  • Keytool is installed as part of a Java Runtime Environment installation. If using BIPST, keytool can be found in <BIPST Install directory>\BISupport\bin
  • For further documentation on how to use Keytool or when encountering issues while using keytool, see the Oracle documentation here. 


All bolded parameters should be replaced by values appropriate to your environment.

Generate the Private Key, Keystore, and a public CA certificate

  1. Open a command line window
  2. Navigate to %JAVA_HOME%\bin
  3. Generate a public key, self-signed certificate, private key and keystore:
    1. Run: keytool -genkeypair -alias CASERVER -keysize 2048 -keyalg RSA -keystore "C:\Keytool\CAsign.jks" -validity 365 -ext bc:c -storepass Password1
    2. Answer the prompts
  4. Export the self-signed certificate
    1. Run: keytool -exportcert -keystore "C:\Keytool\CAsign.jks" -storepass Password1 -alias CASERVER -file "C:\Keytool\cacert.pem" -rfc

Sign a certificate signing request

  1. Copy a certificate signing request to the system (myserver.p10, myserver.csr etc.)
  2. Sign the certificate signing request
    1. Run: keytool -gencert -infile "C:\Keytool\myserver.p10" -validity 365 -keystore "C:\Keytool\CAsign.jks" -alias CASERVER -outfile C:\Keytool\myserver.pem -v
  3. Copy myserver.pem and cacert.pem to your destination computer
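
Before copying the files, it is worth confirming that myserver.pem really chains to cacert.pem and that the CA certificate carries the critical BasicConstraints extension requested with -ext bc:c. The following PowerShell check is an added example, not part of the original procedure; it uses the .NET X509 classes rather than keytool, the function name Test-SignedByCa is hypothetical, and the default paths are the ones used on this page.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Test-SignedByCa is a hypothetical helper name; default paths are the ones used on this page.
function Test-SignedByCa {
    param(
        [string]$CaPath   = 'C:\Keytool\cacert.pem',
        [string]$CertPath = 'C:\Keytool\myserver.pem'
    )
    # X509Certificate2 loads both PEM (keytool -rfc) and binary DER files.
    $ca   = [X509Certificate2]::new($CaPath)
    $cert = [X509Certificate2]::new($CertPath)

    # The CA certificate was generated with "-ext bc:c": expect a critical
    # BasicConstraints extension (OID 2.5.29.19) with CA = true.
    $raw = $ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $raw) { throw 'CA certificate has no BasicConstraints extension' }
    $bc = [X509BasicConstraintsExtension]::new($raw, $raw.Critical)
    if (-not ($bc.CertificateAuthority -and $bc.Critical)) {
        throw 'CA certificate is not marked as a critical CA'
    }

    # Build the chain offline, using only the exported CA certificate.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    $built = $chain.Build($cert)

    # AllowUnknownCertificateAuthority tolerates an untrusted or missing root,
    # so also confirm that the chain really ends at our CA certificate.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $bad = (-not $built) -or ($chain.ChainElements.Count -lt 2) -or
           ($top.Thumbprint -ne $ca.Thumbprint)
    if ($bad) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Signed certificate does not chain to the CA certificate ($why)"
    }

    # SHA-256 fingerprint of the CA certificate, for comparison after the copy.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        CaSha256 = [BitConverter]::ToString($sha.ComputeHash($ca.RawData)).Replace('-', ':')
    }
}

Test-SignedByCa
```

The function throws if any check fails; otherwise it returns the signed certificate's subject, issuer and expiry together with the CA fingerprint, which can be compared against cacert.pem on the destination computer.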


  • Only one certificate authority should exist per environment