Create a certificate signing request

The next step is to get the node certificate signed by your CA. To do this you must generate a Certificate Signing Request (CSR) with the keytool -certreq command:

keytool -certreq                   \
        -alias      node01         \ 
        -keystore   node01.jks     \
        -file       node01.csr     \
        -keyalg     rsa            \

The same alias that you specified when creating the public/private key-pair in Generate a node private key and certificate.

The SubjectAlternativeName list for this host. The -ext parameter is optional and can be used to specify additional DNS names and IP Addresses that the certificate will be valid for. Multiple DNS and IP entries can be specified by separating each entry with a comma. If this option is used, all names and ip addresses must be specified in this list.

The resulting file — node01.csr — is your Certificate Signing Request, or CSR file.

Send the signing request

Send the CSR file to the Certificate Authority for signing. The Certificate Authority will sign the certificate and return a signed version of the certificate. See Signing a CSR if you are running your own Certificate Authority.


When running multiple nodes on the same host, the same signed certificate can be used on each node or a unique certificate can be requested per node if your CA supports multiple certificates with the same common name.