certificate issue

Hello Guys,

I have few queries on certificates or i can say confusion.

I am successfully able to generate certificate in JKS format vai keytool with below information
let say file name XYZ.jks
Is CN=, OU=EAI, O=, L=, ST=, C= correct?

Queries :-

  1. While giving this XYZ.JKS to my CA for singing purpose which certificate I need to provide in (CSR) format?
    Do I need to extract public key and give to CA for singing OR I need to provide private key ?

  2. In IS Admin console Security --> Keystore --> Alias
    A. Keystore list { Here what all files or certificate we will upload can you pls confirm ?
    B. In Trustore list { Here what all file or certificate we will upload can you pls confirm ?

C. While going through inside trust store properties in section called certificate Alias
While providing public certificate to target apps or client then

  1. Is it tagged with certificate with Alias Name Is it ?
  2. How come client/target apps will identify which certificate need to be a line or Sync with via Alias Name Is it ?
  3. Let say i have diff alias name but certificate information in trust store is same so how cm target/client apps will identify which certificate need to be Sync or a line ?

Hi Vinay,

can you provide a sample keytool command you are using for certificate creation?

We create private key and CSR using OpenSSL.

Private key is private and should never be needed by someone else.

CA will be given the CSR and will return the signed certificate together with their signing certificate chain.

Private key and signed certificate will form the JKS- or PKCS12-Keystore.
The signing certificate chain will form the JKS-Truststore.


I have been using below keytool cmd for JKS file generating.

Step 1. JKS File :-
keytool -genkey -alias sampleJKS -validity 730 -keystore D:\certificates\sample2016_keystore.jks

Step 2. Extract public key and provide to CA for Signing
keytool -export -alias sampleJKS -keystore D:\Certificates\sample2016_keystore.jks -rfc -file D:\Certificates\sample2016_publickey.cer

Extracted public key and provide to CA for Signing and then CA team will provide below chain ?
a. signed public cert
b. intermediate cert
c. root ca cert

Step 3. singed CSR and private key will store in keystore in WM
Here can you pls provide command to combine Signed CSR and private key via keytool please?

Step 4. CA provide intermediate cert and root ca cert will uploaded in Trust store. pls confirm this steps?

Can some one please review above steps and confirm for constructiveness ?

I believe in step 3.

We will be providing this signed public CSR certificate to external apps/client ??

where as, private key / Intermediate cert and root ca cert will form a JKS file which will be uploaded in key store in WM


Intermediate cert and root ca cert in JKS file will be uploaded in trust store in WM

Please validate and confirmed ?

Hi Vinay,

This one is already a signed certificate (signed against itself).

keytool -import -trustcacerts -alias -file .{cer|pem} -keystore .jks

If there a multiple intermediate CAs, you will have to repeat the command for all of them in reverse order by using the same jks-file for -keystore parameter:

  • I1 CA based on RootCA
  • I2 CA based on I1 CA

Root CA should be a CA already available in cacerts in the jvm (-trustcacerts refers to these CAs).

You can check this with the following command:
keytool -list -keystore /cacaerts -storepass changeit

The Truststore will be needed by both systems (local and remote), but the keystore should not be needed to exchange between local and remote system.