The Most Common Java Keytool Keystore Commands

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file. It protects private keys with a password. A Keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file, which initially contains only the private key. You will then generate a CSR and have a certificate issued from it. Then you will import the certificate into the keystore, together with any root and intermediate certificates. Java Keytool also has several other functions that allow you to view the details of a certificate, list the certificates contained in a keystore, or export a certificate.

Note: For easier management of your Java Keystores (using a GUI) check out Portecle. If you need to buy a certificate, try to compare SSL with our SSL Wizard.

Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair

    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks

  • Generate a certificate signing request (CSR) for an existing Java keystore

    keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

  • Import a root or intermediate CA certificate to an existing Java keystore

    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

  • Import a signed primary certificate to an existing Java keystore

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

  • Generate a keystore and self-signed certificate

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360
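The four steps above run end to end, as an added example that is not from the original article: a throwaway CA created with keytool -gencert stands in for the commercial CA so the whole sequence works offline, and every alias, file name and password is a constructed placeholder. It assumes only that a JDK's keytool is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original article: the article's four-step
# create -> CSR -> import CA -> import signed cert sequence run end to end,
# with a throwaway local CA (keytool -gencert) standing in for a commercial CA
# so it works offline. Aliases, file names and the password are constructed.
PASS="demo-only-pass"

build_demo_keystore() {   # $1 = scratch directory
  d="$1"
  # Throwaway CA: self-signed key pair marked as a CA (critical BasicConstraints)
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=Demo Root CA, O=Example" -ext bc:c \
    -keystore "$d/ca.jks" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
  keytool -exportcert -rfc -alias demo-ca -keystore "$d/ca.jks" \
    -storepass "$PASS" -file "$d/demo-ca.pem" >/dev/null 2>&1
  # Step 1: keystore that initially holds only the server's private key
  keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=www.example.com, O=Example" \
    -keystore "$d/keystore.jks" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
  # Step 2: CSR from that key (this is what you would send to the CA)
  keytool -certreq -alias mydomain -keystore "$d/keystore.jks" \
    -storepass "$PASS" -file "$d/mydomain.csr" >/dev/null 2>&1
  # The CA signs the CSR; a commercial CA returns this to you as mydomain.crt
  keytool -gencert -alias demo-ca -keystore "$d/ca.jks" -storepass "$PASS" \
    -infile "$d/mydomain.csr" -outfile "$d/mydomain.crt" -rfc -validity 90 \
    -ext san=dns:www.example.com >/dev/null 2>&1
  # Steps 3 and 4: CA cert first (keytool cannot chain the reply otherwise),
  # then the signed cert under the SAME alias that holds the private key
  keytool -importcert -noprompt -trustcacerts -alias root \
    -file "$d/demo-ca.pem" -keystore "$d/keystore.jks" -storepass "$PASS" >/dev/null 2>&1
  keytool -importcert -noprompt -trustcacerts -alias mydomain \
    -file "$d/mydomain.crt" -keystore "$d/keystore.jks" -storepass "$PASS" >/dev/null 2>&1
}

# Chain length of the server entry as printed by keytool -list -v:
# 1 = still only the placeholder self-signed cert, 2 = signed leaf + CA.
chain_length() {   # $1 = scratch directory
  keytool -list -v -alias mydomain -keystore "$1/keystore.jks" \
    -storepass "$PASS" 2>/dev/null | sed -n 's/^Certificate chain length: *//p'
}

if [ "${1:-}" = "run" ]; then   # sh keystore_demo.sh run
  dir=$(mktemp -d)
  build_demo_keystore "$dir"
  echo "chain length: $(chain_length "$dir")"   # prints "chain length: 2"
fi
```

If the two imports are done in the wrong order, the second keytool call stops with "Failed to establish chain from reply" and the entry keeps chain length 1, which is the symptom behind the ordering rule stated above.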

Java Keytool Commands for Checking

If you need to check the information within a certificate, or Java keystore, use these commands.

  • Check a stand-alone certificate

    keytool -printcert -v -file mydomain.crt

  • Check which certificates are in a Java keystore

    keytool -list -v -keystore keystore.jks

  • Check a particular keystore entry using an alias

    keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool keystore

    keytool -delete -alias mydomain -keystore keystore.jks

  • Change a Java keystore password

    keytool -storepasswd -new new_storepass -keystore keystore.jks

  • Export a certificate from a keystore

    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

  • List Trusted CA Certs

    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Import New CA into Trusted Certs

    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.


Posted on July 11, 2008
Showing comments 1 to 10 of 11 | Next | Last
Bharathi
Posts: 6
Comment
Need to install certificates
Reply #11 on : Wed May 20, 2009, 08:53:00
Can anyone list out the steps I need to follow to move certificates from one Unix server to another? As we are migrating to a new server, I need your valuable suggestions to move existing certificates to the new server.
Robert
Posts: 5
Comment
Re: recreate a keystore
Reply #10 on : Tue May 12, 2009, 19:31:31
You can normally use the same keystore on a different server, but I don't know if you can do that with iPlanet.
Prasad
Posts: 6
Comment
recreate a keystore from .CSR and .CER file
Reply #9 on : Tue May 12, 2009, 10:35:00
Thanks a lot Robert. I was googling this for a long time.
But is this not a weird scenario? Because I have a certificate for a machine for an application and I cannot use that for the same machine for a different application?
Robert
Posts: 5
Comment
Re: recreate a keystore from .CSR and .cer file.
Reply #8 on : Mon May 11, 2009, 20:06:30
Hi Prasad,

You also need the private key from the keystore and I don't think there is a way to export that from iPlanet. The easiest thing to do is to create a new CSR and get another certificate keyed (reissue) for Tomcat.
Prasad
Posts: 6
Comment
recreate a keystore from .CSR and .cer file.
Reply #7 on : Mon May 11, 2009, 14:58:53
Hi,
We have a certificate for an iPlanet server that is running successfully. I want to use the same CSR and .cer file used for the iPlanet server and set up SSL for Tomcat. Is there any way to import the .CSR and .cer certificate into a keystore file? If so, what else do I need apart from the CSR and .cer file, and what is the command for that?
Thanks in Advance.
Robert
Posts: 5
Comment
Re: Optional -keystore parameter
Reply #6 on : Fri May 01, 2009, 18:30:48
Thanks for pointing that out, devdanke! That's good to know.
devdanke
Posts: 6
Comment
Optional -keystore parameter
Reply #5 on : Fri May 01, 2009, 16:03:42
Hello,

This comment is in response to Actron's, whose comment said the -keystore parameter was missing.

The -keystore parameter is optional. If you don't provide it, keytool will use or create a keystore in the default location. By default the keystore is located in the user's home directory and is named ".keystore".
Robert
Posts: 5
Comment
Re: Edit Comment Keystore missed out
Reply #4 on : Sun April 05, 2009, 07:35:51
Thanks, Actron!

I have updated that.
Actron
Posts: 6
Comment
Keystore missed out
Reply #3 on : Fri April 03, 2009, 01:49:05
In your command to export a certificate from a keystore you missed out the keystore parameter.

keytool -export -alias mydomain -file mydomain.crt

should be

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
Robert
Posts: 5
Comment
Re: How to create new keystore with existing selfsigned CSR file
Reply #2 on : Sun November 02, 2008, 09:45:50
Hi Ragavendran,

If you lost your keystore file you won't be able to install your certificate to a different one because the private key is now lost. You will need to generate a new keystore and CSR and then have VeriSign reissue/replace your certificate with a new one using the new CSR. You can then install the new certificate to the keystore.