Java KeyStore - Asymmetric Encryption

Set up a Java KeyStore and TrustStore for asymmetric encryption


1) Create a keystore directory and set its permissions to 744.

# mkdir /root/keystore
# chmod 744 /root/keystore
# cd /root/keystore

2) To create a key pair in a new keystore, determine the following:
• The alias of the key
• The password for the key
• The size of the key. It can be 1024 bits or higher.
• The password for the KeyStore
• The filename of the KeyStore
• The Distinguished Name for the X.509 certificate

3) To create the key pair in a new keystore, execute the following command:

keytool -genkey -alias {keyalias} -keyalg RSA -keystore {keystore filename} -storepass {keystore password} -keypass {key password} -dname "{DN for X.509 certificate}" -storetype JKS -keysize {size of key}

4) Consider the following scenario:
• The key’s alias is PrivateKeyAlias
• The password for the key is PrivateKeyPwd
• The size of the key is 1024 bits.
• The KeyStore password is 123456.
• The KeyStore filename is private.keystore.
• The X.509 certificate’s DN is CN=root, OU=Development, O=org, L=Pune, S=Maharashtra, C=INDIA

In the above scenario, execute the following command to create the key pair and

keytool -genkey -alias PrivateKeyAlias -keyalg RSA -keystore private.keystore -storepass 123456 -keypass PrivateKeyPwd -dname "CN=root, OU=Development, O=org, L=Pune, S=Maharashtra, C=INDIA" -storetype JKS -keysize 1024


5) # chmod 640 private.keystore


6) Create a password file named private.keystore.passwords and put the following contents in it.


7) # chmod 440 private.keystore.passwords


8) Create a TrustStore by performing the following steps:

a) Use the keytool command to extract the public key from the KeyStore and save it to a file named public.cert.

For example, if the private key’s alias is PrivateKeyAlias and the KeyStore’s filename is private.keystore,
then execute the following command:

keytool -export -alias PrivateKeyAlias -keystore private.keystore -rfc -file public.cert -storepass 123456

b) Use the keytool command to create a TrustStore that contains the public certificate extracted from the KeyStore.

For example, if the public key’s alias is PublicKeyAlias and the TrustStore’s filename is public.truststore, then
execute the following command:

keytool -import -alias PublicKeyAlias -file public.cert -keystore public.truststore -storepass 123456


c) # chmod 644 public.truststore


9) Create a file named public.truststore.passwords with the following contents:



10) # chmod 644 public.truststore.passwords


11) Done
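
The script below is an added example, not part of the original post: a POSIX shell audit that compares the directory and the four files against the modes set in the steps above, and confirms that the TrustStore holds the same certificate as the KeyStore. The function names and the KS_PASS and TS_PASS environment variables are assumptions of this example, and same_cert needs keytool on the PATH.

```sh
#!/bin/sh
# Added example (not from the original post): audit the files that the
# steps above create. Expected modes are the ones the post sets with chmod.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_modes DIR: compare each item with the mode the post assigns to it.
# Prints one line per item; the return status is the number of problems.
check_modes() {
    dir=$1
    problems=0
    while read -r name want; do
        case $name in
            .) path=$dir ;;
            *) path=$dir/$name ;;
        esac
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            problems=$((problems + 1))
            continue
        fi
        have=$(mode_of "$path")
        if [ "$have" = "$want" ]; then
            echo "OK       $path ($have)"
        else
            echo "MISMATCH $path is $have, expected $want"
            problems=$((problems + 1))
        fi
    done <<EOF
. 744
private.keystore 640
private.keystore.passwords 440
public.truststore 644
public.truststore.passwords 644
EOF
    return "$problems"
}

# same_cert KEYSTORE KS_ALIAS TRUSTSTORE TS_ALIAS: succeed only when both
# stores hold the same certificate. The store passwords are taken from the
# environment variables KS_PASS and TS_PASS (names assumed for this example).
same_cert() {
    ks=$(keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass:env KS_PASS) || return 2
    ts=$(keytool -exportcert -rfc -alias "$4" -keystore "$3" -storepass:env TS_PASS) || return 2
    [ "$ks" = "$ts" ]
}
```

Run `check_modes /root/keystore` after the final step, then `same_cert private.keystore PrivateKeyAlias public.truststore PublicKeyAlias` with KS_PASS and TS_PASS exported. Reading the passwords from the environment keeps them out of the process list, unlike `-storepass` on the command line.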



