
The Most Common Java Keytool Keystore Commands

Java Keytool is the key and certificate management utility that ships with the JDK. It lets you manage your own public/private key pairs and the certificates issued for them, and it lets you cache the certificates of other parties you trust. Keytool stores keys and certificates in what is called a keystore. By default the keystore is a single file, protected by a password (the JKS format on older JDKs, PKCS12 since JDK 9); private key entries can carry a second, entry-level password on top of the store password. A keystore used by a server holds the private key together with every certificate needed to complete the chain of trust from the server's own certificate up to a trusted root.

Each entry in a Java keystore is identified by a unique alias. To set up a server keystore you first create the .jks file, which initially contains only the key pair under a self-signed placeholder certificate. You then generate a CSR from that entry and have a CA issue a certificate for it. Finally you import the issued certificate into the keystore under the same alias, together with any intermediate and root certificates the CA supplies. Keytool also has commands to view the details of a certificate, list the entries contained in a keystore, and export a certificate.

Note: For easier management of your Java Keystores (using a GUI) check out Portecle. If you need to buy a certificate, try to compare SSL with our SSL Wizard.


Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands generate a new keystore, create a CSR, and import certificates. Import any root or intermediate certificates before the primary certificate for your domain: when keytool installs a certificate reply it must build a complete chain from that certificate to a trusted root, using the certificates already in the keystore (and, with -trustcacerts, those in the JDK's cacerts file), and it rejects the reply with "Failed to establish chain from reply" if it cannot.

  • Generate a Java keystore and key pair (keytool prompts for the store password, the distinguished name and the key password; -genkey is the older name of -genkeypair and still works)

    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

  • Generate a certificate signing request (CSR) for an existing Java keystore

    keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

  • Import a root or intermediate CA certificate to an existing Java keystore (one command per certificate, each under its own alias; -trustcacerts lets keytool also consult the JDK's cacerts file when checking it. If keytool cannot verify the certificate it prints the fingerprint and asks whether to trust it: compare that fingerprint with one obtained from the CA before answering yes)

    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

  • Import a signed primary certificate to an existing Java keystore (use the same alias as in -genkey: keytool then treats the file as the certificate reply for that key pair, checks that it matches the key and chains to a root it knows, and replaces the self-signed placeholder certificate. Under a different alias the file would be stored as a trusted certificate with no private key, and the server would keep serving the old certificate)

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

  • Generate a keystore and self-signed certificate, valid for 360 days (see How to Create a Self Signed Certificate using Java Keytool for more info). Passing -storepass on the command line leaves the password in your shell history and visible to other users in the process list; drop it and let keytool prompt instead.

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
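The generate / CSR / import sequence above, run end to end as a script. This is an added example and not code from the original article: a throwaway OpenSSL root CA stands in for the commercial CA so the whole cycle can be checked offline, and the domain name, the CA subject and the store password are assumptions for the demo. The two helper functions at the end read back what keytool stored, which is the check to run before pointing Tomcat at the file.

```shell
#!/bin/sh
# Added example, not part of the original article: the generate / CSR /
# import sequence run end to end, with a throwaway OpenSSL CA standing in
# for the real CA. Domain, CA subject and password are demo assumptions.

# Build $dir/keystore.jks for $domain with store (and key) password $pw.
# Commands are chained with && so a failure anywhere returns non-zero.
build_keystore() {
  dir=$1 domain=$2 pw=$3
  ks="$dir/keystore.jks"

  # 1. Keystore plus RSA key pair. -genkeypair is the current name of
  #    -genkey; -dname answers the interactive questions so this scripts.
  keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$domain, O=Example Org, C=US" \
    -keystore "$ks" -storepass "$pw" -keypass "$pw" &&

  # 2. CSR from that entry. The private key never leaves the keystore.
  keytool -certreq -alias mydomain -keystore "$ks" -storepass "$pw" \
    -file "$dir/mydomain.csr" &&

  # 3. Throwaway root CA (constructed stand-in for the real CA) signs the CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
  openssl x509 -req -days 365 -in "$dir/mydomain.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/mydomain.crt" 2>/dev/null &&

  # 4. CA first, under its own alias; then the signed reply under the key's
  #    alias, which makes keytool build and verify the chain before storing.
  keytool -importcert -noprompt -trustcacerts -alias root \
    -file "$dir/ca.crt" -keystore "$ks" -storepass "$pw" &&
  keytool -importcert -noprompt -trustcacerts -alias mydomain \
    -file "$dir/mydomain.crt" -keystore "$ks" -storepass "$pw"
}

# "PrivateKeyEntry" or "trustedCertEntry", as keytool -list -v reports it.
entry_type() {  # keystore password alias
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/^Entry type: *//p'
}

# Number of certificates in the alias's chain; 2 here (server cert + root).
chain_length() {  # keystore password alias
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p'
}

# Stand-alone run: sh this-file.sh demo
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  build_keystore "$work" www.example.test changeit-demo >/dev/null 2>&1 \
    && echo "mydomain: $(entry_type "$work/keystore.jks" changeit-demo mydomain)," \
            "chain length $(chain_length "$work/keystore.jks" changeit-demo mydomain)" \
    && echo "root: $(entry_type "$work/keystore.jks" changeit-demo root)"
  rm -rf "$work"
fi
```

A chain length of 1 after the last import means the reply went in under a new alias as a trusted certificate, or the CA certificate was imported after the reply; in both cases the server keeps presenting the self-signed placeholder, which is the usual cause of "new certificate not recognized".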

Java Keytool Commands for Checking

If you need to check the information within a certificate or a Java keystore, use these commands. Without -v, -list prints one line per entry (alias, creation date, entry type and fingerprint); with -v it prints the full subject, issuer, validity period and chain of every entry.

  • Check a stand-alone certificate

    keytool -printcert -v -file mydomain.crt

  • Check which certificates are in a Java keystore

    keytool -list -v -keystore keystore.jks

  • Check a particular keystore entry using an alias

    keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

  • Delete an entry (a key pair or a trusted certificate) from a Java Keytool keystore

    keytool -delete -alias mydomain -keystore keystore.jks

  • Change a Java keystore password. This changes only the store password. On a JKS keystore each private key entry also has its own key password (set when the key was generated, usually the same as the store password), which the server needs as well; change it separately with keytool's -keypasswd command, or Tomcat fails with "Cannot recover key". Giving -new on the command line leaves the password in shell history; omit it to be prompted.

    keytool -storepasswd -new new_storepass -keystore keystore.jks

  • Export a certificate from a keystore (binary DER by default; add -rfc for the PEM encoding that Apache and OpenSSL expect). This writes only the certificate: keytool has no command that writes a private key to a file, so to move a key use the conversion instructions linked at the end of this page.

    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

  • List Trusted CA Certs (the JDK's own trust store, which Java uses when it connects to HTTPS servers; the default password is changeit. This path is correct for JDK 8 and earlier; on JDK 9 and later the file is at $JAVA_HOME/lib/security/cacerts and keytool accepts -cacerts in place of -keystore)

    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Import New CA into Trusted Certs (needs write access to the JDK directory. keytool prints the certificate's fingerprint and asks for confirmation; compare it with a fingerprint obtained out of band before answering yes. A JDK upgrade ships its own cacerts, so the import has to be repeated after upgrading)

    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
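Added example, not code from the original article: locating the cacerts file that the JVM on PATH actually uses, and testing by fingerprint rather than by alias whether a CA certificate is already trusted before importing it. The alias name "internal-ca" shown in the usage line is an assumption; the default cacerts password "changeit" is the JDK default and is the only password the script tries.

```shell
#!/bin/sh
# Added example, not part of the original article: find the live cacerts
# file and check a CA by fingerprint before importing it. The alias
# "internal-ca" in the usage line is an assumption.

# Path of the live cacerts, derived from java.home. On JDK 8 java.home is
# the jre/ directory and on JDK 9+ it is the JDK root, so lib/security/cacerts
# under it is right for both; the jre/lib/security path above is JDK 8 only.
cacerts_path() {
  home=$(java -XshowSettings:properties -version 2>&1 | sed -n 's/^ *java\.home = //p')
  [ -n "$home" ] || return 1
  printf '%s\n' "$home/lib/security/cacerts"
}

# SHA-256 fingerprint of a certificate file (PEM or DER), in keytool's format.
cert_fingerprint() {
  keytool -printcert -file "$1" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Succeed if the certificate in $1 is already a trusted entry in cacerts.
# Matching on fingerprint avoids both false negatives (same CA under another
# alias) and false positives (an alias reused for a different certificate).
is_trusted() {
  fp=$(cert_fingerprint "$1")
  [ -n "$fp" ] || return 1
  keytool -list -v -keystore "$(cacerts_path)" -storepass changeit 2>/dev/null \
    | grep -qF "SHA256: $fp"
}

# Import $1 under alias $2 only if it is not trusted yet. Writing to cacerts
# needs write access to the JDK and is undone by the next JDK upgrade, which
# ships its own cacerts, so keep the CA file and rerun this after upgrading.
trust_ca() {
  if is_trusted "$1"; then
    echo "already trusted: $1"
  else
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
      -keystore "$(cacerts_path)" -storepass changeit
  fi
}

# Stand-alone run: sh this-file.sh /path/to/ca.pem internal-ca
if [ $# -eq 2 ]; then
  trust_ca "$1" "$2"
fi
```

Running is_trusted against the cacerts of the JVM that actually runs the application (not the one on your desktop) is the first thing to check when a deployed service fails with "PKIX path building failed: unable to find valid certification path to requested target": each JDK install, and each embedded JRE, has its own cacerts.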

If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.


Posted on July 11, 2008
Showing comments 1 to 20 of 34 | Next | Last
Rayon
Posts: 22
Comment
Change a Java keystore password
Reply #34 on : Mon January 09, 2012, 05:45:52
After changing the storepasswd, in case you get the error:
java.io.IOException: Cannot recover key
you have to change the keypasswd, too:

keytool -keypasswd -keystore keystore.jks -alias <mykeyalias>

Hint:
<mykeyalias> can be figured out with
keytool -list -keystore keystore.jks
Watch the first field in the line with the "PrivateKeyEntry" keyword, e.g.
<mykeyalias>, Jan 9, 2012, PrivateKeyEntry
MarkM
Posts: 22
Comment
New Certficate not recognized
Reply #33 on : Fri December 23, 2011, 00:28:37
I created the keystore and CSR to receive new certificates. I then imported the new certificates, stopped and restarted Tomcat, but the new certificate is not being recognized when I start the application. What step(s) am I missing?
Trabytrav
Posts: 22
Comment
Alias on keystore file
Reply #32 on : Wed November 02, 2011, 11:37:07
I tried to import a CA certificate on to my Apache Tomcat server for HTTPS. I didn't realize there were a number of files that needed to be imported. I imported only the root into my keystore file; now when I try to import any more I get an error "Alias" already used. Once I realized the issue I created all three files into a .p7b but I can't import into the keystore.

How do I remove what I did from the alias name and apply the correct file to the keystore? Any help will be greatly appreciated.
ram
Posts: 22
Comment
Re: The Most Common Java Keytool Keystore Commands
Reply #31 on : Sun June 26, 2011, 05:01:31
Hello everyone, I am doing a project for mobile payments using the ECC algorithm. I need to generate key pairs using the ECC algorithm, so can anyone help me with how to generate them using keytool? Please, I need an answer as soon as possible. Thanks in advance. :)
Daniel Reynolds
Posts: 22
Comment
Cannot enter a password
Reply #30 on : Sat June 18, 2011, 15:51:24
I'm trying to generate a key and entered the commands right. It asked me first name, last name, organization; then when it asked for a password it wouldn't let me enter anything. What am I doing wrong?
krishnan voorappan
Posts: 22
Comment
CA certificate import into Java keystore is not working in Tomcat
Reply #29 on : Wed June 15, 2011, 11:16:55
Hi,

I have a CA certificate for the HTTPS web service URL which we are trying to access. Initially I tried importing it into the cacerts file under the $JAVA_HOME\jre\lib\security folder in my local Eclipse, where I am using the Java application to invoke the web service, and it was working. Whereas if I deploy the application in Tomcat, during runtime I am not able to invoke the web service URL, even though I have imported the same CA certificate in my Tomcat server. I am getting the following error.

Exception in addCardRequest Method : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

Could you please help me with the best way to make this work in the Tomcat server?
Satish
Posts: 22
Comment
Should we regenerate the keystore if the certificate is renewed?
Reply #28 on : Wed May 25, 2011, 15:06:30
My production server has an SSL certificate. We created a keystore file from that certificate to access the service from other programs.
The certificate will expire next week. We are going to renew the certificate.

Here my question is:
Should we recreate the keystore file after renewing the certificate?
I appreciate your help. Thanks.
Gunjan Mukherjee
Posts: 22
Comment
keystore password
Reply #27 on : Wed March 02, 2011, 00:11:40
Hi All,
I have a keystore on my server, but I need to know its password. Can you please suggest how to see the password of a particular keystore?
And the private key of that keystore?
Please help.
Amer
Posts: 22
Comment
Re: The Most Common Java Keytool Keystore Commands
Reply #26 on : Mon January 31, 2011, 14:39:16
Hi,

I exported a certificate from my faculty website (etf.unsa.ba) from Firefox. I imported that certificate into Tomcat and imported it from the keystore into my keystore. That certificate is in my keystore, but still when I try to access https://c2.etf.unsa.ba it shows me: Certificate expired exception.

What is the problem?
Robert
Posts: 10
Comment
Re: copying private key to multiple servers
Reply #25 on : Mon October 25, 2010, 09:08:11
Hi Rick,

If both servers are using Tomcat, you can just copy the keystore file (.jks or .key) to the other server and configure it the same way. If it is a different server type, you'll need to either create a new CSR on the new server and reissue the certificate with GoDaddy or try to export the key using these instructions: http://www.sslshopper.com/article-move-your-java-keytool-ssl-certificate-to-openssl.html
rickw
Posts: 1
Comment
copying private key to multiple servers
Reply #24 on : Sun October 24, 2010, 12:30:28
I purchased a wildcard SSL cert from GoDaddy and need to use the cert for two subdomains that exist on two different servers. They said it can be done but that they will not support that through their customer support. They did tell me to do some Google searches on "tomcat export private key, pfx file", and that I may need some online converter. Can anyone offer any suggestions on where I can find this info or how to go about doing it? I got the wildcard SSL cert working on server 1 and now need to get it working on server 2. I'm running Redhat ES 5.5 with Tomcat 5.5.23.

Thank You,

Rick
raj
Posts: 22
Comment
Importing a .pem into keystore.jks
Reply #23 on : Wed September 22, 2010, 01:46:25
I need a keytool command which imports an existing private key (.pem) into the keystore.jks.

I tried
"keytool -import -trustcacerts -file mypem.pem -alias CA_ALIAS -keystore keystore.jks"
but it gave me the following error
"keytool error: java.lang.Exception: Input not an X.509 certificate"
Can anybody help??

Thanks in advance.
Raj
Robert
Posts: 10
Comment
Re: keyfile from keytool command
Reply #22 on : Wed September 15, 2010, 18:40:36
Hi Swami,

The first command you pasted would have generated a keystore file name "my_keystore". The private key is inside that file.
Swami
Posts: 22
Comment
keyfile from keytool command
Reply #21 on : Wed September 15, 2010, 07:23:23
Hi,
I created a CSR file using the following two commands:
1. Create a certificate keystore and private key by executing the following command:

keytool -genkey -alias my_alias -keyalg RSA -keystore my_keystore

2. Generate a CSR

The CSR is then created using the following command:

keytool -certreq -keyalg RSA -alias my_alias -file certreq.csr -keystore my_keystore

Will a private key file be generated from the above commands? If yes, any idea where it will store the file?
When I ran these commands there was no separate key file generated in the location where I created the .csr file.
Swami
Posts: 22
Comment
privatkey location
Reply #20 on : Wed September 15, 2010, 07:17:24
Thanks Robert for your feedback.
I need one more clarification. From where should the .csr file be generated? Can I create a .csr file from my development environment and register the certificate into the Tomcat server? Will that work?
Robert
Posts: 10
Comment
Re: convert .p7b to .p12
Reply #19 on : Tue September 14, 2010, 07:55:52
Hi Swami,

There is no way to convert a p7b file to a pfx or jks without the private key. You will need to generate a new private key and certificate. If you do have the private key, you can convert it at https://www.sslshopper.com/ssl-converter.html
Swami
Posts: 22
Comment
convert .p7b to .p12
Reply #18 on : Tue September 14, 2010, 04:41:49
Is there a way to convert a .p7b file to a .p12/.pfx/.jks file? I don't have a private key. The .p7b was created by somebody else and sent to us.
Hemanth Kumar
Posts: 22
Comment
certificate alternative e-mails in keystore
Reply #17 on : Wed September 01, 2010, 03:48:21
I have generated a keystore and forgot to include a few e-mail IDs to whom it should be notified at the time of expiry of the cert. Please suggest a way to include those e-mail IDs now.
Robert
Posts: 10
Comment
Re: View Private Key
Reply #16 on : Sat August 21, 2010, 10:40:18
Hi Buhlz_I,

You should be able to view all the certificates in the keystore (including which ones have a private key) by running this command:

keytool -list -v -keystore keystore.jks
Buhlz_I
Posts: 22
Comment
View private key
Reply #15 on : Thu August 19, 2010, 18:49:53
Can the keytool command be used to view or list private keys in the keystore? If so, how?