Buy from the highest-rated provider   Buy Certificate x

How to Create a Self Signed Certificate using Java Keytool

Java Keytool LogoSecuring your Java application with an SSL certificate can be extremely important. Fortunately, it is (usually) quite simple to do using Java Keytool. Most situations require that you buy a trusted certificate, but there are many cases when you can generate and use a self signed certificate for free.

When to Use a Keytool Self Signed Certificate

An SSL certificate serves two essential purposes: distributing the public key and verifying the identity of the server so users know they aren't sending their information to the wrong server. It can only properly verify the identity of the server when it is signed by a trusted third party. A self signed certificate is a certificate that is signed by itself rather than a trusted authority. Since any attacker can create a self signed certificate and launch a man-in-the-middle attack, a user can't know whether they are sending their encrypted information to the server or an attacker. Because of this, you will almost never want to use a self signed certificate on a public Java server that requires anonymous visitors to connect to your site. However, self signed certificates have their place:

Never use a self signed certificate on an e-commerce site or any site that transfers valuable personal information like credit cards, social security numbers, etc.

  • An Intranet. When clients only have to go through a local Intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
  • A Java development server. There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.
  • Personal sites with few visitors. If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.

Just keep in mind that visitors will see a warning in their browsers (like the one below) when connecting to a server that uses a self signed certificate until it is permanently stored in their certificate store.

Apache Self signed Certificate Error in Firefox

Generate a Self Signed Certificate using Java Keytool

Now that you know when to use a Keytool self signed certificate, let's create one using a simple Java Keytool command:

  1. Open the command console on whatever operating system you are using and navigate to the directory where keytool.exe is located (usually where the JRE is located, e.g. c:\Program Files\Java\jre6\bin on Windows machines).
  2. Run the following command (where validity is the number of days before the certificate will expire):
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
  3. Fill in the prompts for your organization information. When it asks for your first and last name, enter the domain name of the server that users will be entering to connect to your application (e.g.

Java Keytool Self Signed Certificate command

This will create a keystore.jks file containing a private key and your sparklingly fresh self signed certificate. Now you just need to configure your Java application to use the .jks file. If you are using Tomcat, you can follow our Tomcat SSL Installation Instructions.

For more information on creating a Java Keytool Self Signed Certificate, see the following links:

Originally posted on Sat Oct 30, 2010



Good stuff, thanks. Can you explain why neither my Firefox nor Explorer browsers are encrypting the info (as reported by FF's Page Info)? I created the cert and changed the Tomcat server.xml and that seems to be working fine.
I was under the impression that a self-signed cert would allow me to send data encrypted, granted from an untrusted site, but if I "accept the risks", shouldn't the data be encrypted?


I need to generate the secured links that can be emailed to the customer. When user clicks on the email link it should perform a Single Sign-On. Could you advise how I can send encrypted URL to customer via email using SSL? I need it urgently. Please help!

Melvin Lai(2014-12-13)


I followed your step exactly the way you typed but I get an keytool error when I tried to create a self-signed cert.

The error shows: "keytool error: keystore.jks <access is="" denied="">

I thought that command is to create a keystore.jks? Why am I getting this error then?


during generating the self-signed root certificate, key pair is generated. but not in separate fiels but somewhere part of certificate. Is is possible to export both keys?

thanks Pavol


Enter key password for <selfsigned>
(RETURN if same as keystore password):
keytool error: D\tmp\keystore.jks (The system can
not find the path specified)


keytool error
Reply #2 on : Tue March 06, 2012, 23:16:06

I followed your step exactly the way you typed but I get an keytool error when I tried to create a self-signed cert.

The error shows: "keytool error: keystore.jks <access is="" denied="">


is there any code available for generate keys via key tool by java code... If it is available, please share it..


I have done all your steps. I have created the .jks file but now i don't now what to do.
Can you explain please?



The the .jks file was created. What's now?
Youu have got this question already, but i did not founf teh answer for it.


Dellanio Alencar(2014-12-13)

Anyone can tell me if it's possible to sign a Java Applet with selfsign certificate?


I have created a selfsigned certificate using your command and can see in the keystore -list a selfsigned certicate. but when i use jarsigner to apply to my .Jar file it gives me error: Certificate chain not found for keystore.jks. keystore.jks must reference a valid keystore key entry containing a private key and corresponding pulbic key certificate chain.

