What is the relationship between this JKS file and the name of the
self-signed certificate contained inside of it?
A JKS keystore is a container of certificates, private keys or shared keys. What it exactly contains depends on which commands have been used. You can have multiple entries. Each entry is identified by its alias.
Meaning, do I now have an SSL cert named "mykeys" inside this key store?
No, here, mykeys.jks is just the file name. You can rename this file as you wish, it won't affect its content.
In addition, "certificate name" can have multiple meanings depending on the context.
In general (not specifically within the context of Java keystores) the certificate name would be its Subject Distinguished Name (Subject DN): this is what identifies its subject. This is what's filled in by answering the questions ("What is your first and last name?" and so on), or you can pre-fill this using -dname.
The CN within that Subject DN (also the answer to "What is your first and last name?") is often used by various certificate management tools as the short name for the certificate (if there is a list or table). For a server certificate, it would also be recommended to use the CN as the main host name for the server (it would even be mandatory if you're not using a Subject Alternative Name extension).
You can add additional SANs using the -ext option (e.g. -ext SAN=dns:your.host.name). Using SANs is the recommended way (at all times), but many people don't do it when generating their certificates with keytool (possibly because tutorials rarely mention it, since it was only introduced with the version bundled with Java 7).
keytool -genkey -keyalg RSA -alias selfsigned -keystore mykeys.jks -storepass password -validity 360 -keysize 2048
Bonus question: can a single keystore (JKS file) have more than 1 cert inside of it? If so, how might I add a 2nd SSL cert named, say, my2ndcert to this same JKS file?
What -genkey (renamed -genkeypair in more recent versions) does is create a key pair and also wrap the public key into a self-signed certificate. It will put it in the selfsigned alias entry (in your example).
If mykeys.jks didn't exist, it will be created. If it already exists, it will be modified (only if the store password matches the password of the existing file, of course).
You can use other alias names if you wish. You can also import certificates (without a private key) using -importcert (or -import).
keytool -list will list the content of a keystore, including private key entries and certificate entries, all with their respective alias names.
Note that, if you're going to use a certificate that isn't self-signed, you'll need to generate a certificate request from the key pair you've generated, and re-import the certificate issued by your CA into that alias (in fact, you'll need to import the full chain into that entry if a chain is required). This will overwrite the self-signed certificate initially created with -genkeypair.
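The points above (several aliases in one JKS file, SANs via -ext, and the certificate-request / reply-import round trip that replaces a self-signed certificate) as one added example; this is not code from the original answer. It assumes a JDK 7+ keytool on PATH, and the file name, passwords, host names and the "ca" alias are placeholders I chose for the demo.

```shell
#!/bin/sh
# Added example (not from the original answer): a JKS file with two key-pair
# entries, one of them re-issued by a CA entry in the same keystore, showing
# aliases, SANs and the -certreq / -gencert / -importcert round trip.
# Assumes keytool (JDK 7+) on PATH; names and passwords are placeholders.
set -eu
KS="${KS:-mykeys.jks}"
PW="${PW:-changeit}"
KT="keytool -keystore $KS -storetype JKS -storepass $PW"

# Key pair plus self-signed certificate under ALIAS; CN and SAN are HOST.
# -genkeypair is the newer name for -genkey; -dname avoids the prompts.
gen_selfsigned() {
  $KT -genkeypair -keyalg RSA -keysize 2048 -validity 360 -keypass "$PW" \
    -alias "$1" -dname "CN=$2, O=Example" -ext "SAN=dns:$2"
}

# Demo-only CA key pair under alias "ca", kept in the same keystore.
gen_ca() {
  $KT -genkeypair -keyalg RSA -keysize 2048 -validity 3650 -keypass "$PW" \
    -alias ca -dname "CN=Demo CA, O=Example" -ext "bc=ca:true"
}

# Replace the self-signed cert of ALIAS with one signed by "ca": CSR from the
# existing key pair, sign it, then import the full chain into the same alias.
reissue_from_ca() {
  d="$(mktemp -d)"
  $KT -certreq -alias "$1" -file "$d/req.csr"
  $KT -gencert -alias ca -rfc -infile "$d/req.csr" -outfile "$d/chain.pem"
  $KT -exportcert -alias ca -rfc -file "$d/ca.pem"
  cat "$d/ca.pem" >> "$d/chain.pem"
  $KT -importcert -noprompt -alias "$1" -file "$d/chain.pem"
  rm -rf "$d"
}

# Number of entries of TYPE (PrivateKeyEntry or trustedCertEntry).
count_entries() { $KT -list | grep -c -- "$1" || true; }

# Issuer DN of the first certificate in the chain stored under ALIAS.
issuer_of() { $KT -list -v -alias "$1" | awk '/^Issuer: /{sub(/^Issuer: /,""); print; exit}'; }

if [ "${1:-}" = "demo" ]; then   # run as: sh this-file.sh demo
  rm -f "$KS"
  gen_selfsigned selfsigned your.host.name
  gen_selfsigned my2ndcert second.host.name
  gen_ca
  reissue_from_ca my2ndcert
  $KT -list
fi
```

After the demo, keytool -list shows three PrivateKeyEntry aliases and -list -v -alias my2ndcert shows a two-certificate chain issued by the demo CA.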