A Simple Guide on Java Keytool Keystore Commands


Learning to use Java Keytool Keystore – the basics

Java Keytool is a management platform for private keys and certificates, providing users with the ability to manage their public/private key pairs and certificates in addition to caching certificates. The keys and certificates are stored in what Java has cleverly named a “keystore.”

Today we’re going to learn how to command the Java Keytool Keystore. With our minds. And fingers. But mostly our minds. As Caliban said to Prospero in Shakespeare’s The Tempest:

You taught me language, and my profit on’t
Is, I know how to curse. The red plague rid you
For learning me your language!

Honestly, I feel like I remembered this quote a little differently in college, but basically what Caliban is saying is that the one good thing about learning Prospero’s language is that he can curse at him with it. And that applies to our lesson today because we too will be learning the language of the mighty Java so that we might curse at it. Or at the very least run commands on a keystore during certificate management.

Hey, you try making an article about Java Keytool Commands sound interesting.

Anyway, I’m trying to leave early today so I can head to a furry conv security convention, so let’s get this Java Keystore command guide rolling. Starting with…

What is Java Keytool Keystore

Java Keytool is a platform for managing certificates and keys. It stores these in a keystore, which contains all of the private keys and certificates necessary to complete a chain of trust and authenticate a primary certificate.

Each certificate in the keystore has its own alias. When you create a Java keystore you start by creating a .jks file that starts off with only the private key. Afterwards, you generate a CSR and have a certificate issued from it. Then you import the certificate into the keystore along with any associated intermediates or roots. The keytool will also allow you to view certificates, export them or see a list of all the ones you have saved.

Now that you have an idea what we’re going over, let’s start cursing at Java.

Java Keytool Commands for Creating and Importing

First let’s go over the most basic of the basics, how to generate and import keys and certificates.

Generate a Java keystore and keypair

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Generate a certificate signing request (CSR) for an existing Java keystore

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

Import a root or intermediate certificate to an existing Java keystore

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

Import a signed primary certificate to an existing Java keystore

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Generate a keystore and a self-signed certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Checking

If you need to check the information contained in a certificate, or Java keystore, here are the commands to use:

Check a stand-alone certificate

keytool -printcert -v -file mydomain.crt

Check which certificates are in a Java keystore

keytool -list -v -keystore keystore.jks

Check a particular keystore entry using an alias

keytool -list -v -keystore keystore.jks -alias mydomain
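What to look for in that listing, as an added example (not from the original article): a Python script that reads the text printed by keytool -list -v and flags self-signed key entries, certificates that are expired or close to expiry, and RSA keys shorter than the 2048 bits used in the commands above. The sample listing is constructed, the function names and the 30-day threshold are assumptions, and the field labels are those printed by recent JDKs in an English locale.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of `keytool -list -v` output (not from a real keystore).
SAMPLE = """\
Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=www.example.test, O=Example
Issuer: CN=www.example.test, O=Example
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Thu Dec 26 00:00:00 UTC 2024
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Test Root CA
Issuer: CN=Example Test Root CA
Valid from: Sat Jan 01 00:00:00 UTC 2000 until: Tue Jan 01 00:00:00 UTC 2030
Subject Public Key Algorithm: 1024-bit RSA key
"""

def parse_entries(text):
    # One dict per alias; in a chain the first (leaf) certificate's fields win.
    entries = []
    for block in text.split("Alias name: ")[1:]:
        head, *rest = block.splitlines()
        fields = {"Alias name": head.strip()}
        for key, sep, value in (line.partition(": ") for line in rest):
            if sep:
                fields.setdefault(key.strip(), value.strip())
        entries.append(fields)
    return entries

def not_after(entry):
    # Java prints 'Thu Dec 26 00:00:00 UTC 2024'; weekday and zone name are dropped.
    tok = entry["Valid from"].split("until: ")[1].split()
    return datetime.strptime(" ".join(tok[1:4] + tok[5:6]), "%b %d %H:%M:%S %Y")

def audit(text, now, warn_days=30):
    findings = []
    for e in parse_entries(text):
        alias = e["Alias name"]
        if e.get("Entry type") == "PrivateKeyEntry" and e.get("Owner") == e.get("Issuer"):
            findings.append((alias, "self-signed key entry"))
        if not_after(e) - now < timedelta(days=warn_days):
            findings.append((alias, "expired or expiring soon"))
        bits = re.match(r"(\d+)-bit RSA", e.get("Subject Public Key Algorithm", ""))
        if bits and int(bits.group(1)) < 2048:
            findings.append((alias, "RSA key under 2048 bits"))
    return findings
```

Call audit() with the captured output of the listing command and the current time, for example audit(SAMPLE, datetime(2024, 12, 1)); it returns a list of (alias, finding) pairs.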

Other Java Keytool Commands

Delete a certificate from a Java Keytool keystore

keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password

keytool -storepasswd -new new_storepass -keystore keystore.jks

Export a certificate from a keystore

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

List Trusted CA Certs

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Import New CA into Trusted Certs

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

You can find additional commands and resources in the Java Keytool documentation.

Java Code Signing Certificates

Protect software and its digital assets like scripts, code, and content with a Java Code Signing Certificate.