Creating a client key pair and certificate

Follow these steps to create a client key pair and a client certificate.

  1. Choose a password for the key store.

    Suppose you choose the password secretClientPassword.

  2. On the client system, issue the following command to create the client's public/private key pair.

    You will be prompted to enter the password plus some identifying information (your input is the text that follows each prompt):

    keytool -genkey -alias MyClientName -keystore ~/vault/ClientKeyStore
    Enter keystore password: secretClientPassword
    What is your first and last name?
    [Unknown]: MyFirstName MyLastName
    What is the name of your organizational unit?
    [Unknown]: Proofreading Department
    What is the name of your organization?
    [Unknown]: Name of my bookstore
    What is the name of your City or Locality?
    [Unknown]: New York
    What is the name of your State or Province?
    [Unknown]: NY
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=MyFirstName MyLastName, OU=Proofreading Department, O=Name of my bookstore, L=New York, ST=NY, C=US correct?
    [no]: yes
    Enter key password for <MyClientName>
       (RETURN if same as keystore password):
  3. Next, create a certificate for this client. Enter the command all on one line:
    keytool -export -alias MyClientName \
    -keystore ~/vault/ClientKeyStore  -rfc -file ClientCertificate \
    -storepass secretClientPassword
    This command creates a file called ClientCertificate. Later, you will import this file into the server's trust store.
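    The three steps above as one non-interactive script, followed by the check a server administrator should make before importing ClientCertificate into the server's trust store. This is an added example, not part of the original documentation; it assumes a JDK keytool on the PATH, and the alias, password and distinguished name are the constructed sample values from the steps above.

```shell
#!/bin/sh
# Added example, not from the original documentation. Assumes keytool (JDK)
# is on PATH; alias, password and DN are the constructed sample values above.
set -eu

# Create the key pair and export its certificate into the directory "$1".
# Prints the SHA-256 fingerprint of the exported certificate on success.
create_client_cert() {
    dir="$1"
    alias="MyClientName"
    storepass="secretClientPassword"
    store="$dir/ClientKeyStore"
    cert="$dir/ClientCertificate"

    # Steps 1 and 2: -genkeypair is the current name of -genkey; -dname
    # supplies the identifying information so no prompts appear, and
    # -keypass equal to -storepass is the RETURN answer in the dialog.
    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
        -dname "CN=MyFirstName MyLastName, OU=Proofreading Department, O=Name of my bookstore, L=New York, ST=NY, C=US" \
        -keystore "$store" -storepass "$storepass" -keypass "$storepass" \
        -validity 365 >/dev/null 2>&1

    # Step 3: export the certificate (identity and public key only) as PEM.
    keytool -export -alias "$alias" -keystore "$store" -rfc \
        -file "$cert" -storepass "$storepass" >/dev/null 2>&1

    # Check: the file to be shipped to the server must not carry the private
    # key, and its fingerprint must match the entry in the key store. Give
    # that fingerprint to the server administrator out of band so the import
    # into the trust store can be verified against it.
    if grep -q "PRIVATE KEY" "$cert"; then
        echo "private key leaked into certificate file" >&2
        return 1
    fi
    fp_file=$(keytool -printcert -file "$cert" | sed -n 's/.*SHA256: //p')
    fp_store=$(keytool -list -v -alias "$alias" -keystore "$store" \
        -storepass "$storepass" | sed -n 's/.*SHA256: //p')
    [ -n "$fp_file" ] && [ "$fp_file" = "$fp_store" ] || return 1
    printf '%s\n' "$fp_file"
}
```

Run it as `create_client_cert ~/vault` to reproduce the files the steps above create; the printed fingerprint is what the server side should compare against after importing.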