The Most Common Java Keytool Keystore Commands

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file. It protects private keys with a password. A Keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore, you first create the .jks file, which initially contains only the private key. You then generate a CSR and have a certificate issued from it, and finally import that certificate into the keystore along with any root certificates. Java Keytool also has several other functions that let you view the details of a certificate, list the certificates contained in a keystore, or export a certificate.

Note: For easier management of your Java Keystores (using a GUI) check out Portecle. If you need to buy a certificate, try to compare SSL with our SSL Wizard.

Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair

    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

  • Generate a certificate signing request (CSR) for an existing Java keystore

    keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

  • Import a root or intermediate CA certificate to an existing Java keystore

    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

  • Import a signed primary certificate to an existing Java keystore

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

  • Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytool for more info)

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
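The create, CSR and import sequence above, run end to end as an added example (not part of the original page): a throwaway local CA stands in for the commercial issuer, and the script shows that importing the signed certificate before its root is rejected. The demo-ca alias, the mydomain.example name, the file names and the password are assumptions made for the demo.

```sh
# Added example (not from the original page). Aliases, file names, the DNs and
# the password are constructed for the demo.
PASS=demo-pass-123   # passed via -storepass only to run unattended; omit to be prompted

# Run keytool quietly and without a terminal, so success is the exit status.
kt() { keytool "$@" -storepass "$PASS" </dev/null >/dev/null 2>&1; }

make_ca() {        # throwaway local CA standing in for the real issuer
  kt -genkey -alias demo-ca -keyalg RSA -keysize 2048 -validity 30 \
     -dname "CN=Demo Test CA" -ext bc=ca:true \
     -keystore "$1/ca.jks" -keypass "$PASS" &&
  kt -export -rfc -alias demo-ca -keystore "$1/ca.jks" -file "$1/root.crt"
}

make_request() {   # key pair, then CSR, as in the first two commands above
  kt -genkey -alias mydomain -keyalg RSA -keysize 2048 \
     -dname "CN=mydomain.example" \
     -keystore "$1/keystore.jks" -keypass "$PASS" &&
  kt -certreq -alias mydomain -keystore "$1/keystore.jks" -file "$1/mydomain.csr"
}

sign_request() {   # the CA's side: turn the CSR into mydomain.crt
  kt -gencert -rfc -alias demo-ca -keystore "$1/ca.jks" -validity 30 \
     -infile "$1/mydomain.csr" -outfile "$1/mydomain.crt"
}

import_root() {
  kt -import -trustcacerts -noprompt -alias root \
     -file "$1/root.crt" -keystore "$1/keystore.jks"
}
import_primary() { # must reuse the alias that holds the private key
  kt -import -trustcacerts -alias mydomain \
     -file "$1/mydomain.crt" -keystore "$1/keystore.jks"
}

chain_length() {   # 1 = still self-signed, 2 = signed cert + root installed
  keytool -J-Duser.language=en -list -v -alias mydomain \
     -keystore "$1/keystore.jks" -storepass "$PASS" 2>/dev/null |
     sed -n 's/^Certificate chain length: //p'
}

run_demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" && make_request "$d" && sign_request "$d" || return 1
  import_primary "$d" && { echo "reply accepted without its root"; return 1; }
  import_root "$d" && import_primary "$d" || return 1
  echo "chain length after import: $(chain_length "$d")"
  rm -rf "$d"
}
```

Source the file and call run_demo; it needs only a JDK's keytool on the PATH and writes everything to a temporary directory.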

Java Keytool Commands for Checking

If you need to check the information within a certificate, or Java keystore, use these commands.

  • Check a stand-alone certificate

    keytool -printcert -v -file mydomain.crt

  • Check which certificates are in a Java keystore

    keytool -list -v -keystore keystore.jks

  • Check a particular keystore entry using an alias

    keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool keystore

    keytool -delete -alias mydomain -keystore keystore.jks

  • Change a Java keystore password

    keytool -storepasswd -new new_storepass -keystore keystore.jks

  • Export a certificate from a keystore

    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

  • List Trusted CA Certs

    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Import New CA into Trusted Certs

    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.

Posted on July 11, 2008
Posts: 32
How to move private key from current alias to existing alias?
Reply #47 on : Thu March 27, 2014, 12:42:46
If I made a mistake and put my private key in, let's say, the hostname alias and need to move it to an existing alias into which I have already imported the certificate it relates to, what command would be used? The following command will only move it to a new alias that doesn't already exist. How do I modify the syntax to move it to an existing alias?

keytool -changealias -alias "your-very-very-long-alias" -destalias "new-alias" -keypass keypass -keystore /path/to/keystore -storepass storepass
Mye Receipts
Posts: 32
-list output too long
Reply #46 on : Fri March 07, 2014, 14:28:45
How do you save the -list output to a file so that you can view and send the output to others?
Posts: 32
command to export all the certificates in truststore at once
Reply #45 on : Wed October 30, 2013, 04:21:27
I want to export all the certificates in the truststore to a local path at one time.
Below is the command I used for 1 certificate by getting the alias name:
keytool -exportcert -alias aliasname -file /tmp/cert/cer1.cer -keystore path/truststore.jks

How can I import all in one shot?
Posts: 32
Renewal of certificates
Reply #44 on : Thu June 20, 2013, 02:37:57

Did you find resolution for your Query?
Posts: 32
Can I store REST api?
Reply #43 on : Sat April 13, 2013, 12:38:16
I'm developing an application which need the user's secret and api keys. I'm currently storing the keys in a configuration file.

Can I achieve a better result by using the keystore?

Thank you in advance
Posts: 32
difference between these 2 commands
Reply #42 on : Wed March 13, 2013, 15:42:48
Can anyone please tell me the difference between

Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048


Generate a keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

both are creating a keystore with self-signed private key in it. I thought it would generate a key pair with 1 private key and 1 public key, but there is no public key in these.

Posts: 32
Comment Invalid keystore format
Reply #41 on : Wed January 02, 2013, 04:32:28
I copied the .jks file to the C: drive and tried to open that file using the command keytool -list -v -keystore keystore.jks and got this: Invalid keystore format
Posts: 32
error help me
Reply #40 on : Thu October 18, 2012, 02:28:24
Caused by: The https URL hostname does not match the Common Name (CN) on the server certificate. To disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
david garvey
Posts: 32
import ca and intermediate ca
Reply #39 on : Wed October 17, 2012, 18:16:49
Hey shouldn't this be the cacerts file?

Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore cacerts
Posts: 1
validity period
Reply #38 on : Wed June 13, 2012, 06:01:46
Good afternoon!

Prompt, please. At certificate creation, term of its action turns out 90 days!!! How to change this term?
Our actions are lower:

We create the container

keytool -genkey -keyalg RSA -sigalg MD5withRSA -dname "CN=SKBbank,
OU=Soft_development, O=SKBBank, L=Ekaterinburg" -alias
psit_ssmd5_unistream_client -validity 3600 -keystore
psit_g2_unistream_client.jks -storepass <?????? ??? ???????????>

changed 3600 for other figure - however all the same term turns out for 3 months.

P.S. Tried on other personal computers, the result doesn't change. All the same 90 days.
Posts: 1
Can we generate a CSR in Solaris using a Windows key file
Reply #37 on : Sun May 20, 2012, 11:24:00
When I am trying to generate a CSR in Solaris using a Windows key file, it won't ask me to enter the key password; however, the CSR is generated. My concern is: will this CSR work or not?
Posts: 1
Apache Web Server won't start
Reply #36 on : Tue February 28, 2012, 14:12:11
Hi, I have an Apache that would start. The error is saying that the private key file can't be found. Researching the error leads me to think that the private key file can't be opened because it's p/w protected. Is there a way to remove the password from the private key OR create a script that will supply Apache with the p/w it needs to open the key file? TIA
Posts: 32
creating certificates for .store file
Reply #35 on : Thu February 09, 2012, 00:15:58

I have a .store file where I need to create a certificate for parsign that on a ssl connection for HTTPS. I tried the command
"C:\Program Files\Java\jre6\bin\keytool" -genkeypair -alias certificate -keystore -storepass my_password -validity 365 -keysize 2048 -storetype pkcs12

I am not sure if I am using a proper command to generate it. I am having an error as below
keytool error: DerInputStream.getLength(): lengthTag=109, too big.

Please comment if you could help.

Thanks in advance
Posts: 32
Change a Java keystore password
Reply #34 on : Mon January 09, 2012, 06:45:52
After changing the storepasswd, in case you get the error: Cannot recover key
you have to change the keypasswd, too:

keytool -keypasswd -keystore keystore.jks -alias <mykeyalias>

<mykeyalias> can be figured out with
keytool -list -keystore keystore.jks
Watch the first field in the line with the "PrivateKeyEntry" keyword, e.g.
<mykeyalias>, Jan 9, 2012, PrivateKeyEntry
Posts: 32
New Certificate not recognized
Reply #33 on : Fri December 23, 2011, 01:28:37
I created the keystore and CSR to receive new certificates. I then imported the new certificates, stopped and restarted Tomcat but the new certificate is not being recognized when I start the application. What step(s) am I missing?
Posts: 32
Alias on keystore file
Reply #32 on : Wed November 02, 2011, 12:37:07
I tried to import a CA certificate onto my Apache Tomcat server for https. I didn't realize there were a number of files that needed to be imported. I imported only the root into my keystore file; now when I try to import any more I get an error: "Alias" already used. Once I realized the issue I created all three files into a .pb7 but I can't import it into the keystore.

How do I remove what I did from the alias name and apply the correct file to the keystore? Any help will be greatly appreciated.
Posts: 32
Re: The Most Common Java Keytool Keystore Commands
Reply #31 on : Sun June 26, 2011, 06:01:31
Hello everyone, I am doing a project for mobile payments using the ECC algorithm. I need to generate key pairs using the ECC algorithm, so can anyone help me with how to generate them using keytool... Please, I need an answer as soon as possible. Thanks in advance..:)
Daniel Reynolds
Posts: 32
Cannot enter a password
Reply #30 on : Sat June 18, 2011, 16:51:24
I'm trying to generate a key and entered the commands right. It asked me first name, last name, organization then when it asked for a password it wouldn't let me enter anything. What am I doing wrong?
krishnan voorappan
Posts: 32
CA certificate import into Java keystore is not workin in tomcat
Reply #29 on : Wed June 15, 2011, 12:16:55

I have a CA certificate for the https web service URL which we are trying to access. Initially I tried importing it into the cacerts file under the $JAVA_HOME\jre\lib\security folder in my local Eclipse, where I am using the Java application to invoke the web service, and it was working. Whereas if I deploy the application in Tomcat, during runtime I am not able to invoke the web service URL even though I have imported the same CA certificate in my Tomcat server. I am getting the following error.

Exception in addCardRequest Method : PKIX path building failed: unable to find valid certification path to requested target PKIX path building failed: unable to find valid certification path to requested target

Could you please help me with what is the best way to make this work in the Tomcat server?
Posts: 32
Should we regenerate the keystore if certificate renew
Reply #28 on : Wed May 25, 2011, 16:06:30
My production server has SSL certificate . We created keystore file from that certificate to access the service from other programs.
The certificate will be expired in the next week. We are going to renew the certificate.

Here my question is ..
Should we recreate the keystore file after renew the certificate..?
I appreciate your help. Thanks.