Java Keytool - Generate CSR

A Certificate Signing Request (CSR) is required when applying for an SSL certificate. This CSR (and private key) can be generated on your webserver. To request a wildcard certificate, fill in an * (asterisk) for the subdomain, for example * (instead of

There are a variety of server and router products that make use of Java. To be able to manage certificates, Java contains the keytool command. This manual describes how to generate a Private key and CSR with the use of the keytool command. In this example we make use of the /etc/ssl/cert/ directory, and is used as the FQDN common name. You should replace all occurrences of in the commands with the domain name where the certificate should be issued for.

It is recommended to perform these operations via a SSH session, since the CSR can then be easily be copied to a browser for the submission of the request. First we create a keypair, and then the CSR created from this basis.

Generate Private Key

  1. Log in to the server and change to root.
  1. Create a directory to store the certificate files in, and navigate into this directory: [root@server]# mkdir /etc/ssl/cert[root@server]# cd /etc/ssl/cert
  2. Generate the Private Key with the following command: [root@server cert]# $JAVA_HOME/bin/keytool -genkey -keysize 2048 -alias www_servercertificates_com -keyalg RSA -keystore www_servercertificates_com.jks
  3. Here, the switches used in the command have the following meanings:
    • genkey - generates a new keypair (private key + public key).
    • alias [name] - Sets the referenced name for the keypair.
    • keyalg [encryption algorithm] - sets the used encryption algorithm for this keypair, in the above command we're using RSA.
    • keystore [filename] - sets the filename of the keystore (the file where the certificates are stored in). The keystore is always protected with a password.
      Note: When working on a Windows system, $JAVA_HOME should be replaced with %JAVA_HOME% in the command.
  4. Enter a unique and secure password to protect the Private Key with and store this in a secure place. (The default is changeit).
  5. Enter the requested details of your organization in the required fields.
    Note: The question "What is your first and last name?" is a bit confusing - you should enter the FQDN here where the certificate should be issued for (like, and not your first and last name.
  6. After submitting the required fields, there will be asked to double-check the values. :Is, OU=Xolphin Support, O=Xolphin B.V., L=Heerhugowaard, ST=Noord-Holland, C=NL correct?[no]:Type yes followed by Enter.
  7. There will be asked for an keystore-password. Specify the same password as that specified for securing the certificate store in step 4. Enter key password for <www_servercertificates_com>(RETURN if same as keystore password):
    Note: an incorrect password can cause the following error message: Cannot recover key. Try again with the correct password.

Generate CSR

  1. Now create the CSR with the following commands: [root@server cert]# $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias www_serversertificates_com -file www_serversertificates_com.csr -keystore www_serversertificates_com.jks
  2. Here, the switches used in the command have the following meanings:
    • certreq - makes that an CSR will be created that is based on the previously generated Public Key
    • file [filename] - sets the name of the CSR that will be created
  3. Secure the directory so that only the root user an access: [root@server cert]# chmod 600 *.key *.csr *.jks
  4. The file www_serversertificates_com.csr is the Certificate Signing Request. You can view it's content via the cat command: [root@server cert] cat www_serversertificates_com.csr

To order a certificate, copy the entire contents of the generated CSR, including the first and last line and all dashes.

Order certficate


Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up