Learning to use Java Keytool Keystore – the basics
Java Keytool is a management platform for private keys and certificates. It lets users manage their public/private key pairs and certificates, and it can also cache certificates. The keys and certificates are stored in what Java has cleverly named a “keystore.”
Today we’re going to learn how to command the Java Keytool Keystore. With our minds. And fingers. But mostly our minds. As Caliban said to Prospero in Shakespeare’s The Tempest:
You taught me language, and my profit on’t
Is, I know how to curse. The red plague rid you
For learning me your language!
Honestly, I feel like I remembered this quote a little differently in college, but basically what Caliban is saying is that the one good thing about learning Prospero’s language is that he can curse at him with it. And that applies to our lesson today because we too will be learning the language of the mighty Java so that we might curse at it. Or at the very least run commands on a keystore during certificate management.
Hey, you try making an article about Java Keytool Commands sound interesting.
Anyway, I’m trying to leave early today so I can head to a furry conv security convention, so let’s get this Java Keystore command guide rolling. Starting with…
What is Java Keytool Keystore?
Java Keytool is a platform for managing certificates and keys. It stores these in a keystore, which contains all of the private keys and certificates necessary to complete a chain of trust and authenticate a primary certificate.
Each certificate in the keystore has its own alias. When you create a Java keystore, you start by creating a .jks file that initially contains only the private key. Afterwards, you generate a CSR and have a certificate issued from it. Then you import the certificate into the keystore along with any associated intermediates or roots. Keytool also lets you view certificates, export them, or list all the ones you have saved.
Now that you have an idea what we’re going over, let’s start cursing at Java.
Java Keytool Commands for Creating and Importing
First let’s go over the most basic of the basics, how to generate and import keys and certificates.
Generate a Java keystore and keypair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
Import a root or intermediate certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
Generate a keystore and a self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
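To see how the create, CSR and import commands above fit together, here is the whole workflow as one script. This is an added example, not code from the original article: it stands in a throw-away CA built with keytool itself (keytool -gencert) so the chain can be completed offline, and then runs the -list checks you would do afterwards. It assumes keytool from a JDK 8 or later is on your PATH and uses -storetype JKS explicitly because JDK 9 and later default to PKCS12; every alias, file name, DN and password in it is a constructed demo value.

```shell
#!/bin/sh
# Added example, not code from the original article: the create/CSR/import
# workflow end to end, using a throw-away CA made with keytool itself so the
# chain can be completed offline. Assumes keytool (JDK 8 or later) is on PATH;
# every file name, alias, DN and password below is a constructed demo value.
set -eu
export LC_ALL=C            # English keytool messages for the checks below

STOREPASS="changeit"       # demo value only

# Step 0: a throw-away CA in its own keystore, marked as a CA (basicConstraints
# ca:true, keyUsage keyCertSign) so the signed reply will chain to it.
make_ca() {
    keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Demo Root CA, O=Example" \
        -ext "bc:c=ca:true" -ext "ku:c=keyCertSign,cRLSign" \
        -keystore "$WORK/ca.jks" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -rfc -alias demo-ca -keystore "$WORK/ca.jks" \
        -storepass "$STOREPASS" -file "$WORK/demo-ca.pem"
}

# Steps 1 and 2: keystore holding the private key, then a CSR for that key.
make_key_and_csr() {
    keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=www.example.test, O=Example" \
        -keystore "$WORK/keystore.jks" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias mydomain -keystore "$WORK/keystore.jks" \
        -storepass "$STOREPASS" -file "$WORK/mydomain.csr"
}

# Step 3: what a real CA does with the CSR, done here by the demo CA.
sign_csr() {
    keytool -gencert -alias demo-ca -keystore "$WORK/ca.jks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -infile "$WORK/mydomain.csr" -outfile "$WORK/mydomain.crt" -rfc -validity 365 \
        -ext "ku:c=digitalSignature,keyEncipherment" -ext "eku=serverAuth" \
        -ext "san=dns:www.example.test"
}

# Step 4: trusted root first, then the signed certificate into the SAME alias
# as the private key. Order matters: keytool refuses a reply whose issuer it
# cannot find among the trusted entries (this keystore or, with -trustcacerts, cacerts).
import_chain() {
    keytool -importcert -noprompt -trustcacerts -alias root \
        -file "$WORK/demo-ca.pem" -keystore "$WORK/keystore.jks" -storepass "$STOREPASS"
    keytool -importcert -trustcacerts -alias mydomain \
        -file "$WORK/mydomain.crt" -keystore "$WORK/keystore.jks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Checks a practitioner runs afterwards; each returns one token on stdout.
entry_type() {   # $1 = alias -> PrivateKeyEntry or trustedCertEntry
    keytool -list -keystore "$WORK/keystore.jks" -storepass "$STOREPASS" -alias "$1" \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}
chain_length() { # chain stored under the key alias: 2 = leaf + demo CA
    keytool -list -v -keystore "$WORK/keystore.jks" -storepass "$STOREPASS" -alias mydomain \
        | sed -n 's/^Certificate chain length: //p'
}

run_demo() {
    WORK="$(mktemp -d)"
    make_ca
    make_key_and_csr
    sign_csr
    import_chain
    echo "mydomain: $(entry_type mydomain), chain length $(chain_length)"
    echo "root: $(entry_type root)"
}

if command -v keytool >/dev/null 2>&1; then
    run_demo
else
    echo "keytool not found on PATH; install a JDK to run this demo" >&2
fi
```

The point to take away is the import order in import_chain: the reply certificate goes into the same alias that holds the private key, and keytool will only install it once it can build a path from that certificate to something it trusts. With a public CA you would import the CA's intermediate and root certificates under their own aliases in the same way before importing the issued certificate.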
Java Keytool Commands for Checking
If you need to check the information contained in a certificate, or Java keystore, here are the commands to use:
Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain
Other Java Keytool Commands
Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks
Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
List Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
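The maintenance commands (password change, delete, export, list) are easier to trust once you have seen what they do to a keystore you can throw away. The script below is an added example, not code from the original article: it builds a two-entry JKS keystore, rotates the store and key passwords, deletes one entry, exports the other's certificate and reads it back with -printcert. It also shows what the JKS store password protects: listing with the old password returns nothing, because keytool treats a wrong store password as a failed integrity check rather than a decryption failure. It assumes keytool from a JDK 8 or later is on PATH; the aliases, names and both passwords are constructed demo values.

```shell
#!/bin/sh
# Added example, not code from the original article: the maintenance commands
# (password change, delete, export) on a throw-away keystore, with a check of
# what the store password actually protects. Assumes keytool (JDK 8 or later)
# is on PATH; aliases, names and passwords are constructed demo values.
set -eu
export LC_ALL=C            # English keytool messages for the checks below

OLD_PASS="changeit"
NEW_PASS="demo-rotated-pass"

setup_store() {
    WORK="$(mktemp -d)"
    STORE="$WORK/keystore.jks"
    # Two self-signed entries, so deleting one still leaves something to list.
    for alias in mydomain selfsigned; do
        keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 360 \
            -dname "CN=$alias.example.test" \
            -keystore "$STORE" -storetype JKS -storepass "$OLD_PASS" -keypass "$OLD_PASS"
    done
}

# Entry count keytool reports for a given store password; empty when the
# password is wrong, because the JKS store password is an integrity check
# (keytool reports "Keystore was tampered with, or password was incorrect").
entry_count() {   # $1 = store password to try
    keytool -list -keystore "$STORE" -storepass "$1" 2>/dev/null \
        | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}

rotate_passwords() {
    keytool -storepasswd -keystore "$STORE" -storepass "$OLD_PASS" -new "$NEW_PASS"
    # -storepasswd leaves each private key's own password untouched; rotate
    # those as well, or the store and key passwords silently drift apart.
    for alias in mydomain selfsigned; do
        keytool -keypasswd -alias "$alias" -keystore "$STORE" -storepass "$NEW_PASS" \
            -keypass "$OLD_PASS" -new "$NEW_PASS"
    done
}

delete_and_export() {
    keytool -delete -alias selfsigned -keystore "$STORE" -storepass "$NEW_PASS"
    # The export contains only the public certificate, never the private key.
    keytool -exportcert -rfc -alias mydomain -keystore "$STORE" \
        -storepass "$NEW_PASS" -file "$WORK/mydomain.crt"
}

# Subject line that -printcert shows for the exported file.
exported_owner() {
    keytool -printcert -file "$WORK/mydomain.crt" | sed -n 's/^Owner: //p'
}

run_maintenance_demo() {
    setup_store
    rotate_passwords
    delete_and_export
    echo "entries with old password: '$(entry_count "$OLD_PASS")' (expected empty)"
    echo "entries with new password: $(entry_count "$NEW_PASS")"
    echo "exported certificate owner: $(exported_owner)"
}

if command -v keytool >/dev/null 2>&1; then
    run_maintenance_demo
else
    echo "keytool not found on PATH; install a JDK to run this demo" >&2
fi
```

Two things worth noting when you run this against a real keystore. First, -storepasswd only changes the store password; each private key keeps its own, so a rotation is not finished until -keypasswd has been run for every key entry. Second, the cacerts path in the commands above is the JDK 8 layout; on JDK 9 and later the bundled trust store lives at $JAVA_HOME/lib/security/cacerts and keytool accepts -cacerts in place of -keystore to address it. Importing into cacerts changes what every Java application on that machine trusts, so treat that file like any other system trust store and keep it out of this kind of experiment.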
You can find more commands and related resources in the Java Keytool documentation.