When working with Java applications that use SSL/TLS, you often need a digital certificate to enable secure communication. For development and internal testing, you can generate your own self-signed certificate using the Java Keytool command-line utility.
What Is Java Keytool?
Java Keytool is a command-line tool that helps manage keystores and certificates. It allows developers to:
- Create self-signed certificates
- Import and export certificates
- Manage public and private keys
A keystore (.jks file) acts as a secure container where certificates and keys are stored, protected by a password.
Keytool Command Syntax
Here’s the command to generate a new self-signed certificate:
keytool -genkey -keyalg RSA -alias dinselfsigned -keystore dinKeyStore.jks -storepass myStorePassword -validity 360 -keysize 2048
Command Breakdown
| Option | Description |
|---|---|
| -genkey | Instructs Keytool to generate a new key pair (private + public) and a self-signed certificate. |
| -keyalg | Defines the key-pair algorithm. Commonly used: RSA, DSA, or EC. |
| -alias | A name (label) used to identify this specific entry within the keystore. |
| -keystore | The name of the keystore file where the keys and certificates will be stored. |
| -storepass | Password used to protect the keystore. |
| -validity | Duration (in days) for which the certificate will remain valid. |
| -keysize | Key length in bits (e.g., 2048) — a longer key gives a larger security margin against brute force. |
Example Walkthrough
Example command:
C:\Users\dinesh.k.masthaiah\Documents\exported certs>
keytool -genkey -keyalg RSA -alias dinselfsigned -keystore dinKeyStore.jks -storepass myStorePassword -validity 360 -keysize 2048
When you run this, Keytool will prompt for identifying information:
What is your first and last name?
[Unknown]: Dinesh Masthaiah
What is the name of your organizational unit?
[Unknown]: IT Dept
What is the name of your organization?
[Unknown]: Din Inc.
What is the name of your City or Locality?
[Unknown]: Bangalore
What is the name of your State or Province?
[Unknown]: Karnataka
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=Dinesh Masthaiah, OU=IT Dept, O=Din Inc., L=Bangalore, ST=Karnataka, C=IN correct?
[no]: y
You will also be asked to create a key password — you can press Enter to reuse the keystore password.
Understanding Certificates and Keystores
- Digital Certificate (SSL Certificate): a digital file that contains the public key and identifying details of the owner. Common formats: .cer, .pem.
- Private Key: a secret key linked to the certificate. Used for decryption and signing.
- Keystore (.jks): a password-protected repository that stores certificates, keys, and trusted entries. Example: myKeyStore.jks
Exporting a Certificate from the Keystore
Once the self-signed certificate is created, you can export it from the keystore into a standalone .cer file:
keytool -export -keystore dinKeyStore.jks -alias dinselfsigned -file dinselfsigned.cer
Output:
Enter keystore password:
Certificate stored in file <dinselfsigned.cer>
This exported .cer file contains the public key and certificate details — it can be shared with other systems or servers to establish SSL/TLS trust.
Example: Complete Workflow
C:\MyWorkspace\MyJavaKeyStore>
keytool -genkey -keyalg RSA -alias dinselfsigned -keystore dinkeystore.jks -storepass dinstorepass -validity 360 -keysize 2048
This creates:
- A new keystore file: dinkeystore.jks
- A self-signed certificate with alias dinselfsigned
- A validity of 360 days
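The generate, export and trust steps above, run end to end without the interactive prompts, as an added example (this script is not part of the original article). It assumes a JDK's keytool is on PATH; the alias, file names, passwords, subject fields and the hostname localhost are constructed demo values. It goes a little beyond the article's commands: -dname replaces the prompts, -genkeypair and -exportcert are the current names of -genkey and -export, -ext SAN adds the Subject Alternative Name that TLS clients check against the hostname, -rfc exports PEM instead of binary DER, and the exported certificate is imported into a separate truststore and checked by SHA-256 fingerprint.

```shell
#!/bin/sh
# Added example, not from the original article: the generate -> export -> trust
# workflow run non-interactively. Assumes a JDK's keytool is on PATH. The alias,
# file names, passwords and subject fields are constructed demo values.
set -eu

WORKDIR="${KEYTOOL_DEMO_DIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/dinkeystore.jks"       # holds the private key + certificate
TRUSTSTORE="$WORKDIR/dintruststore.jks"   # holds only the trusted certificate
CERT_PEM="$WORKDIR/dinselfsigned.pem"     # exported certificate (public part only)
ALIAS="dinselfsigned"
STOREPASS="dinstorepass"                  # demo value; use a strong password in real use

# Step 1: key pair + self-signed certificate. -dname supplies the answers the
# interactive prompts would ask for, -genkeypair is the current name of -genkey,
# and -ext SAN adds a Subject Alternative Name: TLS clients match the hostname
# against the SAN, not the CN, so a certificate without one is rejected by
# modern browsers and HTTP libraries. JDK 9+ writes PKCS12 by default even
# though the file is named .jks.
generate_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 \
        -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=localhost, OU=IT Dept, O=Din Inc., L=Bangalore, ST=Karnataka, C=IN" \
        -ext "SAN=dns:localhost,ip:127.0.0.1" >/dev/null 2>&1
}

# Step 2: export the certificate. -rfc writes PEM (Base64 between BEGIN/END
# CERTIFICATE lines) instead of the binary DER that plain -export produces;
# PEM is what most non-Java tools expect. The private key never leaves the keystore.
export_cert() {
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$CERT_PEM" >/dev/null 2>&1
}

# Step 3: the client side. Importing the exported certificate into a separate
# truststore is how another JVM is told to trust this self-signed server.
import_into_truststore() {
    keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT_PEM" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate stored under $ALIAS in keystore $1.
# Comparing fingerprints across the two stores shows the truststore holds the
# same certificate the server will present, not a substituted one.
fingerprint() {
    keytool -list -v -alias "$ALIAS" -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: //p'
}

# True when the keystore certificate carries a DNS SAN entry for host $1.
has_san_for() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q "DNSName: $1"
}

# Runs the three steps from a clean slate and checks that the truststore ends
# up with exactly the certificate that was generated.
run_workflow() {
    rm -f "$KEYSTORE" "$TRUSTSTORE" "$CERT_PEM"
    generate_keystore
    export_cert
    import_into_truststore
    server_fp="$(fingerprint "$KEYSTORE")"
    client_fp="$(fingerprint "$TRUSTSTORE")"
    echo "server keystore   SHA256: $server_fp"
    echo "client truststore SHA256: $client_fp"
    # Show the validity window and SAN entries the article's -validity / -ext set
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | grep -E 'Valid from|DNSName'
    [ -n "$server_fp" ] && [ "$server_fp" = "$client_fp" ]
}

if command -v keytool >/dev/null 2>&1; then
    run_workflow && echo "truststore matches keystore certificate"
else
    echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

Run it with a JDK installed; set KEYTOOL_DEMO_DIR to keep the generated files somewhere other than a temporary directory. The fingerprint comparison is the check worth copying into real provisioning scripts: a truststore entry should always be verified against the certificate the server actually holds before it is shipped to clients.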
Key Takeaways
- Use Java Keytool to create and manage SSL certificates easily.
- Always protect your keystore and keys with strong passwords.
- Use self-signed certificates for development and testing only — not for production.
- For production systems, obtain a certificate from a trusted Certificate Authority (CA).