?
    • A Java keystore file (extension .jks) contains the server certificates (public key) together with the private key.
    • Each entry in the keystore.jks file has a unique alias or name.
  4. What is a truststore?
    • The truststore file, cacerts.jks, contains the application server's trusted certificates, including the public keys of other entities.
    • For a trusted certificate, the server has confirmed that the public key in the certificate belongs to the certificate's owner. Trusted certificates generally include those of certification authorities (CAs).
    • You can find more details about the keystore and truststore in the Oracle documentation here.
  5. What is the Java keytool utility?
    • Keytool is a simple but powerful key and certificate management utility provided with Java.
    • It allows users to manage their own public/private key pairs along with certificates.

Now let's say you want to generate the SSL certificate for your server using the details below.

Common Name (Domain Name) : www.mysever.com
Organizational Unit       : My Unit
Organization              : My Organization
Locality                  : Monrovia
State                     : California
Country                   : US

Step 1 – Generate the CSR

To generate the CSR with the above details using the keytool utility, we first need to create the public/private key pair. Below is the command to use.

keytool -genkey -alias private-keypair -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keypass changeit -keystore mykeystore -storepass changeit

Note: You can create a public/private key pair with just two or three parameters as well. I purposely added extra parameters for demonstration purposes.

Below are the input details for this command.

  • -genkey : Tells keytool that we want to generate a public/private key pair (-genkey is the older name of -genkeypair; both work)
  • -alias : Name or alias of the public/private key pair
  • -keyalg : Algorithm for the public/private key pair
  • -sigalg : Signing algorithm for this public/private key pair
  • -keysize : Key size of this public/private key pair
  • -keypass : Password for this public/private key pair
  • -keystore : Name of the keystore file
  • -storepass : Password for the keystore file

The above command will generate a keystore file named "mykeystore" containing the key pair "private-keypair". Because no -dname is given, keytool prompts for the subject details (name, unit, organization, locality, state, country) interactively.

(Screenshot: keytool command output)

Now we will generate the CSR for this key pair using the command below.

keytool -certreq -alias private-keypair -file ./my-public-key.csr -keypass changeit -keystore mykeystore -storepass changeit -sigalg SHA256withRSA

The above command will generate the file "my-public-key.csr", which contains the actual CSR. This is what your CSR file will look like.

-----BEGIN NEW CERTIFICATE REQUEST-----
(Base64-encoded request body)
-----END NEW CERTIFICATE REQUEST-----

Step 2 – Verify Keystore & Validate CSR

You can validate the above CSR content in an online CSR decode tool as well. You can use the URL below, offered by DigiCert, to check and validate your CSR.

https://ssltools.digicert.com/checker/views/csrCheck.jsp

(Screenshot: decode and verify your CSR)

You can also check your keystore for the generated public/private key pair using the keytool command below.

keytool -list -v -keystore mykeystore -storepass changeit

This command lists all entries in the keystore with a detailed description. Note that at this point the entry holds a self-signed certificate (Owner and Issuer are identical and the chain length is 1); it is replaced by the CA-signed chain in Step 4.

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: private-keypair
Creation date: Jul 15, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.mysever.com, OU=My Unit, O=My Organization, L=Monrovia, ST=California, C=US
Issuer: CN=www.mysever.com, OU=My Unit, O=My Organization, L=Monrovia, ST=California, C=US
Serial number: 4578e0a1
Valid from: Wed Jul 15 23:11:59 IST 2020 until: Tue Oct 13 23:11:59 IST 2020
Certificate fingerprints:
MD5: 99:09:25:7C:E7:5D:5C:DC:9D:8D:EE:AA:93:31:45:11
SHA1: 0C:D5:1E:FF:0F:CD:99:D8:0B:DF:06:A8:BD:0B:34:F2:D9:13:C1:48
SHA256: 45:EF:82:F7:B2:4C:46:7E:B0:22:31:78:C5:49:BB:E0:2A:52:14:74:3E:5D:BB:5A:2E:FC:73:D9:05:E3:6D:A9
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:
1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F4 08 0E 2B D2 F7 67 73 6E 46 90 CC A7 7E 3F 0F …+..gsnF….?.
0010: A3 F0 71 85 ..q.
]
]

Step 3 – Send CSR to Certificate Authority (CA) for signing

In this step, you need to send the CSR to a certificate authority for signing. The CA will sign your CSR and provide you with the signed certificates. The final signed certificates you receive from the CA contain the root certificate, the intermediate certificate and your server certificate.

There might be multiple intermediate certificates, or none at all; this depends on the CA. The more intermediate certificates there are, the more security the chain provides.

Step 4 – Import Signed Certificates

In this step we will convert the received certificates into Base64 (PEM) format (not mandatory) and import them into our keystore. The keytool commands below import the certificates into the keystore.

keytool -import -alias root -keypass changeit -file "root.cer" -trustcacerts -keystore mykeystore -storepass changeit

keytool -import -alias inter -keypass changeit -file "inter.cer" -trustcacerts -keystore mykeystore -storepass changeit

keytool -import -alias private-keypair -keypass changeit -file "server.cer" -trustcacerts -keystore mykeystore -storepass changeit

The server certificate must be imported under the same alias as the key pair from Step 1 (private-keypair here). Keytool then treats it as a certificate reply: it checks that the public key in the reply matches the private key, builds the chain through the root and intermediate certificates imported just before, and replaces the self-signed certificate with the signed chain. Importing it under a fresh alias such as "server" would only add a separate trusted-certificate entry and leave the private key paired with its self-signed certificate.

After you finish importing all the certificates into the keystore, you can verify the keystore with the keytool list command (refer to Step 2).
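As an added end-to-end example (this script is not part of the original article), the following runs Steps 1, 2 and 4 without any interactive prompts: -dname supplies the subject details instead of the prompts, keytool -printcertreq decodes the CSR locally instead of the online tool, a throwaway self-signed "CA" keystore stands in for the real CA of Step 3 and signs the CSR with keytool -gencert, and the signed certificate is imported under the key pair's alias so that the resulting chain length can be checked. The working directory, the ca.jks keystore, the demo-ca alias and its DN are constructed for this demo; the password "changeit" and the other names follow the article.

```shell
#!/bin/sh
# Added example, not from the original article: keytool CSR workflow run
# end to end against a throwaway local "CA" (constructed for the demo).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory
PASS=changeit
DNAME='CN=www.mysever.com, OU=My Unit, O=My Organization, L=Monrovia, ST=California, C=US'

# Step 1: server key pair plus CSR; -dname replaces the interactive prompts.
make_server_csr() {
    keytool -genkeypair -alias private-keypair -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -dname "$DNAME" \
        -keystore "$WORK/mykeystore" -storepass "$PASS" -keypass "$PASS"
    keytool -certreq -alias private-keypair -sigalg SHA256withRSA \
        -file "$WORK/my-public-key.csr" \
        -keystore "$WORK/mykeystore" -storepass "$PASS" -keypass "$PASS"
}

# Step 2, offline: decode the CSR locally and return the subject it carries,
# so the request can be checked without pasting it into a web tool.
csr_subject() {
    keytool -printcertreq -file "$WORK/my-public-key.csr" \
        | sed -n 's/^Subject: *//p'
}

# Stand-in for Step 3: a self-signed CA key (demo-ca, constructed) signs the
# CSR with -gencert. A real CA does this for you; this one exists only so
# the import step can be exercised. bc:c marks the CA cert as a CA.
sign_with_local_ca() {
    keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 \
        -dname 'CN=Demo Root CA, O=Demo, C=US' -ext bc:c \
        -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -rfc -alias demo-ca -file "$WORK/root.cer" \
        -keystore "$WORK/ca.jks" -storepass "$PASS"
    keytool -gencert -alias demo-ca -infile "$WORK/my-public-key.csr" \
        -outfile "$WORK/server.cer" -rfc -validity 90 \
        -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS"
}

# Step 4: the CA certificate goes in under its own alias; the signed server
# certificate goes in under the KEY PAIR's alias, so keytool treats it as a
# certificate reply and replaces the self-signed certificate with the chain.
import_chain() {
    keytool -importcert -noprompt -alias root -file "$WORK/root.cer" \
        -keystore "$WORK/mykeystore" -storepass "$PASS"
    keytool -importcert -noprompt -alias private-keypair -file "$WORK/server.cer" \
        -keystore "$WORK/mykeystore" -storepass "$PASS" -keypass "$PASS"
}

# Chain length of the key pair entry: 1 means it still serves the self-signed
# certificate, 2 means the CA-signed certificate plus the CA is in place.
chain_length() {
    keytool -list -v -alias private-keypair \
        -keystore "$WORK/mykeystore" -storepass "$PASS" \
        | sed -n 's/^Certificate chain length: *//p'
}

run_all() {
    make_server_csr
    echo "CSR subject:                 $(csr_subject)"
    echo "chain length before signing: $(chain_length)"
    sign_with_local_ca
    import_chain
    echo "chain length after import:   $(chain_length)"
    echo "keystore at $WORK/mykeystore"
}

# Usage: sh keytool-demo.sh run
case "${1:-}" in
    run) run_all ;;
esac
```

Running it with `run` prints the decoded subject, a chain length of 1 before signing and 2 afterwards. If you change the second -importcert alias to "server", as in the article's original Step 4, the chain length stays at 1, which is the quickest way to tell that a keystore is still serving its self-signed certificate.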

(Screenshot: updated keystore after importing the certificates)

Now your keystore is ready to serve.
