Keytool Generate Private Key From Certificate

SSL Certificate CSR Creation for Java Based Web Servers.

Jul 09, 2019. If the private key file is lost, you’ll need to reissue your certificate. A certificate contains only the public key, so the private key cannot be recovered from it. Can I generate a new private key for my certificate if I lose the old one? You can generate a new private key and CSR, or use the automatic CSR and key generation during certificate reissue (this option is available for all Certificates except for the Multi.

Recommended method: use the DigiCert Java Keytool CSR Wizard. Save yourself some time: use the DigiCert Java Keytool CSR Wizard to generate a keytool command to create your Tomcat keystore and CSR. Simply fill out the form, click Generate, and then paste your customized Java keytool command into your terminal. The Java keytool utility creates both your private key and your certificate signing.

If you already have your SSL Certificate and just need to install it, see SSL Certificate Installation :: Java Web Servers.

How to generate a CSR using Java Keytool

NOTE: You must generate a new keystore through this process. If you try to install a new certificate to an old keystore, your certificate will not work properly. Back up and remove any old keystores if necessary before beginning this process.

Recommended: Save yourself some time by using our new Java Keytool CSR Wizard to create your CSR with Keytool. Just fill in the details, click Generate, and paste your customized keytool command into your terminal.

If you prefer to roll your own keytool commands to generate your CSR, just follow our old instructions below:

Create a New Keystore

  1. You will be using the keytool command to create your new key-CSR pairing. Enter the following:

    keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore yourdomain.jks

    'Yourdomain' is the name of the domain you are securing. However, if you are ordering a Wildcard Certificate, do not include * in the beginning of the filename as this is not a valid filename character.

  2. You will be prompted for the DN information. Please note: when it asks for first and last name, this is not YOUR first and last name, but rather your domain name and extension (i.e., www.yourdomain.com). If you are ordering a Wildcard Certificate, this must begin with *. (example: *.digicert.com)

  3. Confirm that the information is correct by entering 'y' or 'yes' when prompted. Next you will be asked for your password to confirm. Make sure to remember the password you choose.

Generate Your CSR with Your New keystore

  1. Next, use keytool to actually create the Certificate Signing Request. Enter the following:

    keytool -certreq -alias server -keyalg RSA -file yourdomain.csr -keystore yourdomain.jks

    Again, 'yourdomain' is the name of the domain you are securing (without the * character if you are ordering a Wildcard Certificate).

  2. Enter the keystore password.

  3. Then the SSL Certificate CSR file is created. Open the CSR with a text editor, and copy and paste the text (including the BEGIN and END tags) into the DigiCert web order form.

  4. After you receive your SSL Certificate from DigiCert, you can install it.

    See SSL Certificate Installation :: Java Web Servers.
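The keystore and CSR steps above as non-interactive shell functions, added here as an example (not DigiCert's own commands). The DN is passed with -dname instead of the prompts, the password is read from an environment variable assumed to be named KS_PASS, and openssl confirms that the CSR carries the same public key as the keystore entry; the function names and the domain and DN values in the usage line are constructed.

```shell
#!/bin/sh
# Added example. Constructed values: the domain and DN fields passed in.
# KS_PASS is an assumed environment variable holding the keystore password
# (6+ characters); :env keeps it off the command line and out of `ps`.

# File base name for a CN: the CN of a wildcard certificate starts with
# "*.", but the keystore/CSR file name must not contain "*".
base_name() {
    name=${1#\*.}
    printf '%s\n' "$name"
}

# Create a NEW keystore holding the key pair (-genkeypair is the current
# name of -genkey). $1 = CN (the domain), $2 = remaining DN fields.
make_keystore() {
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -dname "CN=$1, $2" -keystore "$(base_name "$1").jks" \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# Write the CSR for that key pair to <name>.csr. $1 = CN.
make_csr() {
    f=$(base_name "$1")
    keytool -certreq -alias server -file "$f.csr" \
        -keystore "$f.jks" -storepass:env KS_PASS
}

# PEM public key carried in a CSR file.
csr_pubkey() {
    openssl req -in "$1" -noout -pubkey
}

# PEM public key of the keystore's "server" entry.
keystore_pubkey() {
    keytool -exportcert -rfc -alias server -keystore "$1" \
        -storepass:env KS_PASS | openssl x509 -noout -pubkey
}

# Succeeds only if the CSR was made from the key in the keystore, i.e. the
# certificate issued for this CSR will install into this keystore.
# An unreadable keystore or CSR yields an empty key and counts as a mismatch.
csr_matches_keystore() {
    f=$(base_name "$1")
    want=$(keystore_pubkey "$f.jks") || return 1
    [ -n "$want" ] && [ "$want" = "$(csr_pubkey "$f.csr")" ]
}

# Usage: KS_PASS=... make_keystore '*.example.com' 'O=Example Org, C=US'
```

Run csr_matches_keystore again before installing the issued certificate: if it fails, the keystore on disk is not the one the CSR came from and the certificate has to be reissued.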

Generating a CSR for Issuance of an SSL Certificate with Keytool

How to generate a Certificate Signing Request for your Java Web Server

To Use keytool to Create a Server Certificate

Run keytool to generate a new key pair in the default development keystore file, keystore.jks. This example uses the alias server-alias to generate a new public/private key pair and wrap the public key into a self-signed certificate inside keystore.jks. The key pair is generated by using an algorithm of type RSA, with a default password of changeit. For more information and other examples of creating and managing keystore files, read the keytool online help at http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html.

Note –

RSA is public-key encryption technology developed by RSA Data Security, Inc.

From the directory in which you want to create the key pair, run keytool as shown in the following steps.

  1. Generate the server certificate.

    Type the keytool command all on one line:


    When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code.

    You must type the server name in response to keytool’s first prompt, in which it asks for first and last names. For testing purposes, this can be localhost.

    When you run the example applications, the host (server name) specified in the keystore must match the host identified in the javaee.server.name property specified in the file tut-install/examples/bp-project/build.properties.

  2. Export the generated server certificate in keystore.jks into the file server.cer.

    Type the keytool command all on one line:


  3. If you want to have the certificate signed by a CA, read the example at http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html.

  4. To add the server certificate to the truststore file, cacerts.jks, run keytool from the directory where you created the keystore and server certificate.

    Use the following parameters:


    Information on the certificate, such as that shown next, will appear:


  5. Type yes, then press the Enter or Return key.

    The following information appears:
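Steps 1 to 5 above as shell functions, added here as an example rather than taken from the original tutorial. The alias server-alias, the files keystore.jks, server.cer and cacerts.jks and the password changeit come from the text; the function names, the KS_PASS variable, reusing the alias in the truststore and the final check are assumptions, and -noprompt stands in for typing yes in step 5.

```shell
#!/bin/sh
# Added example. The password defaults to the page's "changeit"; override it
# by exporting KS_PASS (assumed variable name) before running.
KS_PASS=${KS_PASS:-changeit}; export KS_PASS

# Step 1: key pair plus self-signed certificate in keystore.jks.
# $1 = server name, which becomes the CN (localhost for testing).
gen_server_cert() {
    keytool -genkeypair -alias server-alias -keyalg RSA \
        -dname "CN=$1" -keystore keystore.jks \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# Step 2: export only the certificate (the public half) to server.cer.
export_server_cert() {
    keytool -exportcert -alias server-alias -file server.cer \
        -keystore keystore.jks -storepass:env KS_PASS
}

# Steps 4 and 5: import server.cer into the truststore cacerts.jks.
import_to_truststore() {
    keytool -importcert -noprompt -alias server-alias -file server.cer \
        -keystore cacerts.jks -storepass:env KS_PASS
}

# Pick the entry type out of `keytool -list` output read from stdin.
entry_type() {
    grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# List the server-alias entry of one keystore file ($1).
list_entry() {
    keytool -list -alias server-alias -keystore "$1" -storepass:env KS_PASS
}

# The truststore is handed to clients, so it must hold the certificate only;
# the private key stays in keystore.jks.
truststore_is_public_only() {
    [ "$(list_entry cacerts.jks | entry_type)" = trustedCertEntry ] &&
        [ "$(list_entry keystore.jks | entry_type)" = PrivateKeyEntry ]
}

# Usage: gen_server_cert localhost && export_server_cert && import_to_truststore
```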