Suma Gopalakrishna(2014-12-13)

If you are using a build.xml and running ant, you would have mentioned a property tag with a file attribute = or any other filename where you store some variables to be read by ant. Now in the add the following lines,\\suma\\MYAPP\\VER1.0\\keystore.jks

where should just give absolute path name of the .jks file generated and alias should be assigned whatever you mentioned for -alias in the keytool command.
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048



i have tried generating keys but getting the below exception.
"keytool error: keystore.jks (Access is denied)"

Do i need the admin rights for generating the keys.

Puneet Pahuja

Bharat Bhushan(2014-12-15)

That's probably because you don't have write permissions in the directory you're executing the command from...I had the same problem when I tried to execute the command from c:\program files\....\jre\bin. It worked fine when I change the directory to desktop!


I am working in an application where https page is shown in an iframe.So i want to skip the SSL browser warning page? Can some one suggest how to do that?

Krishna Chaitanya P(2014-12-13)

That might be because you do not have permissions to write to the place where you are trying to create the keystore. Try saving the keystore to a different place maybe:

keytool -genkey -keyalg RSA -alias selfsigned -keystore /tmp/keystore.jks -storepass password -validity 360 -keysize 2048


Open the cmd.exe by Run as administrator... and it`s work...


Steps to Convert HTTP to HTTPS:
1. To generate Keypair and password:
JDK_Home\bin>keytool -genkeypair -alias Tomcat -keyalg RSA
Provide some preliminary details and give password as "changeit"(Password should be any)
2. Edit the file:-
<connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" minsparethreads="5" maxsparethreads="75" enablelookups="true" disableuploadtimeout="true" acceptcount="100" maxthreads="200" scheme="https" secure="true" sslenabled="true" keystorefile="${user.home}/.keystore" keystorepass="changeit" clientauth="false" sslprotocol="TLS"/>
Note: keystorePass = "changeit" (Here Password Should be same as the password which is provided in Step.1)


I am doing exactly the same what you have done. Previously it was working fine for me. Now i am trying to do the same setup in a new machine, created a keystore and setup the https server.xml file. While accessing the wsdl using data - Connect to webservices wizard it throwing me the error
There was an error during service introspection.
WSDLException: faultCode=OTHER_ERROR: Unable to resolve imported document at ' PKIX path building failed: unable to find valid certification path to requested target



i'm writing a client-server application for Android devices, so i don't want to use any browsers. Will the above procedure work?



OK so ive tried this over and over and my key is nowhere to be found. I used jre7\bin to store it and after I created it, its not showing up in that directory? Nor can It be found when I search windows.

Roy Hutton(2017-01-20)

You have to set the directory you want the jks file to go in using the above command


keystore.jks is generated but where is a certificate?
X.509 certificate is needed


I know this is more than a year old, but it was the first search result from my Google search.

This command will export an X.509 certificate for you:
keytool -export -alias selfsigned -keystore keystore.jks -rfc
-file X509_certificate.cer

Yamini Singh(2017-04-05)



You're rock mate!


After creating a Keystore with the cmd option listed. What is is called and where was it created?


Hi Shawn,

The file is called whatever you specify in the command (it is keystore.jks in the example) and it is placed in the directory where you ran the command.


No .crt file is created. The certificate and the key are both contained in the .jks file.

Tayfun DEGER(2015-09-19)

Many Thanks :)

Er TuŞhär LäkHerą(2016-03-11)

How I create an apk file coz from where I enter the URL in key store path


I am unable to see the keystore.jks file in mybin location

Rodolfo (2016-09-13)

\you can include the path to save your keystroke.jks, example: c:\temp\keystroke.jks.

keytool -genkey -keyalg RSA -alias selfsigned -keystore c:\temp\keystore.jks -storepass password -validity 360 -keysize 2048

Pixelstech Net(2016-09-17)

After generating the keystore which stores the certificate, it can be exported to a certificate if necessary. The command should be :

keytool -export -keystore examplestore -alias signFiles -file Example.cer

If a certificate chain is needed, you can refer to which has a great example.

Yogesh Mude(2017-02-10)

I have created .csr and .jks files now i need to .cert/.crt file.
how do i created these file.

Sanjyota Patil(2017-10-30)

i am getting following error:
Keytool error: keystore.jks (Access is denied)
suggest me solution, please.


Run it with admin privileges




Advertisement • Hide