How to Generate a CSR for a Code Signing Certificate via Java Keystore

Important Update!

Starting from June 1st, 2023, a new security measure is in place for code signing certificates. All code signing certificates must now be stored on hardware meeting specific security standards such as FIPS 140 Level 2, Common Criteria EAL 4+, or their equivalents.

As a result, the process of obtaining and installing certificates has changed. Certificate Authorities no longer support browser-based key generation, creating CSRs, and installing certificates on laptops or servers. Instead, if you opt for token + shipment as your code signing delivery method, the CA will handle CSR generation. Alternatively, if you prefer to use your Hardware Security Module (HSM), check the guides below or follow your HSM provider’s instructions for CSR generation.


The following text contains outdated information, no longer applicable to CSR generation for code signing certificates.

When you request a code signing certificate, you must provide information about yourself and your company in an encoded text file called a CSR (Certificate Signing Request). This file contains details such as your name, organization (if applicable), and email address. During CSR creation, you’ll get two files: the CSR itself, which you’ll need to provide when you enroll for the certificate, and a private key that you should keep secret and use during installation.

To generate a CSR using Keytool, ensure you have the Java Development Kit (JDK) installed on your server or computer. 

How to Use Keytool to Generate a CSR

Follow the steps below to generate a CSR for a code signing certificate in Linux or Windows with the help of the Java Development Kit.

1. Create the Keystore and Key File

First, in the keystore prompt, run the command to create a keystore and key file:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks

2. Submit Your Contact Data

Next, enter the following required CSR details:

  • Enter a keystore password. Choose a secure password. Re-enter the password for confirmation.
  • Submit your first and last name.
  • Enter the official name of your organization. Double-check it.
  • Next, enter the name of your City or Locality and the State or Province where your organization is registered.
  • Enter the two-letter country code for your location. 
  • Once you have provided all the necessary information, you must confirm if the CN is correct. The CN should be in the format of “CompanyName or Firstname Lastname, OU=DeparmentName, O=CompanyName, L=City, ST=State, C=CountryCode.”
  • Lastly, enter a password for the key.

This command will generate a Java keystore file named keystore.jks.

3. Generate the CSR Using the Keytool

To generate a CSR from your keystore, follow these simple steps:

  1. Open up your command prompt.
  2. Type in the following command:
    keytool -certreq -alias server -file csr.csr -keystore keystore.jks
  3. Hit Enter and enter your keystore password (created in step 2) when prompted.

That’s it! This command will create the CSR and private key with the .csr and .jks file extensions.

Final Steps – Complete Your Order

After you generate a CSR using keytool, copy its contents, including the header —–BEGIN NEW CERTIFICATE REQUEST—- and footer —–END NEW CERTIFICATE REQUEST—– tags, and paste them into the relevant box on your code signing vendor account. Select “Java” as your code signing certificate type and complete the enrollment process. The Certificate Authority should sign your code signing cert in one or several business days, depending on the validation type.

Save 10% on SSL Certificates when ordering today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

Written by

Experienced content writer specializing in SSL Certificates. Transforming intricate cybersecurity topics into clear, engaging content. Contribute to improving digital security through impactful narratives.