
I have two questions regarding the Java keytool. Can I generate a CSR for a trustedCertEntry?

I also executed this command:

```
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
```

for a trustedCertEntry but I get an error:

```
keytool error: java.lang.Exception: Alias <mydomain> has no key
```

Does this mean a trustedCertEntry cannot generate a CSR? Or do I need to have something, or a key, to generate a CSR file?

user207421
MC123
    A CSR is signed by your private key; since keytool uses keystore files you must have a privatekey entry, which is a privatekey plus cert(s) _in_ a keystore file. A trustedCert entry is only a cert with no privatekey, and you cannot create a CSR using only a cert without the privatekey. PS ITYM 'command' not 'comment'. – dave_thompson_085 Nov 14 '17 at 05:10

1 Answer


> I need to have something, or a key to generate csr file?

Correct. You need a keypair. You can't generate a CSR from somebody else's certificate. Otherwise the whole X.509 system would be insecure.

user207421
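The check the answer describes, as an added example that is not part of the original post: read an alias's entry type from `keytool -list` output and only run `-certreq` when it is a `PrivateKeyEntry`. The alias `myserver`, the function names and the sample listing are constructed, and the parser assumes keytool's default line format of `alias, date, entryType,`.

```shell
#!/bin/sh
# Added example: confirm an alias holds a private key before requesting a CSR.

# Constructed sample of `keytool -list` output; the aliases, dates and
# fingerprints are placeholders, not values from a real keystore.
SAMPLE_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

mydomain, Nov 14, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
myserver, Nov 14, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>'

# entry_type ALIAS   (reads `keytool -list` output on stdin)
# Prints PrivateKeyEntry, trustedCertEntry or SecretKeyEntry, or nothing if
# the alias is absent. Assumes the alias itself contains no ", ".
entry_type() {
  awk -v a="$1" -F', ' '$1 == a {
    for (i = 2; i <= NF; i++)
      if ($i ~ /Entry/) { sub(/,? *$/, "", $i); print $i; exit }
  }'
}

# csr_for_alias KEYSTORE ALIAS OUTFILE
# Runs -certreq only when the alias has a private key; keytool prompts for
# the keystore password, so it is never placed on the command line.
csr_for_alias() (
  etype=$(keytool -list -keystore "$1" -alias "$2" | entry_type "$2")
  case $etype in
    PrivateKeyEntry)
      keytool -certreq -alias "$2" -keystore "$1" -file "$3" ;;
    trustedCertEntry)
      echo "$2 is a trustedCertEntry: a certificate only, no private key." >&2
      echo "Generate a key pair under a new alias first, for example:" >&2
      echo "  keytool -genkeypair -alias <new-alias> -keyalg RSA -keysize 2048 -keystore $1" >&2
      return 1 ;;
    *)
      echo "$2: not found or not usable for a CSR (type: ${etype:-none})" >&2
      return 1 ;;
  esac
)

# Offline demonstration on the constructed sample listing.
for a in mydomain myserver; do
  printf '%s -> %s\n' "$a" "$(printf '%s\n' "$SAMPLE_LIST" | entry_type "$a")"
done
```
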