Java keytool command references

Printer-friendly versionPDF version

Here are some commands I just found lying around that I once used when working with SSL enablement for a product. I think they should be useful examples for some one wanting to work with the keytool. So decided to just put these out there simply.

First a quick quotation from Oracle Java what the keyool is and does from their doc page here. ( I have linked to java se 6 docu as I believe that is what I actually used for the example commands ) :

keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.

A certificate is a digitally signed statement from one entity (person, company, etc.), saying that the public key (and some other information) of some other entity has a particular value. (See Certificates.) When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.

keytool also enables users to administer secret keys used in symmetric encryption/decryption (e.g. DES).

keytool stores the keys and certificates in a keystore.


Here is how to change a password in a keystore:

keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass

Here is how to change the password of the default java store

keytool -storepasswd -new changeit -keystore "C:\Programme\Java\jre1.6.0_01\lib\security\cacerts" -storepass="myNewSecretPass" -v

Here is how to create a new certificate request

keytool -certreq -alias ahsan -file "d:\keytool\newCer.csr" -keystore "d:\keytool\.keystore" -storepass theNewPass -storetype jks

Here is how to delete an alias from a truststore

keytool -delete -alias ahsan -storetype jks -keystore "D:\user-truststore\.truststore" -storepass thePasswordToThisStore -v

Here is how to export the certificate of an alias from the keystore

keytool -export -alias ahsan -file "d:\data\ahsan.cer" -storetype jks -keystore "d:\data\.keystore" -storepass theStorePassword -v

Here is how to generate a key in a keystore

keytool -validity 999 -genkey -keyalg RSA -keypass theKeyPass -sigalg MD5withRSA -keysize 1024 -alias ahsan -keystore "d:\data\.keystore" -storepass theStorePass -storetype jks -dname "CN=Ahsan, OU=Ahsan, O=Ahsan, L=Karlsruhe, S=BW, C=DE" -v

Here is how to import a certificate into the java keystore

keytool -import -alias ahsan -file "D:\my.cer" -keypass theKeyPass -storetype jks -keystore "C:\Programme\Java\jre1.6.0_01\lib\security\cacerts" -storepass changeit -v

Here is how to list the contents of the Java keystores or trust stores

keytool -list -storetype jks -keystore "D:/DummyClientKeyFile.jks " -storepass password -v
keytool -list -storetype jks -keystore "D:/DummyClientTrustFile.jks" -storepass password -v

Here is how to print the certificates from a keystore

keytool -printcert -file "D:\client.cert" -v



Top level category:

Add new comment