Keytool - Generate SSL certificate request (CSR)

Last updated on 06 Sep 2023, 13:18:32.
Category: All about SSL certificates

CSR Java Keytool Tomcat

What is Keytool?

Keytool is a command-line utility that allows you to manage keystores, public and private keys, and SSL certificates for Java-based web servers, such as Tomcat or JBoss. Certificates and key pairs are stored in a secured keystore. This article explains how to create a new keystore and how to generate a Certificate Signing Request file using keytool. If you already obtained your certificate from the certificate authority, you may wish to read «: How to install an SSL Certificate using keytool ».

How to generate a CSR with keytool?

Step 1: Connect to your server

Connect to your server using the SSH (Secure Shell) protocol. Windows doesn't have a built-in SSH client, Kinamo recommends you download the free and popular PuTTY client. If you're working on a Mac OS X or Linux desktop, you simply open a terminal window and type in the following command, taking care to replace the servername with the hostname or IP address of your own server.

ssh -l root server.com

After typing in your password, you'll be connected to the server.

Step 2: Create a keystore

SSL certificates, keys and CSR's are usually kept in a single directory on your server, but the exact folder may vary according to your distribution. For illustration purposes, we'll be using /etc/ssl/certs in this article.

Go to your certificate directory:

[root@server ~]# cd /etc/ssl/certs
[root@server certs]#

Execute the following command to create a keystore and a new private key:

[root@server certs]# keytool -genkey -alias www_server_com -keyalg RSA -keysize 2048 -keystore www_server_com.jks

If your java bin directory is not included in your path, you'll get a command not found error. In that case, prepend either $JAVA_HOME$ to the command for Linux / Unix / Mac OS X systems, or %JAVA_HOME% for Windows operating systems.

Replace www_server_com with your own server name in the preceding command.

You will be prompted for a keystore password, which must be at least 6 characters long.

Next, you will be prompted to enter your organisation information. You should be careful to enter your company information in exactly the same way it is displayed in WHOIS records for your domain name, and that it corresponds with your company data as entered in your country's company registry at incorporation.

What is your first and last name?: www.server.com
What is the name of your organizational unit?: Kinamo
What is the name of your organization?: Kinamo
What is the name of your City or Locality?: Antwerpen
What is the name of your State or Province?: Antwerpen
What is the two-letter country code for this unit?: BE
Is CN= www.server.com, OU= Kinamo, O= Kinamo, L= Antwerpen, ST= Antwerpen, C= BE correct?: Yes
Enter the password for or enter "RETURN" if it is the same as the keystore password.

Note that the first and last name question is quite confusing: you should not enter your actual first and last name as an answer, but the FQDN (fully-qualified domain name) you're requesting the certificate for. If you're generating a CSR for a wildcard certificate, enter *.server.com.

Step 3: Generate a CSR from your keystore

Create the Certificate Signing Request file with the following command:

[root@server certs]# keytool -certreq -keyalg RSA -alias www_server_com -file www_server_com.csr -keystore www_server_com.jks

Enter your keystore password when prompted. This will create a file called www_server_com.csr in your certificate directory.

Step 4: Check the CSR contents

You can check whether you entered the correct data in your CSR with the following command:

