Generating Your Key Pair
The first thing that you need to do is create a keystore and generate the key pair. You can use a command such as the following:
keytool -genkeypair -dname "cn=Mark Jones, ou=Tivoli, o=IBM, c=US"
-alias business -keypass kpi135 -keystore C:\working\mykeystore
-storepass ab987c -validity 180
Note that this command must be typed as a single line. Multiple lines are used in the examples just for legibility purposes.
This command creates the keystore named "mykeystore" in the "C:\working" directory (if it doesn't already exist) and assigns it the store password "ab987c". It generates a public/private key pair for the entity whose "distinguished name" has a common name of "Mark Jones", organizational unit of "Tivoli", organization of "IBM" and two-letter country code of "US". Because neither -keyalg nor -keysize is given, it uses the default "DSA" key generation algorithm to create the keys, both 1024 bits long.
It creates a self-signed certificate (using the default "SHA1withDSA" signature algorithm) that includes the public key and the distinguished name information. This certificate is valid for 180 days and is associated with the private key in a keystore entry that is referred to by the alias "business". The private key is assigned the password "kpi135".
Note that these defaults are only what keytool falls back to. A 1024-bit DSA key and a SHA-1 signature are both considered weak, and current JDK releases print a warning when keytool generates or reads a certificate that uses them. In practice, specify the algorithm and size explicitly, for example -keyalg RSA -keysize 3072 or -keyalg EC. Also be aware that passwords given on the command line with -storepass and -keypass end up in shell history and process listings; omit them and keytool prompts for them instead.
The command could be significantly shorter if option defaults were accepted. As a matter of fact, no options are required; defaults are used for unspecified options that have default values, and you are prompted for any required values. Thus, you could have as short a command as the following command:
keytool -genkeypair
In this case, a keystore entry with alias "mykey" is created, with a newly generated key pair and a certificate that is valid for 90 days. This entry is placed in the keystore named ".keystore" in your home directory. (The keystore is created if it doesn't already exist.) You will be prompted for the distinguished name information, the keystore password, and the private key password.
The rest of the examples assume that you executed the -genkeypair command without specifying any options, and that you responded to the prompts with the same values that were given in the first -genkeypair command shown above (such as a private key password of "kpi135").
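As an added illustration (not part of the keytool documentation), the following Java program opens the keystore produced by the prompted command and audits every key entry in it: it prints the key algorithm, key size, signature algorithm and validity window, flags the weak defaults described above (DSA keys, keys shorter than 2048 bits, SHA-1 signatures, expired certificates), and checks that each self-signed certificate really does verify under its own public key. The keystore location (".keystore" in the home directory) and store password ("ab987c") are assumptions taken from the worked example; change them for another keystore.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Enumeration;

/**
 * Audit the key-pair entries of a keystore for weak defaults and confirm that
 * self-signed certificates verify. Added example; not keytool's own code.
 */
public class KeystoreAudit {

    public static void main(String[] args) throws Exception {
        // Assumed from the worked example: ~/.keystore protected by "ab987c".
        File ksFile = new File(System.getProperty("user.home"), ".keystore");
        char[] storePass = "ab987c".toCharArray();

        // KeyStore.getInstance(File, char[]) detects the store type (JKS or PKCS12) from the file.
        KeyStore ks = KeyStore.getInstance(ksFile, storePass);

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key; nothing to audit
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) {
                continue; // a secret-key entry (symmetric key) has no certificate
            }
            auditCertificate(alias, cert);
        }
    }

    static void auditCertificate(String alias, X509Certificate cert) throws Exception {
        String keyAlg = cert.getPublicKey().getAlgorithm();
        int keyBits = keySize(cert.getPublicKey());
        String sigAlg = cert.getSigAlgName();
        System.out.printf("%s: key=%s/%d sig=%s valid %s .. %s%n",
                alias, keyAlg, keyBits, sigAlg, cert.getNotBefore(), cert.getNotAfter());

        // The defaults described in the text: DSA, 1024 bits, SHA1withDSA.
        if ("DSA".equals(keyAlg)) {
            System.out.println("  WARN: DSA key; prefer -keyalg RSA or -keyalg EC");
        }
        if (keyBits > 0 && keyBits < 2048 && !"EC".equals(keyAlg)) {
            System.out.println("  WARN: key shorter than 2048 bits");
        }
        if (sigAlg.toUpperCase().startsWith("SHA1")) {
            System.out.println("  WARN: SHA-1 signature algorithm");
        }
        if (cert.getNotAfter().before(new Date())) {
            System.out.println("  WARN: certificate has expired");
        }

        // Self-signed means subject == issuer; the signature must then verify under the cert's own key.
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            cert.verify(cert.getPublicKey()); // throws SignatureException or similar on failure
            System.out.println("  self-signed certificate signature OK");
        }
    }

    /** Key size in bits, derived from the concrete public-key interface; -1 if unknown. */
    static int keySize(PublicKey key) {
        if (key instanceof RSAPublicKey rsa) {
            return rsa.getModulus().bitLength();
        }
        if (key instanceof DSAPublicKey dsa) {
            return dsa.getParams().getP().bitLength();
        }
        if (key instanceof ECPublicKey ec) {
            return ec.getParams().getCurve().getField().getFieldSize();
        }
        return -1;
    }
}
```

Compile and run it with the JDK that owns the keystore (java KeystoreAudit); the same checks can be pointed at any JKS or PKCS12 file by changing the path and password.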

Generating an ML-KEM KeyStore entry with a Signer KeyStore entry
You can use the following keytool commands to generate an Elliptic Curve (EC) KeyStore entry and then generate a Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM, FIPS 203) KeyStore entry whose certificate is signed by that EC entry.
- Command 1: Generate the EC signer KeyStore entry
keytool -keystore ks -storepass changeit \
    -genkeypair -alias ec -keyalg EC \
    -dname CN=EC -ext bc
This command creates a keystore named "ks" (or uses the existing one if it already exists) with the password "changeit". It generates a public/private key pair by using the EC algorithm and stores it with the alias "ec". The distinguished name is set to "CN=EC" (Common Name = EC). The -ext bc parameter adds a BasicConstraints extension with cA=true to the self-signed certificate, marking it as a Certificate Authority (CA) certificate, which is what allows it to be used to sign other certificates.
- Command 2: Generate the ML-KEM KeyStore entry
keytool -keystore ks -storepass changeit \
    -genkeypair -alias mlkem -keyalg ML-KEM-768 \
    -dname CN=ML-KEM -signer ec
This command uses the same keystore "ks" with password "changeit" and generates a key pair by using the post-quantum ML-KEM-768 algorithm (the middle of the three FIPS 203 parameter sets ML-KEM-512, ML-KEM-768 and ML-KEM-1024; ML-KEM-768 targets NIST security category 3). The key pair is stored with the alias "mlkem" and has a distinguished name of "CN=ML-KEM".
The certificate that contains the ML-KEM public key cannot be self-signed because ML-KEM is a key encapsulation algorithm and not a digital signature algorithm. The -signer ec parameter specifies that the private key of the previously created EC entry (alias "ec", which must exist in the same keystore) signs this new certificate; the certificate's issuer is therefore the EC entry's subject, CN=EC, and its signature algorithm is an ECDSA variant chosen by keytool for the EC signing key.
Note that in this example the -signerkeypass parameter is not specified because the signer's key password is the same as the keystore password ("changeit"). If the signer's key has a different password, you must include the -signerkeypass parameter followed by that password.
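To see what the two entries are actually for, here is an added Java example (not part of the keytool documentation) that loads the "ks" keystore created by the two commands above. The aliases "ec" and "mlkem" and the password "changeit" are assumed from those commands. The program checks that the EC certificate is marked as a CA and that it signed the ML-KEM certificate, demonstrates that the ML-KEM certificate cannot be verified against its own key, and then uses the ML-KEM key pair the one way it can be used: through javax.crypto.KEM to encapsulate a shared secret to the public key and decapsulate it with the private key from the keystore. It requires a JDK that ships the ML-KEM provider (JDK 24 or later).

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.crypto.KEM;
import javax.crypto.SecretKey;

/**
 * Verify the EC -> ML-KEM certificate relationship produced by the keytool
 * commands above and perform an ML-KEM encapsulation round trip.
 * Added example; not keytool's own code.
 */
public class MlKemChainCheck {

    public static void main(String[] args) throws Exception {
        // Assumed from the commands: keystore file "ks", password "changeit", aliases "ec" and "mlkem".
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance(new File("ks"), pw);

        X509Certificate ecCert = (X509Certificate) ks.getCertificate("ec");
        X509Certificate mlkemCert = (X509Certificate) ks.getCertificate("mlkem");

        // 1. The signer must be a CA certificate (BasicConstraints cA=true, added by -ext bc).
        //    getBasicConstraints() returns -1 when the certificate is not a CA.
        if (ecCert.getBasicConstraints() < 0) {
            throw new IllegalStateException("'ec' certificate is not marked as a CA");
        }

        // 2. The ML-KEM certificate was issued by the EC entry: issuer DN matches and the
        //    (ECDSA) signature verifies under the EC public key. verify() throws on failure.
        if (!mlkemCert.getIssuerX500Principal().equals(ecCert.getSubjectX500Principal())) {
            throw new IllegalStateException("issuer of 'mlkem' is not the subject of 'ec'");
        }
        mlkemCert.verify(ecCert.getPublicKey());
        System.out.println("mlkem certificate signed by ec using " + mlkemCert.getSigAlgName());

        // 3. The ML-KEM certificate cannot be self-verified: an ML-KEM public key has no
        //    signature-verification operation, so the verifier rejects it as an invalid key.
        try {
            mlkemCert.verify(mlkemCert.getPublicKey());
            throw new IllegalStateException("unexpected: ML-KEM key accepted for signature verification");
        } catch (GeneralSecurityException expected) {
            System.out.println("self-verification rejected as expected: "
                    + expected.getClass().getSimpleName());
        }

        // 4. Fetch the ML-KEM private key. The key password equals the store password here,
        //    mirroring why -signerkeypass was not needed on the command line.
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry)
                ks.getEntry("mlkem", new KeyStore.PasswordProtection(pw));
        PrivateKey decapsKey = entry.getPrivateKey();
        PublicKey encapsKey = mlkemCert.getPublicKey();

        // 5. Use the pair as a KEM (JEP 452 API): the sender encapsulates to the public key and
        //    transmits the ciphertext; the holder of the private key decapsulates the same secret.
        KEM kem = KEM.getInstance("ML-KEM");
        KEM.Encapsulated enc = kem.newEncapsulator(encapsKey).encapsulate();
        SecretKey senderSecret = enc.key();
        byte[] ciphertext = enc.encapsulation(); // 1088 bytes for ML-KEM-768; this is what goes on the wire

        SecretKey receiverSecret = kem.newDecapsulator(decapsKey).decapsulate(ciphertext);

        if (!Arrays.equals(senderSecret.getEncoded(), receiverSecret.getEncoded())) {
            throw new IllegalStateException("shared secrets differ");
        }
        System.out.println("ML-KEM shared secret established: "
                + senderSecret.getEncoded().length * 8 + " bits, ciphertext "
                + ciphertext.length + " bytes");
    }
}
```

Run it from the directory that contains "ks". Step 3 is the concrete form of the statement that an ML-KEM certificate cannot be self-signed: the same API that verifies the EC signature in step 2 refuses the ML-KEM key, which is why keytool insists on a separate -signer entry.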
