May 15, 2014
Some will say it is not possible (which seems logical, because keytool doesn't allow it) and that you will need to create a new keystore, generate a key pair, and issue a new certificate request with the CSR exported from this keystore key pair. That's not true though, there is always a way. Let's suppose the original request has been approved and you.
Choose JKS as the type for the new keystore we will be creating, as it is the most common. Save the keystore with a keystore password when prompted. Now that we have a keystore created to hold all our keys and certificates, let us try to create a new key pair.
The certificate is valid for 365 days. The size of the generated RSA key is 1024 bytes. The password of the private key is 'mykeypass'. The key pair is stored in a keystore file mystore.jck with format JCEKS (if the file does not exist, it will be created). The password of the keystore.
You should not be able to read the private key if you generate the key inside the token. You'll need to create a dummy certificate (for example self-signed) and store it with an alias; the keystore model depends on certificates to be usable.
To generate a key pair entry in a keystore: from the Tools menu, choose Generate Key Pair. Alternatively, click on the Generate Key Pair toolbar button. The Generate Key Pair dialog will be displayed. Select a Key Algorithm and Key Size and press the OK button. Key pair generation will start in the background.
After creating a certificate, the owner must sign the certificate to prevent forgery. E-commerce sites, or those for which authentication of identity is important, can purchase a certificate from a well-known Certificate Authority (CA).
Note – If authentication is not a concern, for example if private secure communications are all that is required, you can save the time and expense involved in obtaining a CA certificate by using a self-signed certificate.
Follow the instructions on the CA's web site for generating certificate key pairs.
Download the generated certificate key pair.
Save the certificate in the directory containing the keystore and truststore files. The default is domain-dir/config.
In your shell, change to the directory containing the certificate.
Import the certificate into the local keystore and, if necessary, the local truststore using the following command format:
If the keystore or private key password is not the default password, then substitute the new password for the default (changeit).
To apply your changes, restart GlassFish Server.
See To Restart a Domain.
Certificates are often stored using the printable encoding format defined by the Internet Request for Comments (RFC) 1421 standard instead of their binary encoding. This certificate format, also known as Base 64 encoding, facilitates exporting certificates to other applications by email or through some other mechanism.
The reply format defined by the Public Key Cryptography Standards #7, Cryptographic Message Syntax Standard, includes the supporting certificate chain in addition to the issued certificate.
For more information about keytool, see the keytool reference page.