gencert
-gencert {-rfc} {-infile infile}
{-outfile outfile} {-alias alias}
{-sigalg sigalg} {-dname dname}
{-startdate startdate} {-ext ext}*
{-validity valDays} [-keypass keypass]
{-keystore keystore} [-storepass storepass]
{-storetype storetype} {-providername provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
Generates a certificate as a response to a certificate request file (which can be created by the keytool -certreq command). The command reads the request from infile (if omitted, from the standard input), signs it using alias's private key, and outputs the X.509 certificate into outfile (if omitted, to the standard output). If -rfc is specified, the output format is Base64-encoded PEM; otherwise, a binary DER file is created.
sigalg specifies the algorithm that should be used to sign the certificate.
startdate specifies the time and date from which the certificate is valid.
valDays specifies the number of days for which the certificate should be considered valid.
If dname is provided, it's used as the subject of the generated certificate. Otherwise, the one from the certificate request is used.
ext shows which X.509 extensions will be embedded in the certificate. Read Common Options for the syntax to use with the -ext option.
The -gencert command enables you to create certificate chains. The following example creates a certificate, e1, that contains three certificates in its certificate chain.
keytool -alias ca -dname CN=CA -genkeypair
keytool -alias ca1 -dname CN=CA -genkeypair
keytool -alias ca2 -dname CN=CA -genkeypair
keytool -alias e1 -dname CN=E1 -genkeypair
keytool -alias ca1 -certreq | keytool -alias ca -gencert -ext san=dns:ca1 | keytool -alias ca1 -importcert
keytool -alias ca2 -certreq | keytool -alias ca1 -gencert -ext san=dns:ca2 | keytool -alias ca2 -importcert
keytool -alias e1 -certreq | keytool -alias ca2 -gencert > e1.cert
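The file-based form of the same operation, as an added example that is not part of the keytool documentation: a throwaway CA signs one request using -infile, -outfile and -rfc, and -printcert confirms the issuer. The aliases, distinguished names, file names, password and the KT_PASS variable are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sign a certificate request with -gencert using files and PEM output.
# All names and the password below are constructed demo values.
sign_leaf() {
    dir=$(mktemp -d) || return 1
    # The password is read from the environment (-storepass:env) so it stays off argv.
    KT_PASS='demo-only-pass'; export KT_PASS
    kt() {
        keytool -keystore "$dir/demo.p12" -storetype PKCS12 \
                -storepass:env KT_PASS "$@"
    }
    {
        # Signing key pair; bc=ca:true marks its self-signed certificate as a CA.
        kt -genkeypair -alias ca -keyalg RSA -keysize 2048 \
           -dname "CN=Demo Root" -ext bc=ca:true -validity 30 &&
        # Subject key pair and its certificate request.
        kt -genkeypair -alias leaf -keyalg RSA -keysize 2048 \
           -dname "CN=demo-leaf" -validity 30 &&
        kt -certreq -alias leaf -file "$dir/leaf.csr" &&
        # Sign the request with ca's private key; -rfc writes PEM instead of DER.
        # No -dname is given, so the subject comes from the request.
        kt -gencert -alias ca -infile "$dir/leaf.csr" -outfile "$dir/leaf.pem" \
           -rfc -ext san=dns:leaf.example.test -validity 7
    } >&2 || { rm -rf "$dir"; return 1; }
    # Print the line naming the issuer; only the Issuer field contains the CA's DN.
    keytool -printcert -file "$dir/leaf.pem" | grep 'CN=Demo Root'
    status=$?
    rm -rf "$dir"
    return $status
}

if command -v keytool >/dev/null 2>&1; then
    sign_leaf
else
    echo "keytool not found; a JDK is required to run this example" >&2
fi
```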