Create key pair and certificate request

(This method is not used for digital IDs from the UCAM.)

To create a certificate request, use the two commands below. The private key is saved in the Java keystore, and the certificate request is written in the required PKCS#10 format to xxx-req.pem. The alias you need to specify depends on your application:

keytool -genkey -alias xxx -keyalg RSA -keysize 4096

keytool -certreq -keyalg RSA -keysize 4096 -alias xxx -file xxx-req.pem

Import certificates

To import the GÉANT TCS CA certificates for server certificates, which you can download here as text files in PEM format, use the following commands:

keytool -import -alias rsa-root-2021 -file rsa-root-2021.pem

keytool -import -alias rsa-server-2021 -file rsa-server-2021.pem

keytool -import -alias rsa-acme-2021 -file rsa-acme-2021.pem

keytool -import -alias ecc-root-2021 -file ecc-root-2021.pem

keytool -import -alias ecc-server-2021 -file ecc-server-2021.pem

keytool -import -alias ecc-acme-2021 -file ecc-acme-2021.pem

Your own certificate can then be imported with this command:

keytool -import -alias xxx -trustcacerts -file xxx.crt
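Because an imported CA certificate becomes a trust anchor, it is worth comparing each downloaded PEM file's SHA-256 fingerprint with a value obtained separately from the CA before running keytool -import. The script below is an added example, not part of the original page; the function names and the pin argument are assumptions made for illustration, and -noprompt is used because the fingerprint comparison takes the place of keytool's interactive trust question.

```shell
#!/bin/sh
# Added example (not from the original page): compare a downloaded PEM file's
# SHA-256 fingerprint with a pin obtained separately before keytool -import.

# Print the SHA-256 fingerprint of the first PEM block in file $1, in the
# colon-separated upper-case form that keytool -printcert displays.
# Steps: keep the first BEGIN..END block, drop the armour lines, decode the
# base64 body to DER, hash it, then format the hex digest.
pem_sha256() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" |
        sed '/^-----END /q' |
        grep -v '^-----' |
        tr -d ' \r\n' |
        base64 -d |
        sha256sum | cut -d' ' -f1 |
        tr 'a-f' 'A-F' |
        sed 's/../&:/g; s/:$//'
}

# Succeed only if file $1 has exactly the fingerprint $2 (case-insensitive).
# An empty pin or an unreadable file never matches, so the check fails closed.
pin_matches() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$want" ] && [ "$(pem_sha256 "$1")" = "$want" ]
}

# Import file $2 under alias $1 only if it matches pin $3.
# The pin is an assumption: take it from the CA's published fingerprints.
import_pinned() {
    if ! pin_matches "$2" "$3"; then
        echo "REFUSED $2: fingerprint $(pem_sha256 "$2") does not match pin" >&2
        return 1
    fi
    keytool -import -noprompt -alias "$1" -file "$2"
}

# Usage: script ALIAS FILE.pem EXPECTED_SHA256_FINGERPRINT
if [ "$#" -eq 3 ]; then
    import_pinned "$1" "$2" "$3"
fi
```

Run it once per CA file, passing the alias and file name from the commands above together with the fingerprint published for that certificate.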

Import digital ID

To import the contents of a PKCS#12 file into a Java keystore, you can use the following command:

keytool -v -importkeystore \
  -srckeystore xxx.p12 -srcstoretype PKCS12 \
  -destkeystore xxx.jks -deststoretype JKS