Java Keytool Commands

Keytool is the command-line tool Java systems use to create and manage keystores. The following is a list of commands that let you generate a new Java keystore file, create a CSR, import certificates, convert between keystore types, and inspect keystores.

The file names, aliases, and passwords in the commands below (keystore.jks, mydomain, password, and so on) are examples; substitute your own files and your own naming conventions. Keep track of all your files, aliases, and passwords.


Generating:

  • Generate a Java keystore and key pair:
    • keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
  • Generate a certificate signing request (CSR) for an existing Java keystore:
    • keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
  • Generate a keystore and self-signed certificate:
    • keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Importing:

  • Import an intermediate CA certificate to an existing Java keystore:
    • keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore keystore.jks
  • Import a root CA certificate to an existing Java keystore:
    • keytool -import -trustcacerts -alias root -file root.crt -keystore keystore.jks
  • Import a signed SSL primary certificate to an existing Java keystore:
    • keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Java Keytool Commands for Conversion:

If you need to change the type of keystore.

  • PFX keystore to JKS keystore:
    • keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks -deststoretype JKS
  • JKS keystore to PFX keystore:
    • keytool -importkeystore -srckeystore myjksfile.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore newpfxkeystore.pfx
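The Generating, Importing, and Conversion sections above are the steps of one procedure. The script below, added here as an example and not taken from the original page, runs that procedure end to end offline: it uses a second keystore as a stand-in CA (signing the CSR with keytool -gencert) so no real CA is needed, then imports the chain in the right order and converts the result to PKCS12. The keystore and alias names come from the page; the -dname values, the ca.jks/newpfxkeystore.p12 file names, and the password "changeit" are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original page: key pair -> CSR -> (stand-in CA
# signs it) -> import root then signed cert -> convert JKS to PKCS12 -> verify.
# Assumed: alias/keystore names from the page, constructed -dname values,
# password "changeit". Run from an empty directory: sh keytool-flow.sh run
set -eu

KS=keystore.jks          # server keystore (JKS, as on the page)
CA_KS=ca.jks             # stand-in CA keystore (assumed name)
P12=newpfxkeystore.p12   # PKCS12 copy produced by the conversion step
PASS=changeit            # assumed password; use your own
ALIAS=mydomain

# Generating: key pair, then a CSR for it. -dname keeps it non-interactive.
gen_server_keypair() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=www.example.com, O=Example, C=US" \
    -keystore "$KS" -storetype JKS -storepass "$PASS" -keypass "$PASS"
}
gen_csr() {
  keytool -certreq -alias "$ALIAS" -keystore "$KS" -storepass "$PASS" \
    -file "$ALIAS.csr"
}

# Stand-in CA: a self-signed key pair with a critical BasicConstraints ca:true
# extension (-ext bc:c), exported as root.crt. A real CA would return
# mydomain.crt plus its chain in response to the CSR instead.
make_stand_in_ca() {
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Example Root CA, O=Example, C=US" -ext bc:c \
    -keystore "$CA_KS" -storetype JKS -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -alias ca -keystore "$CA_KS" -storepass "$PASS" \
    -rfc -file root.crt
}
sign_csr() {
  keytool -gencert -alias ca -keystore "$CA_KS" -storepass "$PASS" \
    -infile "$ALIAS.csr" -outfile "$ALIAS.crt" -rfc -validity 365
}

# Importing: order matters. The root (and any intermediates) go in first as
# trusted entries; the signed certificate is then imported under the SAME
# alias as the private key, so keytool validates it against those trusted
# entries and replaces the self-signed placeholder with the real chain.
import_chain() {
  keytool -importcert -trustcacerts -noprompt -alias root -file root.crt \
    -keystore "$KS" -storepass "$PASS"
  keytool -importcert -trustcacerts -alias "$ALIAS" -file "$ALIAS.crt" \
    -keystore "$KS" -storepass "$PASS"
}

# Conversion: JKS -> PKCS12, the same command as in the section above.
convert_to_pkcs12() {
  keytool -importkeystore -srckeystore "$KS" -srcstoretype JKS \
    -srcstorepass "$PASS" -destkeystore "$P12" -deststoretype PKCS12 \
    -deststorepass "$PASS" -noprompt
}

# Checks: the server entry's chain length is 2 once the reply is installed,
# and the converted store still holds the private key entry.
chain_length() {
  keytool -list -v -keystore "$KS" -storepass "$PASS" -alias "$ALIAS" \
    | sed -n 's/^Certificate chain length: //p'
}
p12_entry_type() {
  keytool -list -v -keystore "$P12" -storepass "$PASS" -alias "$ALIAS" \
    | sed -n 's/^Entry type: //p'
}

run_workflow() {
  gen_server_keypair
  gen_csr
  make_stand_in_ca
  sign_csr
  import_chain
  convert_to_pkcs12
}

case "${1:-}" in
  run) run_workflow
       echo "chain length: $(chain_length), PKCS12 entry: $(p12_entry_type)" ;;
esac
```

The order in import_chain is the part that most often goes wrong in practice: importing the signed certificate before its issuers, or under a different alias than the private key, leaves the entry at chain length 1 and the server presenting a self-signed certificate.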

Java Keytool Commands for Checking:

If you need to check the information within a certificate, or Java keystore, use these commands.

  • Check a stand-alone certificate:
    • keytool -printcert -v -file mydomain.crt
  • Check which certificates are in a Java keystore:
    • keytool -list -v -keystore keystore.jks
  • Check a particular keystore entry using an alias:
    • keytool -list -v -keystore keystore.jks -alias mydomain
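The listing commands above are only useful if someone reads their output. The script below, added here as an example and not part of the original page, parses the output of keytool -list -v and flags the three findings most worth catching in a production keystore: a PrivateKeyEntry still at chain length 1 (the signed certificate or CA chain was never imported), a SHA-1 or MD5 signature, and an RSA key under 2048 bits. The field names follow keytool's real -v output; the sample listing embedded in sample_listing is constructed for this example, and the 2048-bit threshold is an assumed policy.

```shell
#!/bin/sh
# Added example, not from the original page: audit "keytool -list -v" output.
# Usage:  keytool -list -v -keystore keystore.jks | sh audit.sh audit
#         sh audit.sh sample    (runs against the constructed listing below)
set -eu

# Reads a -list -v listing on stdin, prints one line per finding.
# Only each entry's first (leaf) certificate is judged; for trustedCertEntry
# there is no Certificate[n] header, so certno stays 0 and the cert is judged.
audit_listing() {
  awk '
    /^Alias name: /               { alias = $3; type = ""; certno = 0 }
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / {
        if (type == "PrivateKeyEntry" && $4 == 1)
          print alias ": PrivateKeyEntry has chain length 1 (CA chain not imported)" }
    /^Certificate\[[0-9]+\]:/     { certno++ }
    certno <= 1 && /^Signature algorithm name: / && $4 ~ /^(MD5|SHA1)with/ {
        print alias ": weak signature algorithm " $4 }
    certno <= 1 && /^Subject Public Key Algorithm: / && $6 == "RSA" {
        split($5, kv, "-")                       # "1024-bit" -> 1024
        if (kv[1] + 0 < 2048)                    # assumed minimum key size
          print alias ": RSA key too short (" $5 ")" }
  '
}

# Constructed sample: one bad private-key entry, one acceptable trusted root.
sample_listing() {
  cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mydomain
Creation date: Jan 5, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example, C=US
Issuer: CN=www.example.com, O=Example, C=US
Serial number: 1a2b3c
Valid from: Fri Jan 05 00:00:00 UTC 2024 until: Sat Jan 04 00:00:00 UTC 2025
Certificate fingerprints:
     SHA1: AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3


*******************************************
*******************************************


Alias name: root
Creation date: Jan 5, 2024
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Serial number: 4d5e6f
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Thu Dec 30 00:00:00 UTC 2033
Certificate fingerprints:
     SHA1: BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
EOF
}

# Number of findings for the constructed sample (3: chain, SHA1, 1024-bit).
count_sample_findings() {
  sample_listing | audit_listing | awk 'END { print NR }'
}

case "${1:-}" in
  sample) sample_listing | audit_listing ;;
  audit)  audit_listing ;;
esac
```

Run it against a real store with the page's own listing command piped in; an empty result means none of the three conditions was found, not that the store is otherwise sound (expiry, for instance, is not checked here).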

Other Java Keytool Commands:

  • Delete a certificate from a Java Keytool keystore:
    • keytool -delete -alias mydomain -keystore keystore.jks
  • Change a Java keystore password:
    • keytool -storepasswd -new newstorepass -keystore keystore.jks
  • Export a certificate from a keystore:
    • keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
  • List Trusted CA Certs:
    • keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Import New CA into Trusted Certs:
    • keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias mydomain -keystore $JAVA_HOME/jre/lib/security/cacerts

If you need to move a keystore from one environment to another, for example from a Tomcat system that uses a .jks keystore to an Apache or IIS system, it is usually easier to generate a new key pair and CSR on the target system and have the certificate reissued. Conversion is still possible, either with OpenSSL or with a conversion application such as Portecle.
