To Create a Java KeyStore and Trust Certificates

In this procedure, you generate a public key and a private key. You designate an alias for the KeyStore that contains the private key. Next, you generate a self-signed certificate only. Finally, you generate both a self-signed certificate and a certificate from Certificate Authorities. A certificate, required by most clients, authenticates the public key. An HTTPS connection, which uses TLS, requires these things.

  1. Open a terminal, and on the command line, enter a Java keytool command to create the keys in a KeyStore:

    keytool -genkey -alias serverkey -keyalg RSA -keystore httplistener.jks

  2. Respond to the prompts to enter a password for the KeyStore. The following output shows example responses:

    • Enter keystore password: mule123

    • Re-enter new password: mule123

  3. Respond to prompts to enter other values. You can enter arbitrary values. The following output shows example responses:

    • What is your first and last name? [Unknown]: max

    • What is the name of your organizational unit? [Unknown]: MuleSoft

    • What is the name of your organization? [Unknown]: MuleSoft Inc

    • What is the name of your City or Locality? [Unknown]: San Francisco

    • What is the name of your State or Province? [Unknown]: CA

    • What is the two-letter country code for this unit? [Unknown]: 01

  4. In response to the following prompt, enter yes.

    Is CN=kahn, OU=MuleSoft, O=MuleSoft Inc, L=San Francisco, ST=CA, C=01 correct? [no]: yes

  5. Respond to the following prompt. For example, use the same password by entering RETURN.

    Enter key password for <serverkey> (RETURN if same as keystore password):

  6. Enter the command to export a self-signed certificate authenticating the public key.

    keytool -export -alias serverkey -keystore httplistener.jks -file server_cert.cer
  7. Respond to the prompt to enter the password you set up for the KeyStore associated with the certificate.

    Enter keystore password: mule123

  8. Alternatively, instead of exporting just a self-signed certificate, generate both a certificate from Certificate Authorities and a self-signed certificate using a single command:

    keytool -genkeypair \
        -keystore httplistener.jks \
       -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
       -keypass mule123 \
       -storepass mule123 \
       -keyalg DSA \
       -sigalg SHA1withDSA \
       -keysize 1024 \
       -alias mulekey \
       -ext SAN=DNS:localhost,IP: \
       -validity 9999

In this topic:

We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used and to tailor advertising. You can read more and make your cookie choices here. By continuing to use this site you are giving us your consent to do this.