Keytool

ECDSA P-256 is the recommended default in 2026 — smaller keys, faster handshake, equivalent strength to RSA 3072 (also produces a self-signed cert):

keytool -genkeypair -alias ${{ ALIAS }} -keyalg EC -groupname secp256r1 -keystore ${{ KEYSTORE }}

If you need RSA (legacy interop), use 4096-bit:

keytool -genkeypair -alias ${{ ALIAS }} -keyalg RSA -keysize 4096 -keystore ${{ KEYSTORE }}

Generate a certificate signing request (CSR) from the keystore:

keytool -certreq -alias ${{ ALIAS }} -file my_certreq.csr -keystore ${{ KEYSTORE }}
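
Once the CA returns the signed certificate, concatenate it with the intermediate and root certificates and import the chain under the same alias:
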
cat my_cert.pem intermediate-ca.pem root-ca.pem > fullchain.pem
keytool -import -keystore ${{ KEYSTORE }} -alias ${{ ALIAS }} -file fullchain.pem

List the keystore entries in verbose form:

keytool -list -keystore ${{ KEYSTORE }} -v
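
A post-import check, as an added example that is not part of the original page: it reads `keytool -list -v` output and confirms that the alias is still a key entry and now carries a CA-issued chain instead of the self-signed certificate from `-genkeypair`. The function name `check_keystore_entry` is hypothetical, and the sample outputs are constructed and abbreviated to the fields the check reads.

```shell
# check_keystore_entry ALIAS (hypothetical helper): reads `keytool -list -v`
# output on stdin; exits 0 only if ALIAS is a key entry with a CA-issued chain.
check_keystore_entry() {
  awk -v alias="$1" '
    /^Alias name: /               { cur = substr($0, 13); cert = 0 }
    cur != alias                  { next }
    /^Entry type: /               { type = substr($0, 13) }
    /^Certificate chain length: / { len = $NF + 0 }
    /^Certificate\[[0-9]+\]:/     { cert++ }
    cert == 1 && /^Owner: /       { owner = substr($0, 8) }
    cert == 1 && /^Issuer: /      { issuer = substr($0, 9) }
    END {
      if (type == "")                 { print "alias not found"; exit 2 }
      if (type != "PrivateKeyEntry")  { print "not a key entry: " type; exit 1 }
      if (len < 2 || owner == issuer) { print "still self-signed"; exit 1 }
      print "ok: chain length " len
    }'
}
# Constructed sample: state right after -genkeypair (self-signed certificate).
sample_self_signed() { cat <<'EOF'
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=app.example.test
Issuer: CN=app.example.test
EOF
}
# Constructed sample: state after importing fullchain.pem under the same alias,
# plus a certificate-only entry under a second alias.
sample_imported() { cat <<'EOF'
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=app.example.test
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: rootca
Entry type: trustedCertEntry
EOF
}
```

Against a real keystore, pipe the listing command shown above into `check_keystore_entry` with the alias as its argument. A `trustedCertEntry` result for the alias you expected to hold the key means the certificate was imported under a different alias than the key pair.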