Creating a client key pair and certificate

Follow these steps to create a client key pair and a client certificate.

  1. Choose a password for the key store.

    Suppose you choose the password secretClientPassword.

  2. On the client system, issue the following command to create the client's public/private key pair.

    You will be prompted to enter the password plus some identifying information (your input is marked bold):

    keytool -genkey -alias MyClientName -keystore ~/vault/ClientKeyStore
    Enter keystore password: secretClientPassword
    What is your first and last name?
    [Unknown]: MyFirstName MyLastName
    What is the name of your organizational unit?
    [Unknown]: Proofreading Department
    What is the name of your organization?
    [Unknown]: Name of my bookstore
    What is the name of your City or Locality?
    [Unknown]: New York
    What is the name of your State or Province?
    [Unknown]: NY
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=MyFirstName MyLastName, OU=Proofreading Department, O=Name of my bookstore, L=New York, ST=NY, C=US correct?
    [no]: yes
    Enter key password for <MyClientName>
       (RETURN if same as keystore password):
  3. Next, create a certificate for this client. Enter the command all on one line:
    keytool -export -alias MyClientName \
    -keystore ~/vault/ClientKeyStore  -rfc -file ClientCertificate \
    -storepass secretClientPassword
    This command creates a file called ClientCertificate. Later, you will import this file into the server's trust store.
Related concepts
Booting the server and connecting to it
Key and certificate handling
Starting the server with SSL/TLS
Running the client with SSL/TLS
Other server commands
Related tasks
Creating a server key pair and certificate
Importing certificates