@wsargent
Last active May 7, 2021 15:16
Generate a certificate authority and trust anchor keystore, using only keytool
#!/bin/bash
export PW=`cat password`
# Create a self signed key pair root CA certificate.
keytool -genkeypair -v \
-alias exampleca \
-dname "CN=exampleCA, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US" \
-keystore exampleca.jks \
-keypass:env PW \
-storepass:env PW \
-keyalg RSA \
-keysize 4096 \
-ext KeyUsage="keyCertSign" \
-ext BasicConstraints:"critical=ca:true" \
-validity 9999
# Export the exampleCA public certificate so that it can be used in trust stores.
keytool -export -v \
-alias exampleca \
-file exampleca.crt \
-keypass:env PW \
-storepass:env PW \
-keystore exampleca.jks \
-rfc
@marcosdemelo

Thanks man!

@heregear

When I run this I get an Illegal Option -ext from keytool.

What version of Java does this run under?

@heregear

My bad - never mind - just realized the VM I was on was running Java 1.6... doooop. Time for donut. Thanks!
