@Hakky54
Last active November 14, 2024 14:03
Keytool Cheat Sheet - A list of keytool commands to create, check and verify your keys

Keytool CheatSheet 🔐

Some history

This cheat sheet came to life when I started working on a tutorial on setting up one-way TLS and two-way TLS, which can be found here: GitHub - Mutual TLS SSL

Creation and importing

Generate a Java keystore and key pair

keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore.jks -alias server -validity 3650

Generate a Java keystore and key pair, passing the Distinguished Name and the extensions on the command line (the SAN lists one DNS name and one IP address; the ":c" suffix marks the extension as critical)

keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore.jks -alias server -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -storepass secret -keypass secret -validity 3650 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,IP:127.0.0.1

Import a certificate into a Java keystore as a trusted entry (the truststore file is created if it does not exist yet)

keytool -importcert -file server.crt -keystore truststore.jks -alias server

Generate a Root CA with signing capability

keytool -v -genkeypair -dname "CN=Root-CA,OU=Certificate Authority,O=Thunderberry,C=NL" -keystore root-ca.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,keyCertSign -ext BasicConstraints=ca:true,PathLen:3

Generate a certificate signing request (CSR) for an existing Java keystore

keytool -certreq -keyalg rsa -keystore keystore.jks -alias server -file server.csr

Import a root or intermediate CA certificate into an existing Java keystore (-import is the older name of -importcert)

keytool -import -trustcacerts -file root-ca.crt -alias my-newly-trusted-ca -keystore keystore.jks

Import the content of a keystore into another keystore

keytool -v -importkeystore -srckeystore source.p12 -srcstoretype PKCS12 -srcstorepass changeit -destkeystore target.p12 -deststoretype PKCS12 -deststorepass changeit

Checking

Check a stand-alone certificate

keytool -v -printcert -file server.crt

Check a stand-alone certificate in PEM format

keytool -v -printcert -file server.crt -rfc

Check which certificates are in a Java keystore

keytool -v -list -keystore keystore.jks

Check a particular keystore entry using an alias

keytool -v -list -keystore keystore.jks -alias server

Other commands

Delete a certificate from a Java keystore

keytool -delete -alias server -keystore keystore.jks

Change a Java keystore password

keytool -storepasswd -keystore keystore.jks

Change the password of a key entry (works only for JKS and JCEKS keystores; a PKCS12 keystore has a single store password and keytool refuses -keypasswd for it)

keytool -keypasswd -alias server -keystore keystore.jks

Sign a certificate signing request (CSR) with the root CA (extensions requested in the CSR, such as the SAN, are dropped unless you also pass -ext honored=all; the extensions given here are set by the CA)

keytool -v -gencert -infile server.csr -outfile server-signed.cer -keystore root-ca.jks -storepass secret -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth

Converting JKS to PKCS12

keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -srcstorepass password -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass password

Converting PKCS12 to JKS

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass password -destkeystore keystore.jks -deststoretype JKS -deststorepass password

Exporting

Export a certificate to a .crt file in binary (DER) format

keytool -exportcert -keystore keystore.jks -alias server -file server.crt

Export a certificate to a .crt file in PEM format

keytool -exportcert -keystore keystore.jks -alias server -rfc -file server.crt

Export a Java keystore to a .p12 file

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12
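
The commands above are most useful as one flow: root CA, server key pair, CSR, CA-signed certificate, chain imported back, CA-only truststore, and finally the JKS to PKCS12 conversion. The script below is an added example and is not part of the gist; every name, DN, file name and the password are assumptions chosen for the example (KEYTOOL and PASS can be overridden from the environment). It also scripts the checks worth running before a keystore is shipped: the leaf is issued by the CA, the SAN survived signing, the CA is marked CA:true, and the truststore contains no private key.

```shell
#!/bin/sh
# Added example (not from the gist): a complete keytool workflow tying the
# "Creation", "Signing", "Exporting" and "Converting" commands together.
# Names, DNs, file names and the password are assumptions for this example.
set -eu

KT="${KEYTOOL:-keytool}"
PASS="${PASS:-changeit}"   # demo-only password; never reuse it in production
CA_DN="CN=Example Root CA,O=Example,C=NL"

# build_pki DIR: root CA -> server key pair -> CSR -> CA-signed cert -> chain
# installed in the server keystore -> CA-only truststore -> PKCS12 copy.
# Runs in a subshell so the caller's working directory is untouched.
build_pki() (
  mkdir -p "$1" && cd "$1"

  # 1. Root CA. keyCertSign plus BasicConstraints CA:true is what makes it a CA;
  #    pathlen:0 means it may sign end-entity certs only, not intermediates.
  "$KT" -genkeypair -keyalg RSA -keysize 3072 -alias root-ca -dname "$CA_DN" \
    -keystore root-ca.jks -storepass "$PASS" -keypass "$PASS" -validity 3650 \
    -ext KeyUsage:c=digitalSignature,keyCertSign \
    -ext BasicConstraints:c=ca:true,pathlen:0 >/dev/null

  # 2. Server key pair and CSR. The SAN is given again on -certreq because
  #    keytool does not copy extensions from the self-signed cert into the CSR.
  "$KT" -genkeypair -keyalg RSA -keysize 2048 -alias server \
    -dname "CN=localhost,O=Example,C=NL" \
    -keystore server.jks -storepass "$PASS" -keypass "$PASS" -validity 825 \
    -ext SAN=DNS:localhost,IP:127.0.0.1 >/dev/null
  "$KT" -certreq -alias server -keystore server.jks -storepass "$PASS" \
    -ext SAN=DNS:localhost,IP:127.0.0.1 -file server.csr

  # 3. Sign with the CA. -gencert ignores every extension requested in the CSR
  #    unless told to honor it, so "honored=SAN" keeps the SAN; KeyUsage and EKU
  #    are decided by the CA, not taken from the requester.
  "$KT" -gencert -alias root-ca -keystore root-ca.jks -storepass "$PASS" \
    -infile server.csr -outfile server.crt -rfc -validity 825 \
    -ext honored=SAN -ext KeyUsage:c=digitalSignature,keyEncipherment \
    -ext ExtendedKeyUsage=serverAuth

  # 4. Export the CA cert (PEM) and install the chain: the CA goes in first as a
  #    trusted cert, then the reply under the key's alias replaces the
  #    self-signed cert. Without the CA present keytool cannot build a trust
  #    path and rejects the reply.
  "$KT" -exportcert -alias root-ca -keystore root-ca.jks -storepass "$PASS" \
    -rfc -file root-ca.crt
  "$KT" -importcert -noprompt -alias root-ca -file root-ca.crt \
    -keystore server.jks -storepass "$PASS"
  "$KT" -importcert -noprompt -alias server -file server.crt \
    -keystore server.jks -storepass "$PASS"

  # 5. Client truststore: the CA certificate only, never root-ca.jks itself.
  "$KT" -importcert -noprompt -alias root-ca -file root-ca.crt \
    -keystore truststore.jks -storepass "$PASS"

  # 6. The JKS -> PKCS12 conversion from the cheat sheet.
  "$KT" -importkeystore -noprompt -srckeystore server.jks -srcstorepass "$PASS" \
    -destkeystore server.p12 -deststoretype PKCS12 -deststorepass "$PASS"
)

# chain_length KEYSTORE ALIAS: prints the chain length keytool reports
# (2 once the CA-signed reply is installed, 1 while the cert is self-signed).
chain_length() {
  "$KT" -list -v -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}

# entry_count KEYSTORE: prints the number of entries keytool lists.
entry_count() {
  "$KT" -list -keystore "$1" -storepass "$PASS" 2>/dev/null \
    | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}

# verify_pki DIR: the checks worth scripting before shipping the keystores.
verify_pki() {
  leaf=$("$KT" -list -v -keystore "$1/server.jks" -storepass "$PASS" -alias server 2>/dev/null)
  case "$(printf '%s\n' "$leaf" | awk '/^Issuer:/ {print; exit}')" in
    *"CN=Example Root CA"*) ;;
    *) echo "server cert is not issued by the example CA" >&2; return 1 ;;
  esac
  printf '%s\n' "$leaf" | grep -q 'DNSName: localhost' \
    || { echo "SAN was dropped while signing (missing -ext honored=SAN?)" >&2; return 1; }
  "$KT" -list -v -keystore "$1/root-ca.jks" -storepass "$PASS" -alias root-ca 2>/dev/null \
    | grep -q 'CA:true' || { echo "root-ca is not marked as a CA" >&2; return 1; }
  if "$KT" -list -v -keystore "$1/truststore.jks" -storepass "$PASS" 2>/dev/null \
      | grep -q 'PrivateKeyEntry'; then
    echo "truststore must not contain private keys" >&2; return 1
  fi
}

# Run directly as "sh pki.sh /tmp/pki" to build and verify; sourcing the file
# only defines the functions.
if [ $# -gt 0 ]; then
  build_pki "$1" && verify_pki "$1" \
    && echo "chain length: $(chain_length "$1/server.jks" server), p12 entries: $(entry_count "$1/server.p12")"
fi
```

The default keystore type is PKCS12 on JDK 9 and later and JKS on JDK 8; the script does not pass -storetype, so it works with either, and the same password is used for the store and the key because PKCS12 does not allow them to differ. A verify step of this kind is what catches the two mistakes that usually surface only in production: a SAN silently dropped at signing time, and a CA keystore (private key included) handed out as the "truststore".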
@Hakky54
Author

Hakky54 commented Jul 3, 2021

Thank you for your kind words! ❤️

@ricksonmenezes

Hakky, you can add this to check server certificates and client certificates:

openssl s_client -connect lanzz.org:443

@Hakky54
Author

Hakky54 commented Dec 16, 2022

Hi @ricksonmenezes, thank you for the suggestion; however, I discovered that it can be tricky to use openssl as there are different ways to check the certificates. See here for all of the different ways: https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

Therefore I decided to build my own application to do this kind of stuff, but much simpler; see here: GitHub - Certificate Ripper

The command which I am using is:

crip print -u=https://github.com

See here for a demo:
[demo image]

But if openssl is working for you then there is no need for certificate ripper app.

@anthonyhopp

Rookie working with KeyStores and holy cow this is great!!! Major kudos to you!

@jaykhimani

Thanks Hakan for the nice cheat sheet. Maybe you can also add the command to change the key password:

keytool -keypasswd -alias server -keystore keystore.jks

@Hakky54
Author

Hakky54 commented Nov 14, 2024

@jaykhimani Thank you for the suggestion. I have added it!
