The Most Common Java Keytool Keystore Commands

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file. It protects private keys with a password. A Keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file, which will initially only contain the private key. You will then generate a CSR and have a certificate generated from it. Then you will import the certificate into the keystore, including any root certificates. Java Keytool also has several other functions that allow you to view the details of a certificate, list the certificates contained in a keystore, or export a certificate.

Note: For easier management of your Java keystores (using a GUI), check out Portecle. If you need to buy a certificate, try comparing SSL certificates with our SSL Wizard.

Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair

    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

  • Generate a certificate signing request (CSR) for an existing Java keystore

    keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

  • Import a root or intermediate CA certificate to an existing Java keystore

    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

  • Import a signed primary certificate to an existing Java keystore

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

  • Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytool for more info)

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Checking

If you need to check the information within a certificate, or Java keystore, use these commands.

  • Check a stand-alone certificate

    keytool -printcert -v -file mydomain.crt

  • Check which certificates are in a Java keystore

    keytool -list -v -keystore keystore.jks

  • Check a particular keystore entry using an alias

    keytool -list -v -keystore keystore.jks -alias mydomain
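A check that ties the import-order rule above ("root or intermediate certificates need to be imported before the primary certificate") to the `-list -v` output: the script below is an added example, not part of the original page, and it audits a constructed, abridged `keytool -list -v` listing rather than a real keystore. It flags any PrivateKeyEntry whose chain length is still 1 (CA chain never imported, or still the self-signed certificate from `-genkey`) and, going a step beyond the page, any leaf certificate signed with MD2/MD5/SHA1.

```shell
#!/bin/sh
# Added example, not from the original page: audit the text printed by
# `keytool -list -v -keystore keystore.jks` for the two things the procedure
# above depends on: (1) each PrivateKeyEntry carries a full chain, i.e. the
# root/intermediate certificates were imported before the signed primary
# certificate (chain length > 1); (2) no leaf certificate is signed with a
# weak algorithm (MD2/MD5/SHA1). Reads a listing on stdin and prints one
# finding per line; prints nothing when the keystore looks healthy.
audit_listing() {
    awk '
    function flush() {
        if (alias == "") return
        if (type == "PrivateKeyEntry" && chain + 0 < 2)
            print alias ": private key entry has chain length " chain " (intermediate/root not imported, or still self-signed)"
        if (sigalg ~ /^(MD2|MD5|SHA1)with/)
            print alias ": weak signature algorithm " sigalg
        alias = ""
    }
    /^Alias name:/ { flush(); alias = $0; sub(/^Alias name: */, "", alias); type = ""; chain = 1; sigalg = "" }
    /^Entry type:/ { type = $3 }
    /^Certificate chain length:/ { chain = $4 }
    # the first "Signature algorithm name" after an alias is Certificate[1], the leaf
    /^Signature algorithm name:/ { if (sigalg == "") sigalg = $4 }
    END { flush() }
    '
}

# Constructed sample listing (abridged keytool -list -v output): "mydomain" was
# generated with -genkey, signed with MD5withRSA and never had a CA chain
# imported; "root" is a trusted CA entry and should produce no finding.
SAMPLE_LISTING=$(cat <<'EOF'
Keystore type: JKS
Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example Inc, C=US
Issuer: CN=www.example.com, O=Example Inc, C=US
Signature algorithm name: MD5withRSA
*******************************************
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Inc, C=US
Issuer: CN=Example Root CA, O=Example Inc, C=US
Signature algorithm name: SHA256withRSA
EOF
)

printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

To audit a real keystore, pipe the live listing in instead: `keytool -list -v -keystore keystore.jks | audit_listing`.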

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool keystore

    keytool -delete -alias mydomain -keystore keystore.jks

  • Change a Java keystore password

    keytool -storepasswd -new new_storepass -keystore keystore.jks

  • Export a certificate from a keystore

    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

  • List Trusted CA Certs

    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Import New CA into Trusted Certs

    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.

Originally posted on Sun Jul 13, 2008

Comments (48)

  1. Parimal:
    Jul 24, 2014 at 11:15 PM

    I created the keystore in a temporary location, not in the actual location. How can I validate whether the keystore I created is correct or not? Is there any command to validate the keystore I created at the temporary location? Once validated, I'll copy that keystore to the actual location and bounce WebLogic.

  2. Inboots:
    Mar 27, 2014 at 10:42 AM

    If I made a mistake and put my private key in, let's say, the hostname alias and need to move it to an existing alias into which I have already imported the certificate it relates to, what command would be used? The following command will only move it to a new alias that doesn't already exist. How do I modify the syntax to move it to an existing alias?

        keytool -changealias -alias "your-very-very-long-alias" -destalias "new-alias" -keypass keypass -keystore /path/to/keystore -storepass storepass

  3. Mye Receipts:
    Mar 07, 2014 at 12:28 PM

    How do you save the -list output to a file so that you can view and send the output to others?

  4. kavya:
    Oct 30, 2013 at 02:21 AM

    I want to export all the certificates in the truststore to a local path at one time. The command below is what I used for 1 certificate by getting the alias name:

        keytool -exportcert -alias aliasname -file /tmp/cert/cer1.cer -keystore path/truststore.jks

    How can I import all in one shot?

  5. pratik:
    Jun 20, 2013 at 12:37 AM

    Satish, Did you find resolution for your Query?

  6. Nicolò:
    Apr 13, 2013 at 10:38 AM

    Hello, I'm developing an application which needs the user's secret and API keys. I'm currently storing the keys in a configuration file. Can I achieve a better result by using the keystore? Thank you in advance

  7. Sri:
    Mar 13, 2013 at 01:42 PM

    Can anyone please tell me the difference between "Generate a Java keystore and key pair":

        keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

    and "Generate a keystore and self-signed certificate":

        keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

    Both are creating a keystore with a self-signed private key in it. I thought it would generate a key pair with 1 private key and 1 public key, but there is no public key in these. Thanks, Sri

  8. sreeni:
    Jan 02, 2013 at 02:32 AM

    I copied the .jks file onto the C: drive and tried to open that file using this command:

        keytool -list -v -keystore keystore.jks

    and got this: java.io.IOException: Invalid keystore format

  9. mahesh:
    Oct 18, 2012 at 12:28 AM

    Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate. To disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true. at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1874)

  10. david garvey:
    Oct 17, 2012 at 04:16 PM

    Hey, shouldn't this be the cacerts file? "Import a root or intermediate CA certificate to an existing Java keystore":

        keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

        keytool -import -trustcacerts -alias root -file Thawte.crt -keystore cacerts

  11. Robert:
    Jun 13, 2012 at 04:01 AM

    Good afternoon! Please advise. At certificate creation, its validity term turns out to be 90 days!!! How do I change this term? Our actions are below. We create the container:

        keytool -genkey -keyalg RSA -sigalg MD5withRSA -dname "CN=SKBbank, OU=Soft_development, O=SKBBank, L=Ekaterinburg" -alias psit_ssmd5_unistream_client -validity 3600 -keystore psit_g2_unistream_client.jks -storepass

    Changed 3600 to another figure; however, the term still turns out to be 3 months. P.S. Tried on other personal computers, the result doesn't change. Still 90 days.

  12. Robert:
    May 20, 2012 at 09:24 AM

    When I am trying to generate a CSR in Solaris using a Windows key file, it won't ask me to enter the key password; however, the CSR is generated. My concern is whether this CSR will work or not.

  13. Robert:
    Feb 28, 2012 at 12:12 PM

    Hi, I have an Apache that would start. The error is saying that the private key file can't be found. Researching the error leads me to think that the private key file can't be opened because it's p/w protected. Is there a way to remove the password from the private key, OR create a script that will supply Apache with the p/w it needs to open the key file? TIA

  14. Nagaveni:
    Feb 08, 2012 at 10:15 PM

    Hi, I have a .store file where I need to create a certificate for passing that on an SSL connection for HTTPS. I tried the command:

        "C:\Program Files\Java\jre6\bin\keytool" -genkeypair -alias certificate -keystore UPCC_client.store -storepass my_password -validity 365 -keysize 2048 -storetype pkcs12

    I am not sure if I am using a proper command to generate it. I am having an error as below:

        keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

    Please comment if you could help. Thanks in advance, Nagaveni

  15. Rayon:
    Jan 09, 2012 at 04:45 AM

    After changing the storepasswd, in case you get the error "java.io.IOException: Cannot recover key", you have to change the keypasswd, too:

        keytool -keypasswd -keystore keystore.jks -alias

    Hint: can be figured out with keytool -list -keystore keystore.jks. Watch the first field in the line with the "PrivateKeyEntry" keyword, e.g. , Jan 9, 2012, PrivateKeyEntry
