Creating a CA-Signed Certificate and a Private Key


Use the keytool utility to create a keystore file that contains a private key and a CA-signed certificate that holds a public key.


  1. Create a keystore file containing a local certificate:

    1. Run the following command from the C:\Program Files\Java\java_version\bin folder after substituting the parameter values.

      The command can be run from %JAVA_HOME%\bin if the %JAVA_HOME% environment variable is set.

      keytool -genkey -keyalg RSA -alias <aliasName> -keystore <file_path\keystoreFilename.jks>

      The following table displays the parameters for the keytool command:

      Description of Parameter Values

      Parameter                            Description
      <aliasName>                          The alias name for the certificate. The alias name is used to import the CA-signed certificate.
      <file_path\keystoreFilename.jks>     The file path and file name for the .jks file created by the keytool.

      For example:


      keytool -genkey -keyalg RSA -alias casigned -keystore "C:\mykeystore.jks"
    2. When prompted, enter the information requested by the keytool command.

      For CA-signed certificates, the company and location information must be accurate. For example, when prompted for the Organization Name, enter the full legal name of your organization.

    3. Make note of the following values:

      • name and location of the keystore file

      • alias name

      • the keystore password

      • the key password

      After the CA-signed certificate is imported into the keystore file, use these values to create the SP metadata XML file. For information, see Configuring Provider Metadata for SAML Integration.

  2. Generate a Certificate Signing Request (CSR) and submit it to the CA.

    1. Run the following command from the C:\Program Files\Java\java_version\bin folder after substituting the parameter values.

      The command can be run from %JAVA_HOME%\bin if the %JAVA_HOME% environment variable is set.

      keytool -certreq -keyalg RSA -alias <aliasName> -file <request_file_name.csr> -keystore <file_path\keystoreFilename.jks>

      The following table displays the parameters for the keytool command:

      Description of Parameter Values

      Parameter                            Description
      <aliasName>                          The alias name for the certificate. The alias name is used to import the CA-signed certificate.
      <request_file_name.csr>              The file name of the .csr file.
      <file_path\keystoreFilename.jks>     The file path and file name for the .jks file created by the keytool.

      For example:


      keytool -certreq -keyalg RSA -alias casigned -file certreq.csr -keystore "C:\mykeystore.jks"
    2. Submit the .csr file to your CA according to their procedure.

  3. Import the CA-signed certificate into the keystore file according to the procedure provided by the CA.

    Run the following command from the C:\Program Files\Java\java_version\bin folder after substituting the parameter values.

    The command can be run from %JAVA_HOME%\bin if the %JAVA_HOME% environment variable is set.

    keytool -importcert -file <CertificateFileName> -keystore <keystoreFileName> -alias <AliasName>

    The following table displays the parameters for the keytool command:

    Description of Parameter Values

    Parameter                  Description
    <CertificateFileName>      The file name of the .csr file.
    <keystoreFileName>         The file path and file name for the .jks file created by the keytool.
    <AliasName>                The alias name for the certificate.

    For example:


    keytool -importcert -file certificate.cer -keystore "C:\mykeystore.jks" -alias casigned
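
After step 3, confirm that the CA-signed certificate attached to the private key under the same alias instead of landing as a separate trusted-certificate entry. The PowerShell check below is an added example, not part of the original procedure; it assumes English-locale `keytool -list -v` output, and the function name `Test-KeystoreEntry`, the `KS_PASS` variable and the sample output are constructed for illustration.

```powershell
# Added example (not vendor code). Assumes English-locale keytool output.
function Test-KeystoreEntry {
    param([string[]]$ListOutput)   # lines from: keytool -list -v -alias <aliasName> ...
    $text   = $ListOutput -join "`n"
    $type   = if ($text -match 'Entry type:\s*(\S+)') { $Matches[1] }
    $chain  = if ($text -match 'Certificate chain length:\s*(\d+)') { [int]$Matches[1] } else { 0 }
    $owner  = if ($text -match '(?m)^Owner:\s*(.+)$')  { $Matches[1].Trim() }
    $issuer = if ($text -match '(?m)^Issuer:\s*(.+)$') { $Matches[1].Trim() }

    $problems = @()
    if ($type -ne 'PrivateKeyEntry') {
        # Importing under a different alias creates a trustedCertEntry with no private key.
        $problems += "entry type is '$type', not PrivateKeyEntry"
    }
    if ($owner -and $owner -eq $issuer) {
        $problems += 'certificate is self-signed: the CA reply has not replaced it'
    }
    if ($chain -lt 2) {
        $problems += "certificate chain length is $chain: no CA certificate in the chain"
    }
    [pscustomobject]@{ EntryType = $type; ChainLength = $chain
                       Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: the 'casigned' entry as it looks after step 1, before the import.
$sample = @'
Alias name: casigned
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sp.example.test, O=Example Org, C=US
Issuer: CN=sp.example.test, O=Example Org, C=US
'@ -split "`r?`n"
Test-KeystoreEntry $sample | Format-List

# Against the real keystore; the password is read from the KS_PASS environment
# variable (assumed name) so that it does not appear on the command line:
# Test-KeystoreEntry (& "$env:JAVA_HOME\bin\keytool.exe" -list -v -alias casigned `
#     -keystore 'C:\mykeystore.jks' '-storepass:env' KS_PASS)
```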
