How to Generate a Digital Certificate Using Keytool
This tutorial is a part of our DigiSigner tutorial and explains in detail how to generate digital certificates using keytool. key and certificate management tool.
We also show how to do the same task using the graphical interface of our DigiSigner tool, tiny PDF viewer and signer. You can download DigiSigner for Windows, Mac or Linux from our download page.
Generate digital certificate using keytool
Keytool is a utility for generating and managing cryptographic keys and certificates. Keytool is a part of Java installation, so you need to have Java on your computer to be able to use keytool. You can download Java from Java web site.
After you have downloaded and installed Java you can start using keytool immediately. You will find the keytool utility file in the JAVA_HOME/bin directory. JAVA_HOME is here the directory where you installed your Java environment. On my Windows computer keytool.exe is under C:\Program Files\Java\jre6\bin.
Now you should open your shell or command prompt, how it is called on Windows (on Windows it is under Start -> All Programs -> Accessories -> Command Prompt ).
If you are on Windows, type the following command and press enter. On Unix use the same command but replace backslash (\) with slash (/).
JAVA_HOME\bin\keytool -genkeypair -alias my_certificate -keystore my_keystore.pfx -storepass my_password -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
On my Windows computer the command looks like this:
"C:\Program Files\Java\jre6\bin\keytool" -genkeypair -alias my_certificate -keystore my_keystore.pfx -storepass my_password -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
Some information about parameters:
my_certificate is the alias for your certificate in the key store. Normally you will never use it, but every new certificate in your key store must have its own alias.
my_keystore.pfx is the key store file, which will be generated as the result of the process. It will contain your certificate and a corresponding private key.
You will be able to reuse this key store for next certificates you maybe will generate. One key store can contain many certificates.
my_password is the password, that protects your key store file. You will have to enter it every time you want to sign a document.
validity is the number of days your certificate will stay valid. You can enter more than 365.
RSA is the algorithm used to generate the cryptographic keys, corresponding to your certificate.
2048 is the length of the cryptographic keys. The more the length the stronger the signature.
pkcs12 is the format of the key store file. PKCS#12 (a.k.a PFX) key stores can be understood by a lot of different programs and you can also import a PKCS#12 file in your Windows key store (just double click it and follow the instructions).
For additional information about parameters by certificate generation please see the official keytool documentation.
During the certificate generation process you will be prompted to enter some information about you. This information will be saved in your certificate. At the end you have to confirm the entered information.
That's how it looks like on my computer:
At the end you will find the new key store file my_keystore.pfx in your current directory. You can register this key store with DigiSigner and use your certificate to sign PDF documents. For more information go to PDF signing instructions.
Generate digital certificate using DigiSigner (graphical interface)
For those who prefer graphical interface, you can generate a digital certificate using our DigiSigner tool. You can download it here.
You need to start DigiSigner, go to the Signature menu and choose the Generate certificate menu item
Then enter your personal data in the Certificate Generation dialog. Fields marked with an asterisk are required.
Then click on Generate and get your certificate generated. That's all.