[root@server certs]# openssl req -in www.server.com.csr -noout -text
Certificate Request:
 Data:
 Version: 0 (0x0)
 Subject: C=BE, ST=Antwerpen, L=Antwerpen, O=Kinamo NV, CN=www.server.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:d0:e1:e4:87:0a:82:6c:7d:4b:75:40:cf:91:b1:
 21:81:9c:90:6e:b6:63:f4:4e:d6:40:7d:b1:3b:1b:
 30:78:04:bf:3c:fc:32:c1:24:49:8b:7b:d3:d7:19:
 2e:4b:9a:d1:54:c2:44:2a:7c:08:ba:39:bf:28:62:
 e8:f7:bf:70:1c:c0:6c:0b:88:b9:24:af:8d:11:0a:
 b5:7b:1f:b5:d5:ed:4a:56:8f:61:d3:d5:26:97:fa:
 ab:5f:68:6b:1d:74:4e:af:80:f1:d9:a0:9d:e1:e3:
 9d:4e:86:8d:51:ba:c3:f4:f3:49:df:1a:06:f1:b8:
 a5:29:91:9d:7f:9c:3b:43:43:c5:bf:b0:5a:eb:35:
 aa:3f:9a:45:a5:ad:f4:65:de:5c:d2:c0:cc:b6:e0:
 b8:d9:ed:50:99:1f:ed:ca:bb:ef:b8:1c:c8:c0:84:
 16:1f:35:11:fb:34:7b:99:02:9d:8e:7c:04:3d:fc:
 0b:60:28:f8:a3:4d:ba:dc:c8:d3:a7:6a:6c:79:cf:
 1a:6d:95:43:9d:c3:65:da:73:fc:53:22:1d:56:50:
 11:02:79:5a:f6:58:4f:c0:e7:b0:50:51:72:37:50:
 c8:d6:20:e0:cc:65:df:f0:fe:ea:80:15:cb:88:19:
 9b:14:4f:58:5b:3c:fe:2c:48:09:dc:dc:53:62:a1:
 ab:b9
 Exponent: 65537 (0x10001)
 Attributes:
 a0:00
 Signature Algorithm: sha256WithRSAEncryption
 09:75:3e:03:e6:14:39:2f:45:d7:51:26:ce:67:93:48:d6:da:
 5a:82:35:fe:0a:dc:d3:b7:31:a4:8b:8e:c2:a8:c8:ca:cb:0d:
 97:60:bc:bb:eb:2e:3c:d0:5d:b9:5e:c7:3e:31:13:28:4d:09:
 6a:71:d1:b4:9b:8e:bd:84:33:85:03:7d:1f:4d:44:b4:16:cf:
 39:6a:cc:d8:de:ae:ba:22:9e:9b:be:c6:bc:03:5b:77:d6:f3:
 2e:f2:4f:93:ad:af:96:14:c4:67:84:70:b9:ea:26:38:19:70:
 4d:12:3c:91:f7:5b:a7:05:e8:34:92:5d:5b:05:a3:d5:10:cd:
 38:4d:28:44:32:23:82:99:52:a5:37:93:ae:3b:49:dd:8f:44:
 74:1b:36:a6:2b:61:70:d3:9e:fc:2d:f9:9b:48:de:d2:ae:94:
 80:d3:be:e6:76:23:99:29:24:67:4d:b1:75:a9:0f:1f:6c:c8:
 15:5a:9d:b5:a4:b6:04:4f:45:10:96:42:e8:1f:00:b8:00:1b:
 07:8a:cd:4a:f9:9e:87:99:fc:9a:0a:ec:22:c5:51:3a:96:97:
 fd:89:a4:c2:a6:be:31:11:96:76:e8:5b:65:1d:b3:78:9d:aa:
 f6:4d:bb:04:ad:59:a8:c3:35:b2:50:0a:d9:17:58:db:ef:71:
 8e:1c:79:41

Step 5: Copy the CSR contents

Print out the contents of the certificate request file to your screen:

[root@server certs]# cat www_server_com.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICozCCAYsCAQAwXjELMAkGA1UEBhMCQkUxEDAOBgNVBAgMB0FudHdlcnAxEDAO
BgNVBAcMB0FudHdlcnAxEjAQBgNVBAoMCUtpbmFtbyBOVjEXMBUGA1UEAwwOd3d3
LnNlcnZlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhdEF7
Dj/6KHLqY/5+5tN+NHRG0Mo+sWCtlmJ707yzYnqQAc7+ilVfBNWdlX68I/gTsgdp
QlojCRiqtXLFFNB0pvWOYUsvfk/1bcDww7MgbrDFYP0jGEO2L9OF+0UhZ94kgyeF
jkxtJSLXcfKNjbjgx8h4motMkYiwB/Ovg+dmPBo4uyvKZFNEV23zMaYvPFKItryl
lWkoHt71UIfXGIuoRXo4wPzkz4fyBveu1xun7TshyTaZXf6H+F643P8i0KqNg7f+
ZTjO0dKek58XN5VvjWzfKyolraRFrxek3vLqNCmuBXptdhQOOCaWXZrXd0s6vz8N
N+xerzw2jCeXY/kDAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAK3KXIyW7Dt9R
63Bx6dVpdP7vMubPWR/uDRKQLAXoDca4ztRoADI1Y3VKBec6DsS6kkseK/pfdhLM
HxjE7rE/yGwYpfCV9KuGe7khEuaw/gS7EhHHLZZpyhuYLuTBoIKCJN6ucHPiyMHQ
eCJyUeuPuty3SsLM06PqHg6KBO2MAMiHZulIrheJjDWX017jP0mjkmyPNZ1sQ8Se
e3KcS0ghCpPKmwmtm7fjNEnB0LgcaEc2niDkL5IM2Ck0UYBD6JxdkNW5A+7cS9r9
ResC/vbhf8GGvOh+SWryO1ngoNAIxXv0WrEQJsfDjkuMAAbmWhJYjym9d6IzKHBF
ZZ8MjgW5EQ==
-----END CERTIFICATE REQUEST-----

Copy the full text of the CSR, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines and their dashes, and paste the contents into Kinamo's certificate request form.


Related articles

Order an SSL certificate? What is an SSL certificate?

You need to order an SSL certificate? But what is an SSL certificate? And why is everyone saying that it...

Read more

SHA1, SHA2 and SHA256 SSL algorithms

SHA is a mathematical algorithm used in SSL encryption to verify the validity of the certificate's signature. Different iterations of...

Read more

Why do I see a yellow warning triangle on an HTTPS secured website?

The yellow warning triangle you may see when visiting a webpage that's secured with SSL, is an indication that Google...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Select your language

All languages: