The Most Common Java Keytool Keystore Commands

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates, and to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file, and it protects the private keys it holds with a password. A Keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file, which initially contains only the private key. You will then generate a CSR and have a certificate issued from it. Then you will import the certificate into the keystore, together with any root or intermediate certificates. Java Keytool also has several other functions that let you view the details of a certificate, list the certificates contained in a keystore, or export a certificate.

Note: For easier management of your Java Keystores (using a GUI) check out Portecle. If you need to buy a certificate, try to compare SSL with our SSL Wizard.

Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair

    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks

  • Generate a certificate signing request (CSR) for an existing Java keystore

    keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

  • Import a root or intermediate CA certificate to an existing Java keystore

    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

  • Import a signed primary certificate to an existing Java keystore

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

  • Generate a keystore and self-signed certificate

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360

Java Keytool Commands for Checking

If you need to check the information within a certificate, or Java keystore, use these commands.

  • Check a stand-alone certificate

    keytool -printcert -v -file mydomain.crt

  • Check which certificates are in a Java keystore

    keytool -list -v -keystore keystore.jks

  • Check a particular keystore entry using an alias

    keytool -list -v -keystore keystore.jks -alias mydomain
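The create, CSR, sign and import sequence from the "Creating and Importing" section, followed by the "Checking" commands, carried through end to end as an added example (not part of the original article). It builds a throwaway test CA with keytool's -gencert so the whole flow runs locally, reads the keystore password from a mode-0600 file with the -storepass:file modifier instead of placing it on the command line (where shell history and process listings would expose it, as the -storepass password example above does), imports the CA certificate before the signed certificate in the order the article requires, and finally summarises each entry's type and expiry from keytool -list -v. It assumes a JDK 7 or later keytool on PATH; the CA name, the hostname mydomain.example and the password value are constructed for the demo.

```shell
#!/bin/sh
# Added example: full keytool lifecycle against a local test CA, then a -list -v summary.
# Assumes keytool from JDK 7+ on PATH. The names and the password below are constructed.

keytool_demo() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found on PATH" >&2; return 2; }

    work=$(mktemp -d) || return 1
    pf="$work/storepass.txt"
    # Keep the password out of argv: write it to a private file and pass -storepass:file.
    ( umask 077 && printf '%s\n' 'demo-keystore-password' > "$pf" ) || return 1

    # 1. Throwaway CA: self-signed key pair with a critical CA:true BasicConstraints extension.
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Example Test CA" -ext bc:c \
        -keystore "$work/ca.jks" -storepass:file "$pf" -keypass:file "$pf" >/dev/null 2>&1 || return 1
    keytool -exportcert -rfc -alias ca -file "$work/ca.crt" \
        -keystore "$work/ca.jks" -storepass:file "$pf" >/dev/null 2>&1 || return 1

    # 2. Server keystore and key pair (the article's "Generate a Java keystore and key pair").
    keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=mydomain.example" \
        -keystore "$work/keystore.jks" -storepass:file "$pf" -keypass:file "$pf" >/dev/null 2>&1 || return 1

    # 3. CSR from the server keystore; the private key never leaves the keystore file.
    keytool -certreq -alias mydomain -file "$work/mydomain.csr" \
        -keystore "$work/keystore.jks" -storepass:file "$pf" >/dev/null 2>&1 || return 1

    # 4. The test CA signs the CSR (a public CA performs this step in practice).
    keytool -gencert -alias ca -infile "$work/mydomain.csr" -outfile "$work/mydomain.crt" \
        -rfc -validity 365 -ext san=dns:mydomain.example \
        -keystore "$work/ca.jks" -storepass:file "$pf" -keypass:file "$pf" >/dev/null 2>&1 || return 1

    # 5. Import the CA certificate FIRST, then the signed certificate under the key-pair alias.
    #    -noprompt answers the interactive "Trust this certificate?" question; with the order
    #    reversed the reply import fails because keytool cannot build the chain.
    keytool -importcert -noprompt -trustcacerts -alias root -file "$work/ca.crt" \
        -keystore "$work/keystore.jks" -storepass:file "$pf" >/dev/null 2>&1 || return 1
    keytool -importcert -noprompt -trustcacerts -alias mydomain -file "$work/mydomain.crt" \
        -keystore "$work/keystore.jks" -storepass:file "$pf" >/dev/null 2>&1 || return 1

    # 6. Check: one line per alias with its entry type and the expiry of its first certificate.
    #    PrivateKeyEntry means the alias carries a private key; trustedCertEntry is a CA cert only.
    keytool -list -v -keystore "$work/keystore.jks" -storepass:file "$pf" \
        > "$work/list.txt" 2>/dev/null || { rm -rf "$work"; return 1; }
    awk '
        /^Alias name:/          { alias = $3; type = ""; done = 0 }
        /^Entry type:/          { type = $3 }
        /^Valid from:/ && !done { sub(/.*until: /, ""); print alias, type, $0; done = 1 }
    ' "$work/list.txt"
    status=$?
    rm -rf "$work"
    return "$status"
}

if ! keytool_demo; then
    echo "demo did not complete" >&2
fi
```

Each line of the summary reads like `mydomain PrivateKeyEntry <expiry date>` and `root trustedCertEntry <expiry date>`, so the same awk filter run against a production keystore gives a quick inventory of which aliases hold private keys and when each certificate expires.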

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool keystore

    keytool -delete -alias mydomain -keystore keystore.jks

  • Change a Java keystore password

    keytool -storepasswd -new new_storepass -keystore keystore.jks

  • Export a certificate from a keystore

    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

  • List Trusted CA Certs

    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Import New CA into Trusted Certs

    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.


Posted on July 11, 2008
Hemanth Kumar
Posts: 9
Comment
certificate alternative e-mails in keystore
Reply #17 on : Wed September 01, 2010, 03:48:21
I have generated a keystore and forgot to include a few e-mail IDs that should be notified at the time of expiry of the cert. Please suggest a way to include those e-mail IDs now.
Robert
Posts: 7
Comment
Re: View Private Key
Reply #16 on : Sat August 21, 2010, 10:40:18
Hi Buhlz_I,

You should be able to view all the certificates in the keystore (including which ones have a private key) by running this command:

keytool -list -v -keystore keystore.jks
Buhlz_I
Posts: 9
Comment
View private key
Reply #15 on : Thu August 19, 2010, 18:49:53
Can the keytool command be used to view or list private keys in the keystore? If so, how?
Roxanne
Posts: 9
Comment
changing the keystore password
Reply #14 on : Mon August 09, 2010, 15:25:03
The command for changing the keystore password elicits errors. I recommend using this:

keytool -storepasswd -keystore <keystore_name>

You will then be prompted to provide the current and new passwords.
Robert
Posts: 7
Comment
Re: The Most Common Java Keytool Keystore Commands
Reply #13 on : Thu February 18, 2010, 07:36:06
Hi Anna,

You just need to specify the relative or absolute path to the keystore. For example, you could use

keytool -import -trustcacerts -alias mydomain -file ..\mydomain.crt -keystore ..\keystore.jks

if the crt and keystore are one directory back from the keytool or

keytool -import -trustcacerts -alias mydomain -file c:\Users\UserName\Documents\mydomain.crt -keystore c:\Users\UserName\Documents\keystore.jks

if they are in your Documents folder.
anna
Posts: 1
Comment
Re: The Most Common Java Keytool Keystore Commands
Reply #12 on : Thu February 18, 2010, 03:09:19
How should I type (/ or \) my keystore path if the keystore file is in another dir than my keytool?
Bharathi
Posts: 9
Comment
Need to install certificated
Reply #11 on : Wed May 20, 2009, 08:53:00
Can anyone list the steps I need to follow to move certificates from one Unix server to another? We are migrating to a new server and I need your valuable suggestions to move existing certificates to the new server.
Robert
Posts: 7
Comment
Re: recreate a keystore
Reply #10 on : Tue May 12, 2009, 19:31:31
You can normally use the same keystore on a different server, but I don't know if you can do that with iPlanet.
Prasad
Posts: 9
Comment
recreate a keystore from .CSR and .CER file
Reply #9 on : Tue May 12, 2009, 10:35:00
Thanks a lot Robert. I was googling this for a long time.
But is this not a weird scenario? Because I have a certificate for a machine for an application and I cannot use that for the same machine for a different application?
Robert
Posts: 7
Comment
Re: recreate a keystore from .CSR and .cer file.
Reply #8 on : Mon May 11, 2009, 20:06:30
Hi Prasad,

You also need the private key from the keystore and I don't think there is a way to export that from iPlanet. The easiest thing to do is to create a new CSR and get another certificate keyed (reissue) for Tomcat.
Prasad
Posts: 9
Comment
recreate a keystore from .CSR and .cer file.
Reply #7 on : Mon May 11, 2009, 14:58:53
Hi,
We have a certificate for an iPlanet server that is running successfully. I want to use the same CSR and .cer file used for the iPlanet server and set up SSL for Tomcat. Is there any way to import the .CSR and .cer certificate into a keystore file? If so, what else do I need apart from the CSR and .cer file, and what is the command for that?
Thanks in Advance.
Robert
Posts: 7
Comment
Re: Optional -keystore parameter
Reply #6 on : Fri May 01, 2009, 18:30:48
Thanks for pointing that out, devdanke! That's good to know.
devdanke
Posts: 9
Comment
Optional -keystore parameter
Reply #5 on : Fri May 01, 2009, 16:03:42
Hello,

This comment is in response to Actron's, whose comment said the -keystore parameter was missing.

The -keystore parameter is optional. If you don't provide it, the keytool will use or create a keystore in the default location. By default the keystore is located in the user's home directory and is named ".keystore".
Robert
Posts: 7
Comment
Re: Edit Comment Keystore missed out
Reply #4 on : Sun April 05, 2009, 07:35:51
Thanks, Actron!

I have updated that.
Actron
Posts: 9
Comment
Keystore missed out
Reply #3 on : Fri April 03, 2009, 01:49:05
In your command to export a certificate from a keystore you missed out the keystore parameter.

keytool -export -alias mydomain -file mydomain.crt

should be

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
Robert
Posts: 7
Comment
Re: How to create new keystore with existing selfsigned CSR file
Reply #2 on : Sun November 02, 2008, 09:45:50
Hi Ragavendran,

If you lost your keystore file you won't be able to install your certificate to a different one because the private key is now lost. You will need to generate a new keystore and CSR and then have VeriSign reissue/replace your certificate with a new one using the new CSR. You can then install the new certificate to the keystore.
ragavendran
Posts: 9
Comment
How to create new keystore with existing selfsigned CSR file
Reply #1 on : Fri October 31, 2008, 04:53:11
Hi,

I lost my keystore file, but I need to import my CRT file that was given by VeriSign. If I try to import that crt it throws an error "". So is there any possibility to create a keystore with the self-signed CSR?

I have all the information (from when creating the keystore):
self-signed CSR and CRT file (given by VeriSign) and alias name

Please answer immediately, it's urgent. From this information, is it possible to create the keystore?
