Creating CA using keytool

Hi ,

how to create our own CA using keytool utility ? i find some articles using openssl.. please point some link if any. Thanks.

You cannot use the current keytool as a CA. The version in Java 7 will probably support it, and for now you can write code using the X509V3CertificateGenerator from Bouncy Castle if you know what you’re doing.

Thanks for the information Carey. I will check the link later as i cannot access the link now. Basically i m trying to do this without any Java API.

if you have not got any solution then you may use following steps. I got it from some site and used in a year back, so don't remember the reference
SETTING UP YOUR CA ----------------------------------- 1). Need to have OpenSSL( free open source software) installed on the machine. 2). Create directories to hold your CA keys, your server keys and, if You want to use SSL client authentication, your client keys. 3) Create a private key and certificate request for your own CA: openssl req -new -newkey rsa:1024 -nodes -out ssl/ca/ca.csr -keyout ssl/ca/ca.key 4). Create your CA's self-signed certificate (note lasts one year - increase the days setting to whatever you want): openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in ssl/ca/ca.csr -out ssl/ca/ca.pem openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer Step 5. Import the CA certificate into the JDK certificate authorities keystore: keytool -import -keystore $JAVA_JOME/jre/lib/security/cacerts -file ssl/ca/ca.pem -alias my_ca Step 6. Create a file to hold your CA's serial numbers. This file starts with the number "2": echo "02" > ssl/ca/ca.srl

Thanks Pankaj .
Can i create CA in a machine (installed with openssl) and use the CA to sign the certificate in another machine ?

Yes, i don't think that this is not possible. But one thing you should keep in mind..this is just a dummy and self signed CA