Last updated on June 24th, 2025 at 07:52 am
If you’re working on a local Java application and need to enable HTTPS, one of the quickest ways to do it is by generating a self-signed SSL certificate using Java Keytool. While these certificates aren’t trusted by browsers for public sites, they’re perfectly fine for development and internal testing.
In this guide, I’ll walk you through how to generate your own certificate using Keytool, export it if needed, and even import it into another keystore.
More information: Oracle reference
What Is a Self-Signed Certificate?
A self-signed certificate is an SSL certificate that is signed by the same entity whose identity it certifies. That means you’re acting as your own Certificate Authority (CA). These are:
- Not recommended for production, since they won’t be trusted by browsers
- Great for development, internal apps, or local testing
Step 1: Generate the Keystore and Certificate
You can use the following command to create a keystore file (keystore.jks) and generate a self-signed certificate:
keytool -genkeypair \
-alias selfsigned \
-keyalg RSA \
-keysize 2048 \
-sigalg SHA256withRSA \
-validity 365 \
-keystore keystore.jks \
-storepass changeit \
-dname "CN=localhost, OU=Dev, O=YourCompany, L=City, ST=State, C=US" \
-ext SAN=DNS:localhost,IP:127.0.0.1
Here’s what each part means:
- -keysize 2048: Uses a secure RSA 2048-bit key
- -sigalg SHA256withRSA: A modern, secure signing algorithm
- -validity 365: Certificate will be valid for 1 year
- -ext SAN=...: Adds Subject Alternative Names, which are required by modern browsers and tools
Make sure to replace the dname values with your own organization or domain details.
Step 2: Export the Certificate (Optional)
If you want to share the certificate with others or import it elsewhere, export it using:
keytool -exportcert -alias selfsigned -keystore keystore.jks -file selfsigned.cer -rfc
This generates a .cer file in PEM format that you can distribute or import into other keystores.
Step 3: Import the Certificate into Another Keystore (Optional)
If another Java application needs to trust this certificate, you can import it into its truststore like this:
keytool -import -alias selfsigned -file selfsigned.cer -keystore truststore.jks -storepass changeit
This helps when you’re running a secure connection between services internally.
Step 4: Verify the Keystore
Once everything is done, you can list the details of your keystore to verify:
keytool -list -v -keystore keystore.jks
Look for:
- The alias (selfsigned)
- Validity dates
- Subject Alternative Names (SANs)
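To check the result end to end, the added example below (not part of the original guide) serves HTTPS from keystore.jks and calls it with a client that trusts only truststore.jks, so the handshake succeeds only if the certificate chains to that truststore and its SAN matches the host name in the URL. The class name SelfSignedDemo and port 8443 are assumptions, as are Java 11+, both files sitting in the working directory, and the key password being the same changeit used for the store.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.File;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedDemo { // hypothetical class name
    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // password from the guide's commands

        // Server side: private key and certificate generated in Step 1.
        KeyStore keys = KeyStore.getInstance(new File("keystore.jks"), pass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, pass); // assumes key password == store password
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(kmf.getKeyManagers(), null, null);
        HttpsServer server = HttpsServer.create(new InetSocketAddress("localhost", 8443), 0); // assumed port
        server.setHttpsConfigurator(new HttpsConfigurator(serverCtx));
        server.createContext("/", ex -> {
            byte[] body = "hello over TLS".getBytes();
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();

        // Client side: trusts only the certificate imported in Step 3.
        KeyStore trust = KeyStore.getInstance(new File("truststore.jks"), pass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext clientCtx = SSLContext.getInstance("TLS");
        clientCtx.init(null, tmf.getTrustManagers(), null);
        try {
            // HttpClient also checks "localhost" against the certificate's SAN entries.
            HttpClient client = HttpClient.newBuilder().sslContext(clientCtx).build();
            HttpResponse<String> rsp = client.send(
                HttpRequest.newBuilder(URI.create("https://localhost:8443/")).build(),
                HttpResponse.BodyHandlers.ofString());
            System.out.println(rsp.statusCode() + " " + rsp.body());
        } finally {
            server.stop(0);
        }
    }
}
```

Run it with java SelfSignedDemo.java; a handshake exception instead of the 200 line means the truststore does not contain the certificate or the SAN does not cover the host name you connected to.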
Summary
By using Java Keytool, you can quickly create a secure keystore and certificate for local testing or internal services. Just remember: don’t use these in production—they won’t be trusted by browsers and can lead to security warnings.
Let me know in the comments if you ran into any issues.