@luiswolff
Last active June 5, 2019 19:57
This gist shows how to create a self-signed certificate (bob) and use it to sign another certificate (alice). An application then only needs to know the public key of bob in order to trust alice, too. The Java Keytool is used.
rem # create a new self-signed certificate inside the keystore bob.jks. This will act as the issuer for the other certificate
rem # It is important to add the extension BasicConstraints Certificate Authority (bc:c)
rem # Otherwise tools like the JVM will not accept other certificates issued by this one
keytool -genkey -alias bob -keyalg RSA -keypass changeit -storepass changeit -keystore bob.jks -dname CN=bob -ext bc:c
rem # create another self-signed certificate, for which we will create a Certificate Signing Request (CSR)
keytool -genkey -alias alice -keyalg RSA -keypass changeit -storepass changeit -keystore alice.jks -dname CN=alice
rem # export bob's certificate (his public key) so it can be used by others
keytool -exportcert -alias bob -keystore bob.jks -storepass changeit -file bob.cer
rem # import bob's certificate into the key store of alice, so she can trust him
keytool -importcert -keystore .\alice.jks -storepass changeit -file bob.cer -alias bob -noprompt
rem # create a new certificate signing request (CSR) for alice
keytool -certreq -alias alice -keystore .\alice.jks -storepass changeit -file alice.csr
rem # sign the CSR from alice using bob's private key
keytool -gencert -infile .\alice.csr -outfile .\alice.cer -alias bob -keystore .\bob.jks -storepass changeit
rem # reimport the certificate signed by bob into the key store of alice
keytool -importcert -file alice.cer -alias alice -keypass changeit -keystore .\alice.jks -storepass changeit
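To check the claim that knowing bob is enough to trust alice, the following added example (not part of the original gist) validates the chain stored in alice.jks against bob.cer as the only trust anchor. The class name `VerifyAliceChain` is hypothetical; it assumes it runs in the directory holding the files produced above, on the same JDK whose keytool created them, and it disables revocation checking because this setup publishes no CRL or OCSP responder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class VerifyAliceChain {
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // The only certificate the verifier trusts: bob's exported certificate.
        X509Certificate bob;
        try (InputStream in = new FileInputStream("bob.cer")) {
            bob = (X509Certificate) cf.generateCertificate(in);
        }
        // getBasicConstraints() returns -1 for a non-CA certificate, which is
        // what keytool produces when -ext bc:c is left out. The PKIX validator
        // below does not inspect the anchor's own extensions, so check here.
        if (bob.getBasicConstraints() < 0) {
            throw new IllegalStateException("bob.cer is not marked as a CA");
        }

        // Default type matches what keytool on the same JDK wrote to alice.jks.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream("alice.jks")) {
            ks.load(in, "changeit".toCharArray());
        }
        Certificate[] chain = ks.getCertificateChain("alice");
        // A length of 1 means alice is still self-signed (reply not imported).
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("alice has no chain signed by an issuer");
        }

        // A CertPath excludes the trust anchor, so drop the last entry (bob).
        List<Certificate> path = Arrays.asList(chain).subList(0, chain.length - 1);
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(bob, null)));
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP in this setup

        // Throws CertPathValidatorException on a bad signature, expired
        // certificate or issuer/subject mismatch.
        CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
        System.out.println("Trusted via bob: "
            + ((X509Certificate) chain[0]).getSubjectX500Principal());
    }
}
```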