Java Keytool is the key and certificate management utility that ships with the Java Development Kit (JDK). It lets users manage their own public/private key pairs and certificates, and store the certificates of other parties (for example certificate authorities) that they choose to trust. Keytool keeps keys and certificates in a keystore, which by default is a file on disk. A store password protects the integrity of the file, and the private keys in it are encrypted; in the JKS format each private key can carry its own key password, while in PKCS12 the key and store passwords are the same. Since JDK 9 the default keystore type is the standard PKCS12 format; older JDKs default to the proprietary JKS format, which is what the .jks files in the commands below use.

A Keytool keystore holds the private key together with the certificates needed to complete a chain of trust from the entity's own certificate up to a trusted root. Each entry in a keystore is identified by a unique alias. To obtain a CA-signed certificate you first generate a key pair; at that point the keystore contains the private key and a self-signed placeholder certificate for it. You then generate a certificate signing request (CSR) for that entry and have a certificate issued from it. Finally you import the CA's root and intermediate certificates, followed by the signed certificate under the same alias as the key pair, which replaces the placeholder with the CA-signed chain. Keytool also has commands to view the details of a certificate, list the certificates contained in a keystore, and export a certificate.
Note: For easier management of your Java keystores using a GUI, check out Portecle.
Below, we have listed the most common Java Keytool keystore commands and their usage:
Java Keytool Commands for Creating and Importing
These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates must be imported before the primary certificate for your domain, because keytool needs them in the keystore to build the chain for the primary certificate. The commands below use the original spellings -genkey, -import and -export; current JDKs document them as -genkeypair, -importcert and -exportcert and still accept the old names as aliases.
- Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Keytool prompts for the distinguished name (the CN should be the hostname the certificate is for) and for the keystore and key passwords. Without -validity the self-signed placeholder certificate is valid for only 90 days; 2048 bits is the minimum acceptable RSA key size today. On JDK 9 and later the file is created as PKCS12 regardless of the .jks extension unless -storetype JKS is given, and operating on a JKS keystore prints a warning recommending migration to PKCS12.
- Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
The CSR is signed with the private key stored under the alias and carries the distinguished name entered when the key pair was generated. Subject alternative names are not included unless requested, for example with -ext SAN=dns:www.example.com, although most CAs take the names from their order form rather than from the CSR.
- Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
Give each CA certificate its own alias (for example root and intermediate). With -trustcacerts keytool also consults the JDK's own cacerts file when deciding whether the certificate is already trusted; if it cannot chain the certificate to a known trust anchor it prints the certificate and asks whether to trust it. Compare the fingerprint shown against the one published by the CA before answering yes.
- Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
The alias must be the one used for the key pair: keytool then treats the file as a certificate reply, checks that its public key matches the private key in that entry, builds the chain from the CA certificates imported earlier (and from cacerts, because of -trustcacerts), and replaces the self-signed placeholder with the full chain. If the issuer's certificate is missing the import fails with "Failed to establish chain from reply"; import the intermediate and root first and retry.
- Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytool for more info)
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
A password passed with -storepass ends up in the shell history and is visible to other users of the machine in the process list while keytool runs. Leave the option out to be prompted, or supply it indirectly with -storepass:env VARIABLE or -storepass:file path.
Java Keytool Commands for Checking:
If you need to check the information within a certificate, or Java keystore, use these commands.
- Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
This works for both PEM and DER encoded files and prints the subject, issuer, serial number, validity period, extensions (including subject alternative names) and the certificate's fingerprints, which are what you compare out of band before importing a CA certificate.
- Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
Keytool asks for the keystore password. Each entry is shown with its alias, its type (PrivateKeyEntry for a key pair with its chain, trustedCertEntry for an imported CA certificate), its certificate chain length and the details of each certificate in the chain, including the validity dates that tell you when a renewal is due.
- Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain
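The create, CSR and import procedure above, followed by the checking commands, as one added example that is not part of the original page: a POSIX shell script that runs the whole lifecycle and then verifies the result with -list -v and -exportcert. Because the CA-signed step needs an issuer, it builds a throwaway CA with openssl so that everything runs offline; that CA, the alias mydomain, the file names, the demo passwords and the helper functions (step, kt, make_test_ca, sign_csr, run_keytool_lifecycle) are assumptions chosen for this demonstration. It uses the current command names (-genkeypair, -importcert, -exportcert) and a PKCS12 keystore, needs keytool (JDK 8 or later) and openssl on PATH, and returns 77 if either is missing.

```shell
#!/bin/sh
# Added example, not code from the original page: the keytool lifecycle from the
# lists above, run end to end against a test CA built here with openssl.
# Every name, path and password below is a demo assumption.

STOREPASS='demo-store-pass'   # demo value; a real deployment must not hard-code this

# Run one command; its output is kept in a log that is shown only if it fails.
step() {
    desc=$1; shift
    if "$@" >"$work/step.log" 2>&1; then
        printf 'ok   %s\n' "$desc"
    else
        printf 'FAIL %s\n' "$desc" >&2
        cat "$work/step.log" >&2
        return 1
    fi
}

# keytool against the demo keystore (explicit PKCS12 so JDK 8 does not assume JKS).
kt() {
    keytool "$@" -keystore "$ks" -storetype PKCS12 -storepass "$STOREPASS"
}

# Self-signed test CA (constructed for the demo). CA:TRUE and keyCertSign are set
# explicitly so that openssl verify accepts it as an issuer.
make_test_ca() {
    cat >"$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Demo Test CA
O = Not a real CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$work/ca.cnf" -keyout "$work/ca.key" -out "$work/ca.crt"
}

# The CA signs keytool's CSR, adding the leaf extensions a real CA would add.
sign_csr() {
    cat >"$work/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mydomain.example
EOF
    openssl x509 -req -sha256 -days 30 -in "$work/mydomain.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -extfile "$work/leaf.ext" -out "$work/mydomain.crt"
}

run_keytool_lifecycle() {
    for tool in keytool openssl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "SKIP: $tool not on PATH" >&2; return 77; }
    done
    work=$(mktemp -d) || return 1
    ks="$work/keystore.p12"

    # 1. key pair plus self-signed placeholder; -dname and the explicit passwords
    #    replace the interactive prompts (PKCS12 needs key pass == store pass)
    step "generate key pair" kt -genkeypair -alias mydomain -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 -dname 'CN=mydomain.example, O=Demo' \
        -keypass "$STOREPASS" || return 1
    # 2. CSR signed by that private key
    step "create CSR" kt -certreq -alias mydomain -file "$work/mydomain.csr" || return 1
    # 3. the CA's side, standing in for the commercial CA on the page
    step "build test CA" make_test_ca || return 1
    step "CA signs CSR" sign_csr || return 1
    # 4. CA certificate first, under its own alias; -noprompt answers "trust it"
    step "import CA cert" kt -importcert -noprompt -alias demo-ca -file "$work/ca.crt" || return 1
    # 5. signed certificate under the key pair's alias: keytool checks that it
    #    matches the private key and chains it to the CA imported in step 4
    step "import signed cert" kt -importcert -alias mydomain -file "$work/mydomain.crt" || return 1

    # Check 1: the entry must now carry a two-certificate chain (leaf + CA)
    DEMO_CHAIN_LENGTH=$(kt -list -v -alias mydomain 2>/dev/null |
        sed -n 's/^Certificate chain length: //p')
    [ "$DEMO_CHAIN_LENGTH" = "2" ] ||
        { echo "FAIL chain length is '$DEMO_CHAIN_LENGTH', expected 2" >&2; return 1; }
    # Check 2: the exported leaf (PEM, via -rfc) must verify against the CA
    step "export leaf as PEM" kt -exportcert -rfc -alias mydomain -file "$work/mydomain.pem" || return 1
    step "openssl verify" openssl verify -CAfile "$work/ca.crt" "$work/mydomain.pem" || return 1

    echo "keystore with CA-signed chain left for inspection in $ks"
    return 0
}

run_keytool_lifecycle
```

Each keytool call is the command from the lists above with -dname, -noprompt and explicit passwords added so that nothing prompts; outside a demo the store password should be supplied by prompt, -storepass:env or -storepass:file rather than written into a script. The working directory is left in place so the keystore, CSR and certificates can be examined with -list -v and -printcert afterwards.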
Other Java Keytool Commands
- Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks
Deleting the alias of a PrivateKeyEntry removes the private key together with its certificate chain, and there is no undo; back up the keystore file first.
- Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
Omit -new to be prompted for the new password instead of leaving it in the shell history. In a JKS keystore each private key has its own password, which -storepasswd leaves unchanged; use -keypasswd -alias mydomain for that. PKCS12 keystores do not support distinct store and key passwords.
- Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
The output is binary DER; add -rfc to get a PEM (Base64) file instead. This exports only the certificate, never the private key; to move a private key between keystores use -importkeystore, which copies whole entries.
- List Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
This path is the JDK 8 and earlier layout; on JDK 9 and later the file is $JAVA_HOME/lib/security/cacerts, and keytool accepts -cacerts in place of -keystore to locate it automatically. The default password of the cacerts file is changeit.
- Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
Adding a CA here makes every application running on that JDK trust it, and the change is lost when the JDK is upgraded or reinstalled. For a single application it is usually better to import the CA into a separate truststore and point the application at it with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword.