
@isweluiz
Last active June 25, 2021 23:57

The Most Common Java Keytool Keystore Commands

Introduction

keytool

Java Keytool is a key and certificate management tool that is used to manipulate Java Keystores, and is included with Java. A Java Keystore is a container for authorization certificates or public key certificates, and is often used by Java-based applications for encryption, authentication, and serving over HTTPS. Its entries are protected by a keystore password. A keystore entry is identified by an alias, and it consists of keys and certificates that form a trust chain.

This cheat sheet-style guide provides a quick reference to keytool commands that are commonly useful when working with Java Keystores. This includes creating and modifying Java Keystores so they can be used with your Java applications.

Note: For easier management of your Java Keystores (using a GUI) check out Portecle.

Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
  • Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
  • Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
  • Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
  • Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytool for more info)
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Checking

If you need to check the information within a certificate, or Java keystore, use these commands.

  • Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
  • Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
  • Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain
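
One way to turn the listing from `keytool -list -v` into a routine check, as an added example that is not part of the original gist: the script below parses the listing and flags entries that are expired or close to expiry, RSA keys shorter than 2048 bits, and SHA-1/MD5 signatures. It assumes the English-locale output layout of a recent JDK's keytool (the "Valid from ... until ..." and "Subject Public Key Algorithm" lines); the sample listing is constructed for the example, and SAMPLE_LISTING, parse_listing and audit are names chosen here.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of `keytool -list -v -keystore keystore.jks` output: keytool's field layout, made-up values.
SAMPLE_LISTING = """Your keystore contains 2 entries

Alias name: mydomain
Valid from: Fri Jun 25 10:00:00 UTC 2021 until: Sat Jun 25 10:00:00 UTC 2022
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: legacy
Valid from: Sat Jan 10 00:00:00 UTC 2015 until: Fri Jan 10 00:00:00 UTC 2031
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""

# "until: <weekday> <Mon DD HH:MM:SS> <zone> <YYYY>": the weekday and zone abbreviation are skipped.
UNTIL_RE = re.compile(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})")
KEY_RE = re.compile(r"Subject Public Key Algorithm: (\d+)-bit (\w+) key")
SIG_RE = re.compile(r"^Signature algorithm name: (\S+)", re.M)

def parse_listing(text):
    # Split the listing into one block per "Alias name:" and pull out the fields the audit needs.
    entries = []
    for block in re.split(r"\n(?=Alias name: )", text):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue  # keystore header printed before the first alias
        u, k, s = UNTIL_RE.search(block), KEY_RE.search(block), SIG_RE.search(block)
        entries.append({
            "alias": alias.group(1).strip(),
            "expiry": datetime.strptime(f"{u.group(1)} {u.group(2)}", "%b %d %H:%M:%S %Y") if u else None,
            "key_bits": int(k.group(1)) if k else 0,
            "key_alg": k.group(2) if k else "",
            "sig_alg": s.group(1) if s else "",
        })
    return entries

def audit(entries, now_iso, warn_days=30, min_rsa_bits=2048):
    # Return (alias, finding) pairs; now_iso is the reference date, e.g. "2021-06-25".
    now, findings = datetime.fromisoformat(now_iso), []
    for e in entries:
        if e["expiry"] is None or e["expiry"] < now:
            findings.append((e["alias"], "certificate expired or validity period not found"))
        elif e["expiry"] - now < timedelta(days=warn_days):
            findings.append((e["alias"], f"certificate expires within {warn_days} days"))
        if e["key_alg"] == "RSA" and e["key_bits"] < min_rsa_bits:
            findings.append((e["alias"], f"{e['key_bits']}-bit RSA key below {min_rsa_bits} bits"))
        if e["sig_alg"].upper().startswith(("SHA1", "MD5")):
            findings.append((e["alias"], "weak signature algorithm " + e["sig_alg"]))
    return findings
```

To run it against a real keystore, replace SAMPLE_LISTING with the captured output of `keytool -list -v -keystore keystore.jks` and call audit(parse_listing(text), today's date).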

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks
  • Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
  • Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
  • List Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

You can read more here:

https://www.ibm.com/docs/ja/sdi/7.1.1?topic=tdi-manage-keys-certificates-keystores

https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores

https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
