Creating the service keystore
Note: given the rm commands below, it is probably best to create a new directory and navigate to it before running these commands from a terminal window.
rm *.p12 *.pem *.jks *.cer
openssl req -x509 -days 36525 -newkey rsa:2048 -sha256 -keyout servicekey.pem -out servicecert.pem -passout pass:sspass
This command is interactive. Enter the answers for the following questions, for example:
Country Name - US
State or Province Name - New York
Locality Name - Buffalo
Organization Name - Sample Web Service Provider -- NOT FOR PRODUCTION
Organizational Unit Name - IT Department
Common Name - www.service.com
Email Address - service@service.com
openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name myservicekey -passin pass:sspass -passout pass:skpass
This creates a PKCS12 file (service.p12) holding the certificate and its private key. Note the skpass value will be used both for the keystore and the private key itself.
keytool -importkeystore -destkeystore servicestore.jks -deststoretype jks -deststorepass sspass -srckeystore service.p12 -srcstorepass skpass -srcstoretype pkcs12
This imports the certificate and private key into a new JKS keystore. The keystore's password is changed here to sspass, but the private key's password retains the earlier value of skpass.
keytool -list -keystore servicestore.jks -storepass sspass -v
The list command is just to show the keys presently in the keystore.
keytool -exportcert -alias myservicekey -storepass sspass -keystore servicestore.jks -file service.cer
keytool -printcert -file service.cer
rm *.pem *.p12
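The first two steps above, run without prompts through openssl's -subj option and followed by a consistency check of the files they produce. This is an added example, not part of the original page: the function names make_service_p12, check_service_p12 and fp are made up here, and the script works in its own temporary directory, so the rm commands above do not touch it.

```shell
#!/bin/sh
# Added example. File names, alias and passwords follow the page;
# the function names are made up for this sketch.
SUBJ='/C=US/ST=New York/L=Buffalo/O=Sample Web Service Provider -- NOT FOR PRODUCTION/OU=IT Department/CN=www.service.com/emailAddress=service@service.com'

# Steps 1 and 2 of the page, run without prompts inside directory $1.
make_service_p12() {
    ( cd "$1" &&
      openssl req -x509 -days 36525 -newkey rsa:2048 -sha256 \
          -keyout servicekey.pem -out servicecert.pem \
          -passout pass:sspass -subj "$SUBJ" &&
      openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem \
          -out service.p12 -name myservicekey \
          -passin pass:sspass -passout pass:skpass )
}

# SHA-256 fingerprint of the PEM certificate on stdin.
fp() { openssl x509 -noout -fingerprint -sha256; }

# Succeeds only if the key, certificate and PKCS12 file in $1 agree.
check_service_p12() {
    ( cd "$1" || exit 1
      # 1. The private key belongs to the certificate (same public key).
      key_pub=$(openssl pkey -in servicekey.pem -passin pass:sspass -pubout) || exit 1
      crt_pub=$(openssl x509 -in servicecert.pem -noout -pubkey) || exit 1
      [ "$key_pub" = "$crt_pub" ] || { echo "key/cert mismatch" >&2; exit 1; }
      # 2. service.p12 opens with skpass and carries that same certificate.
      p12_fp=$(openssl pkcs12 -in service.p12 -passin pass:skpass -nokeys 2>/dev/null | fp) || exit 1
      [ "$p12_fp" = "$(fp < servicecert.pem)" ] || { echo "p12 holds another cert" >&2; exit 1; }
      # 3. The PEM key password (sspass) must not open the PKCS12 file.
      if openssl pkcs12 -in service.p12 -passin pass:sspass -noout 2>/dev/null; then
          echo "p12 accepted the wrong password" >&2; exit 1
      fi )
}

# Stand-alone run in a scratch directory.
d=$(mktemp -d) && make_service_p12 "$d" && check_service_p12 "$d" &&
    echo "service.p12 verified in $d"
```

Running check_service_p12 before the keytool import catches a mismatched key and certificate pair while the PEM files still exist.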