As shown in the figure:
After the command is entered, you are prompted for a series of values: the KeyStore password, your first and last name, and so on.
As shown in the figure:
The values in the red boxes in the image above are all typed in manually. For "first and last name" you normally enter a domain name; I entered localhost here, and I used HELLOCJ as the KeyStore password.
At the final prompt, type y and press Enter to confirm.
As shown in the figure:
If you want the key password for the entry named TESTCJ to be the same as the KeyStore password, just press Enter. I want this entry's key password to be TESTCJ, so I type TESTCJ.
As shown in the figure:
At this point the KeyStore has been created and an entry named TESTCJ has been added to it. The KeyStore password is HELLOCJ, and the key password for the TESTCJ entry is TESTCJ.
Note: if you find the step-by-step prompts tedious, the following single command performs all of the above:
keytool -genkey -keystore "D:\keystore\hellocj.keystore" -alias testcj -keyalg RSA -validity 365 -dname "CN=localhost, OU=org, O=ORG.CJ, L=Kunming, ST=Yunnan, C=China" -keypass TESTCJ -storepass HELLOCJ
As shown in the figure:
2. Add an entry to a keystore that already exists
Section 1 covered creating a KeyStore file and adding its first entry. If the KeyStore file already exists and we want to add another entry to it, for example an entry named Cjtomcat with the key password HelloWorld, the command is:
keytool -genkey -keystore "D:\keystore\hellocj.keystore" -alias "Cjtomcat" -keyalg "RSA" -validity 365 -dname "CN=127.0.0.1, OU=org, O=ORG.CJ, L=Kunming, ST=Yunnan, C=China" -keypass "HelloWorld" -storepass "HELLOCJ"
As shown in the figure:
3. View the information in the KeyStore
Now that I have a KeyStore and know its password, I want to see what is stored in it. The command is:
keytool -list -v -keystore D:\keystore\hellocj.keystore -storepass HELLOCJ
As shown in the figure:
After pressing Enter, the CMD window prints the following information:
4. Export the digital certificate file for an entry
The KeyStore exists and so does the entry. Now I want to export the information and public key of the entry named Cjtomcat to a digital certificate file, which I will name cjTomcat.cer. The command is:
keytool -alias "Cjtomcat" -exportcert -keystore D:\keystore\hellocj.keystore -file D:\keystore\cjTomcat.cer -storepass "HELLOCJ"
The export succeeds.
As shown in the figure:
You can double-click cjTomcat.cer to open it and view its contents.
As shown in the figure:
5. Import the digital certificate into your own JRE certificate store
A digital certificate generally holds a server's domain name and its public key, and the server's certificate needs to be imported into the client's JRE. Here the cjTomcat.cer I just generated stands in for the server's certificate. To import it into my local JRE's trusted certificate store under the alias Cjtomcat, the command is:
keytool -import -alias "Cjtomcat" -keystore C:\Java\jdk1.8.0_40\jre\lib\security\cacerts -file D:\keystore\cjTomcat.cer -trustcacerts -storepass changeit
Note: changeit is the default password of the cacerts store (it is case-sensitive). Because we are modifying the cacerts file we must supply the store password, and C:\Java\jdk1.8.0_40\jre must be replaced with your own JRE directory. Bear in mind that every Java program running on this JRE will then trust the certificate; for a single application, a dedicated truststore is the safer choice.
After pressing Enter, you are asked whether to trust the certificate stored in cjTomcat.cer:
As shown in the figure:
Type y and press Enter.
As shown in the figure:
6. Remove a digital certificate from the JRE's certificate store
If I no longer want to trust the certificate with the alias Cjtomcat, I remove it from my local JRE certificate store with the command:
keytool -delete -alias "Cjtomcat" -keystore "C:\Java\jdk1.8.0_40\jre\lib\security\cacerts" -storepass changeit
Note: as above, changeit is the default password of the cacerts store, and C:\Java\jdk1.8.0_40\jre must be replaced with your own JRE directory.
As shown in the figure:
7. Other Instructions
The parameters in the commands above were not explained individually; most are self-explanatory. Briefly: -alias sets the entry name, -keyalg "RSA" selects RSA as the key algorithm, -keystore names the KeyStore file (use double quotation marks if the path contains spaces), and -validity 365 sets the validity period to 365 days. The KeyStore file can have any extension, or none at all. If -storepass or -keypass is omitted, keytool prompts for the password instead of leaving it in the command history.
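The whole workflow from sections 1 to 5, as an added example that is not part of the original post: it runs non-interactively and imports the exported certificate into a dedicated client truststore rather than the JRE-wide cacerts. The entry names and passwords are the post's own; the truststore file name client-truststore.jks, its password, and the use of the ISO country code CN are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not the original post's code). Assumes keytool is on PATH.
set -euo pipefail

build_keystore_and_truststore() {
  local dir="$1"
  local ks="$dir/hellocj.keystore"          # post's keystore (JKS, as on JDK 8)
  local ts="$dir/client-truststore.jks"     # assumed: app-specific truststore
  local cer="$dir/cjTomcat.cer"

  # 1. Create the keystore with its first entry; -dname replaces the prompts.
  keytool -genkeypair -storetype JKS -keystore "$ks" -alias testcj \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost, OU=org, O=ORG.CJ, L=Kunming, ST=Yunnan, C=CN" \
    -keypass TESTCJ -storepass HELLOCJ

  # 2. Add a second entry (Cjtomcat) to the now-existing keystore.
  keytool -genkeypair -storetype JKS -keystore "$ks" -alias Cjtomcat \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=127.0.0.1, OU=org, O=ORG.CJ, L=Kunming, ST=Yunnan, C=CN" \
    -keypass HelloWorld -storepass HELLOCJ

  # 3. Export the Cjtomcat certificate: subject and public key, never the
  #    private key, so the .cer file is safe to hand to clients.
  keytool -exportcert -alias Cjtomcat -keystore "$ks" -storepass HELLOCJ \
    -file "$cer"

  # 4. Import it into the client's own truststore; -noprompt answers the
  #    "Trust this certificate? [no]:" question from the post with yes.
  keytool -importcert -storetype JKS -alias Cjtomcat -keystore "$ts" \
    -storepass changeit -file "$cer" -noprompt

  # 5. Verify the truststore now holds a trusted-certificate entry for the
  #    alias. A client then uses it with
  #    java -Djavax.net.ssl.trustStore="$ts" \
  #         -Djavax.net.ssl.trustStorePassword=changeit ...
  keytool -list -keystore "$ts" -storepass changeit -alias Cjtomcat \
    | grep -q trustedCertEntry
}
```

The function returns non-zero if any keytool step fails or the final check does not find a trustedCertEntry.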