My objective is to use keytool to create a certificate signing request (CSR), then take that CSR and make an actual cert to add to the keystore, and add it, such that SSL (HTTPS://my.site.com) will work. This is for testing purposes.
So far I have done the following steps:
- Generate a keystore for my CSR:
  keytool -genkey -dname "CN=test.com, OU=TEST, O=Test, L=TestCity, ST=Florida, C=US" -alias tomcat -keyalg RSA -keysize 2048 -keystore test.keystore -storepass changeit
- Generate the CSR:
  keytool -certreq -alias tomcat -file request.csr -keystore test.keystore -storepass changeit
- Generate a server key to use with OpenSSL to create a signed cert. This required a password "changeit" and then a conversion to remove the password for the server.key:
  openssl genrsa -des3 -out server.key 2048
  cp server.key server.key.org
  openssl rsa -in server.key.org -out server.key
- Generate my signed cert using the CSR:
  openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt
- Finally, import the cert into my keystore:
  keytool -import -trustcacerts -file server.crt -keystore test.keystore -alias tomcat -storepass changeit
The result is the following error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
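As an added example (not code from the question or the answer), this script reproduces the mismatch with the openssl CLI alone and shows the fix: `-signkey` produces a self-signed certificate for server.key rather than a signed reply for the CSR, while signing the CSR with a CA key keeps the CSR's public key. The function names, the make_csr stand-in for the keytool steps, and the throwaway test CA are my own assumptions; the real flow uses the request.csr that keytool produced.

```shell
#!/bin/sh
# Added example: why keytool reports "Public keys in reply and keystore don't
# match", and how to issue a reply it will accept. Needs only the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Diagnostic: compare the SubjectPublicKeyInfo in a CSR with the one in a cert.
# Returns 0 when they match, 1 when keytool would reject the cert as a reply.
pubkeys_match() { # $1 = CSR, $2 = certificate
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$csr_pub" = "$crt_pub" ]
}

# Stand-in for `keytool -genkey` + `keytool -certreq`: a fresh RSA key pair and
# a CSR for it. In the real flow use keytool's request.csr instead.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/keystore.key" \
    -out "$WORK/request.csr" -subj "/CN=test.com/O=Test/C=US" 2>/dev/null
}

# The question's step 4: an unrelated server.key plus -signkey. The output is a
# self-signed cert carrying server.key's public key, not the CSR's.
sign_with_signkey() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/request.csr" \
    -signkey "$WORK/server.key" -out "$WORK/wrong.crt" 2>/dev/null
}

# The fix: create a test CA once, then issue server.crt from the CSR with the
# CA's key. The CSR's public key is preserved, so keytool accepts the reply.
sign_with_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Test CA" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/request.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Import order for the keystore from the question (not run here): the CA cert
# first as a trusted entry under its own alias, then the reply under "tomcat".
import_reply() { # $1 = keystore, $2 = store password
  keytool -importcert -noprompt -trustcacerts -alias testca \
    -file "$WORK/ca.crt" -keystore "$1" -storepass "$2"
  keytool -importcert -alias tomcat -file "$WORK/server.crt" \
    -keystore "$1" -storepass "$2"
}
```

Run pubkeys_match against request.csr and the cert you are about to import; if it fails, the file is not a reply for the keystore's key pair, whatever its subject says.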
Best Answer
I am not sure the following is right, but it seems to work. Cobbling some steps together from various web sites, executing these commands generates a keystore that works for SSL connections via Tomcat. It does it in pieces and parts, which will let me test each piece of my system.