keytool is the key and certificate management utility shipped with the Java Development Kit (JDK). This procedure uses the JDK's copy of keytool, so a full JDK, not only a Java Runtime Environment (JRE), must be installed on the system where the steps are performed.
Among other things, keytool can generate a key pair together with a self-signed certificate usable for TLS and store both in a Java Keystore (JKS) file. The ability to add X.509 extensions to the certificates it generates (the -ext option) was introduced in JDK 7; earlier releases cannot produce the SubjectAlternativeName (SAN) extension this procedure requires, and the appliance's FQDN and aliases must be in the SAN for TLS clients to accept the certificate.
The following steps can be performed on any system on which the Java Development Kit (JDK) can be installed and run. It is assumed that JDK 7 or later is already installed on that system.
Please note that the “official” FQDN of the SAKA in this example is shown to be saka.domain.name, and the aliases to be embedded in the SAN extension are saka.domain.name, saka01.domain.name and saka02.domain.name. Please replace these examples with your choice of FQDN and aliases within your DNS domain.
shell> <Path to keytool executable> -genkeypair -keystore <Path to writable location>/keystore.jks -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3652 -dname "CN=saka.domain.name,OU=StrongAuth KeyAppliance,O=<Company Name>" -keypass changeit -storepass changeit -alias s1as -ext san=dns:saka.domain.name,dns:saka01.domain.name,dns:saka02.domain.name

Modify the paths, FQDNs and company name in the example above. Do NOT change the values of the keypass, storepass or alias options unless your SAKA has been modified since its installation to not use these default values; the appliance's default configuration expects the keystore password changeit and the key alias s1as. The -keysize 2048 option is given explicitly because the keytool in JDK 7 defaults to 1024-bit RSA keys, which is below current minimum recommendations (JDK 8 and later default to 2048 bits). A Windows example with all values filled in:

shell> "c:\Program Files\Java\jdk1.7.0_71\bin\keytool.exe" -genkeypair -keystore "c:\tmp\keystore.jks" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3652 -dname "CN=saka.acme.com,OU=StrongAuth KeyAppliance,O=Acme Inc" -keypass changeit -storepass changeit -alias s1as -ext san=dns:saka.acme.com,dns:saka01.acme.com,dns:saka02.acme.com
In SAKA clusters larger than two, add one more 'dns:<SAKA FQDN>' entry to the comma-separated san= list for each additional SAKA. A TLS client that performs hostname verification accepts the certificate only if the name it connected to appears in the SAN, so every FQDN and alias that clients will use must be listed. Confirm that the extension was actually written by listing the entry verbosely:

shell> <Path to keytool executable> -list -keystore <Path to writable location>/keystore.jks -storepass changeit -alias s1as -v

Review the output of the command and confirm that the SubjectAlternativeName extension (ObjectId: 2.5.29.17) is present and that its DNSName entries match every FQDN and alias you specified. Then export the certificate (without the private key) to a file so it can be imported into the trust stores of clients:

shell> <Path to keytool executable> -export -keystore <Path to keystore.jks> -storepass changeit -alias s1as -file <Path to writable location>/saka.domain.name.crt
shell> <Path to keytool executable> -import -keystore <Path to Java installation>/jre/lib/security/cacerts -storepass changeit -alias saka.domain.name -file <Path to saka.domain.name.crt>

Note: You may need administrative privileges in your shell/terminal when executing this command, because the cacerts file inside the Java installation is normally not writable by ordinary users. Importing the certificate here makes the self-signed SAKA certificate trusted by every application that uses that Java installation's default trust store; repeat the import on each client Java installation that must trust the SAKA. In JDK 9 and later there is no jre/ subdirectory and the file is located at <Path to Java installation>/lib/security/cacerts.
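The whole procedure gathered into one script, as an added example that is not part of the SAKA documentation or of the appliance's own tooling: it builds the san= list from any number of cluster FQDNs, generates the key pair with -keysize 2048, parses the -list -v output to confirm that every DNSName is present before anything is exported, then exports the certificate and imports it into cacerts. The environment variables KEYTOOL, OUT_DIR and ORG, the function names, and the embedded sample listing are assumptions of this example; the sample is constructed to resemble the Extensions section of keytool's verbose listing so the SAN check can be exercised without a JDK.

```shell
#!/bin/sh
# Added example (not from the SAKA documentation): runs the keytool steps
# above end to end and verifies the SAN extension before the certificate is
# exported and imported. Assumptions, none of them from the page: keytool is
# on PATH or named by $KEYTOOL, output goes to $OUT_DIR, the company name is
# taken from $ORG, and the target cacerts path is the first argument.
#
# Usage: sh saka-cert.sh <cacerts path> <primary FQDN> [alias FQDN ...]

KEYTOOL="${KEYTOOL:-keytool}"
OUT_DIR="${OUT_DIR:-./saka-tls}"
ORG="${ORG:-Acme Inc}"
STOREPASS=changeit   # SAKA defaults: do not change unless the appliance was
KEYPASS=changeit     # reconfigured after installation
ALIAS=s1as

# Build the keytool -ext argument "san=dns:<name>,dns:<name>,..." from every
# FQDN given, so clusters of any size get one dns: entry per SAKA.
build_san_ext() {
    ext=""
    for name in "$@"; do
        ext="${ext:+$ext,}dns:$name"
    done
    printf 'san=%s\n' "$ext"
}

# Read "keytool -list -v" output on stdin and check that the
# SubjectAlternativeName extension (ObjectId 2.5.29.17) is present and carries
# a DNSName entry for every name given. Returns 0 if all are found, 1 otherwise.
check_san() {
    listing=$(sed 's/^[[:space:]]*//')        # strip keytool's indentation
    if ! printf '%s\n' "$listing" | grep -qF 'ObjectId: 2.5.29.17'; then
        echo "SAN extension (2.5.29.17) not present" >&2
        return 1
    fi
    for name in "$@"; do
        if ! printf '%s\n' "$listing" | grep -qxF "DNSName: $name"; then
            echo "DNSName $name missing from SAN" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample of the relevant part of a "keytool -list -v" listing, so
# check_san can be exercised without a JDK; real output has more fields.
SAMPLE_LISTING='Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: saka.domain.name
  DNSName: saka01.domain.name
  DNSName: saka02.domain.name
]'

# Self-check against the constructed sample; returns 0 when check_san passes.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | check_san "$@"
}

# The procedure itself: generate, verify, export, import.
run_procedure() {
    cacerts="$1"; shift          # remaining args: primary FQDN then aliases
    primary="$1"
    ks="$OUT_DIR/keystore.jks"
    mkdir -p "$OUT_DIR" || return 1
    "$KEYTOOL" -genkeypair -keystore "$ks" -storepass "$STOREPASS" \
        -keypass "$KEYPASS" -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 3652 \
        -dname "CN=$primary,OU=StrongAuth KeyAppliance,O=$ORG" \
        -ext "$(build_san_ext "$@")" || return 1
    # Stop before exporting anything if a name is missing from the SAN.
    "$KEYTOOL" -list -v -keystore "$ks" -storepass "$STOREPASS" -alias "$ALIAS" \
        | check_san "$@" || return 1
    "$KEYTOOL" -exportcert -keystore "$ks" -storepass "$STOREPASS" \
        -alias "$ALIAS" -file "$OUT_DIR/$primary.crt" || return 1
    # -importcert into cacerts needs write access to the Java installation.
    "$KEYTOOL" -importcert -noprompt -keystore "$cacerts" -storepass "$STOREPASS" \
        -alias "$primary" -file "$OUT_DIR/$primary.crt"
}

# Run only when invoked with arguments; with none, the file just defines functions.
[ $# -eq 0 ] || run_procedure "$@"
```

Invoke it as sh saka-cert.sh <Path to cacerts> saka.domain.name saka01.domain.name saka02.domain.name. The check_san step is the part worth keeping even if the rest is typed by hand: a keystore whose certificate lacks one of the cluster names will be rejected by clients connecting to that name, and catching that before the certificate is distributed to every client trust store is much cheaper than after.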