Java Key Tool Reference

java-keytool-reference.md

Java Key Tool Reference

Most Useful Commands

List Key Store Certs

keytool -list \
-keystore example.p12

List Specific Cert

keytool -list \
-v \
-alias example \
-keystore example.p12

Import Cert

keytool -import \
-trustcacerts \
-keystore truststore.jks \
-alias <new-cert> \
-file cert.pem

Delete Cert

keytool -delete \
-alias example \
-keystore example.p12 \
-v

Export Cert

keytool -exportcert \
 -rfc \
 -file cert.pem \
 -keystore example.p12 \
 -alias example

Other Commands

Upgrade Keystore from jks to pkcs12

keytool -importkeystore \
-srckeystore old-jks.jks \
-destkeystore new-pkcs12.p12 \
-deststoretype pkcs12

Generate self-signed cert keystore

keytool -genkeypair \
-alias example \
-keyalg RSA \
-keysize 2048 \
-storetype PKCS12 \
-keystore example.p12 \
-validity 3650

List CA Certs

keytool -list \
-cacerts

List Specific Cert with PEM encoding

keytool -list \
-rfc \
-alias example \
-keystore example.p12

Export cert and key

keytool -importkeystore \
    -srckeystore keystore.jks \
    -destkeystore keystore.p12 \
    -deststoretype PKCS12 \
    -srcalias <jkskeyalias> \
    -deststorepass <password> \
    -destkeypass <password>

openssl pkcs12 -in keystore.p12  -nokeys -out cert.pem

openssl pkcs12 -in keystore.p12  -nodes -nocerts -out key.pem

Source: https://security.stackexchange.com/a/66865

Add Cert Chain via keytool

cat cert.pem chain.pem fullchain.pem >all.pem
openssl pkcs12 -export -in all.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root -password MYPASSWORD
keytool -importkeystore -deststorepass MYPASSWORD -destkeypass MYPASSWORD -destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass MYPASSWORD -alias tomcat
keytool -import -trustcacerts -alias root -file chain.pem -keystore MyDSKeyStore.jks -storepass MYPASSWORD

Source: https://stackoverflow.com/a/40366230