Java keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. Java keytool stores the keys and certificates in what is called a keystore. A keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.
Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore, you will first create the .jks file, which will initially only contain the private key. You will then generate a CSR and have a certificate generated from it. Then you will import the certificate to the keystore, including any root certificates.
Below, we have listed the most common Java keytool keystore commands and their usage:
Java keytool commands for creating and importing
These commands allow you to generate a new Java keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.
- Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks
- Generate a Certificate Signing Request (CSR) for an existing Java keystore
keytool -certreq -alias "mydomain" -keystore keystore.jks -file mydomain.csr
- Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
- Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
- Generate a keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias "selfsigned" -keystore keystore.jks -storepass "password" -validity <days>
Java keytool commands for checking
If you need to check the information within a certificate, or Java keystore, use these commands.
- Check a stand-alone Certificate
keytool -printcert -v -file mydomain.crt
- Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
- Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain
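The check commands above can confirm that the signed certificate actually replaced the self-signed one on the key entry; a reply imported under a different alias is stored as a separate trusted certificate and leaves the key entry self-signed. The following is an added example, not part of the original page: `check_chain`, `sample_listing` and the sample listing itself are constructed for illustration, and English-locale `keytool -list -v` output is assumed.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` output (English locale assumed) on
# stdin and prints "<alias> <chain length> <status>" per private-key entry.
check_chain() {
  awk '
    /^Alias name: /               { alias = substr($0, 13); type = ""; next }
    /^Entry type: /               { type = $3; next }
    /^Certificate chain length: / { len = $4; want = 1; next }
    # The first Owner/Issuer pair after the chain length is the primary cert.
    want && /^Owner: /            { owner = substr($0, 8); next }
    want && /^Issuer: /           {
      issuer = substr($0, 9); want = 0
      if (type == "PrivateKeyEntry") {
        status = (len == 1 && owner == issuer) ? "SELF_SIGNED" : "CHAINED"
        print alias, len, status
      }
    }
  '
}

# Constructed sample listing (not real output), trimmed to the fields used.
sample_listing() {
  cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=www.example.com

Alias name: shop
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=shop.example.com
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}

sample_listing | check_chain
# Real use: keytool -list -v -keystore keystore.jks | check_chain
```

An entry reported as SELF_SIGNED still holds only the certificate generated with the key pair, so the signed certificate has not been imported under that alias.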
Other Java keytool commands
- Delete a certificate from a Java keytool keystore
keytool -delete -alias "mydomain" -keystore keystore.jks
- Change a Java keystore Password
keytool -storepasswd -new new_storepass -keystore keystore.jks
- Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
- List trusted ca certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
- Import New CA into trusted certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
FROM: http://nl.globalsign.com/en/support/ssl+certificates/java/java+based+webserver/keytool+commands/