# Java Keystores and Truststores

## Java Keystore File for TLS

Access to the Presto coordinator must be through HTTPS when using Kerberos and LDAP authentication. The Presto coordinator uses a Java Keystore file for its TLS configuration. The keys are generated using `keytool` and stored in that Java Keystore file.

The alias in the keytool command line should match the principal that the Presto coordinator will use.

You’ll be prompted for your first and last name. Enter the Common Name that will be used in the certificate. In this case, it should be the unqualified hostname of the Presto coordinator. In the following example, you can see this in the prompt that confirms the information is correct:

```
keytool -genkeypair -alias presto -keyalg RSA -keystore keystore.jks
What is your first and last name?
[Unknown]:  presto-coordinator.example.com
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=presto-coordinator.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]:  yes
```


You can use `keytool` to import the certificate to the truststore. In the example, we are going to import `presto_certificate.cer` to a custom truststore `presto_trust.jks`, and you will get a prompt asking if the certificate can be trusted or not.
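
The keystore and truststore steps above can also be run without prompts and then checked. The script below is an added example, not taken from the Presto documentation. It assumes an environment variable `PRESTO_STOREPASS`, the truststore alias `presto`, a constructed placeholder password, and hypothetical function names.

```shell
#!/bin/sh
# Added example: the page's keytool steps without prompts, plus a truststore check.
# Assumed names: PRESTO_STOREPASS, truststore alias "presto", both function names.
set -eu
# Constructed placeholder; supply a real secret through the environment.
export PRESTO_STOREPASS="${PRESTO_STOREPASS:-constructed-example-pass}"

build_presto_stores() {   # $1 = output directory, $2 = coordinator hostname
    ks="$1/keystore.jks"; ts="$1/presto_trust.jks"; cer="$1/presto_certificate.cer"
    rm -f "$ks" "$ts" "$cer"
    # -dname answers the "first and last name" prompt: CN is the coordinator host.
    # The SAN extension is an addition in this sketch; it repeats the same name.
    # :env reads the password from the environment, keeping it out of argv.
    keytool -genkeypair -alias presto -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2" -ext "SAN=dns:$2" -keystore "$ks" \
        -storepass:env PRESTO_STOREPASS -keypass:env PRESTO_STOREPASS \
        >/dev/null 2>&1 </dev/null
    # Export the certificate only; the private key stays in keystore.jks.
    keytool -exportcert -alias presto -keystore "$ks" \
        -storepass:env PRESTO_STOREPASS -file "$cer" >/dev/null 2>&1
    # -noprompt skips the interactive trust question; verify_truststore checks
    # the result instead.
    keytool -importcert -noprompt -alias presto -file "$cer" -keystore "$ts" \
        -storepass:env PRESTO_STOREPASS >/dev/null 2>&1
}

verify_truststore() {     # $1 = output directory; returns 0 when both checks pass
    # 1. The truststore entry must be byte-identical to the exported certificate.
    keytool -exportcert -alias presto -keystore "$1/presto_trust.jks" \
        -storepass:env PRESTO_STOREPASS -file "$1/roundtrip.cer" \
        >/dev/null 2>&1 || return 1
    cmp -s "$1/presto_certificate.cer" "$1/roundtrip.cer" || return 1
    # 2. A truststore handed to clients must not contain a private key.
    listing=$(keytool -J-Duser.language=en -list -keystore "$1/presto_trust.jks" \
        -storepass:env PRESTO_STOREPASS 2>/dev/null) || return 1
    case $listing in *PrivateKeyEntry*) return 1 ;; esac
    case $listing in *trustedCertEntry*) return 0 ;; esac
    return 1
}

# Stand-alone use: sh presto_stores.sh <output-dir>
if [ $# -ge 1 ]; then
    build_presto_stores "$1" presto-coordinator.example.com
    verify_truststore "$1" && echo "truststore OK"
fi
```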