Generate A Private Key Java Keytool
Introduction
Java Keytool is a key and certificate management tool that is used to manipulate Java Keystores, and is included with Java. A Java Keystore is a container for authorization certificates or public key certificates, and is often used by Java-based applications for encryption, authentication, and serving over HTTPS. Its entries are protected by a keystore password. A keystore entry is identified by an alias, and it consists of keys and certificates that form a trust chain.
This cheat sheet-style guide provides a quick reference to keytool commands that are commonly useful when working with Java Keystores. This includes creating and modifying Java Keystores so they can be used with your Java applications.
How to Use This Guide:
- If you are not familiar with certificate signing requests (CSRs), read the CSR section of our OpenSSL cheat sheet
- This guide is in a simple, cheat sheet format: self-contained command line snippets
- Jump to any section that is relevant to the task you are trying to complete (Hint: use the Contents menu on the bottom-left or your browser's Find function)
- Most of the commands are one-liners that have been expanded to multiple lines (using the \ symbol) for clarity
Creating and Importing Keystore Entries
This section covers Java Keytool commands that are related to generating key pairs and certificates, and importing certificates.
Generate Keys in New/Existing Keystore
Use this method if you want to use HTTPS (HTTP over TLS) to secure your Java application. This will create a new key pair in a new or existing Java Keystore, which can be used to create a CSR and obtain an SSL certificate from a Certificate Authority.
This command generates a 2048-bit RSA key pair, under the specified alias (domain), in the specified keystore file (keystore.jks):
If the specified keystore does not already exist, it will be created after the requested information is supplied. This will prompt for the keystore password (new or existing), followed by a Distinguished Name prompt (for the private key), then the desired private key password.
Generate CSR For Existing Private Key
Use this method if you want to generate a CSR that you can send to a CA to request the issuance of a CA-signed SSL certificate. It requires that the keystore and alias already exist; you can use the previous command to ensure this.
This command creates a CSR (domain.csr) signed by the private key identified by the alias (domain) in the keystore (keystore.jks):
After entering the keystore’s password, the CSR will be generated.
Import Signed/Root/Intermediate Certificate
Use this method if you want to import a signed certificate, e.g. a certificate signed by a CA, into your keystore; it must match the private key that exists in the specified alias. You may also use this same command to import root or intermediate certificates that your CA may require to complete a chain of trust. Simply specify a unique alias, such as root instead of domain, and the certificate that you want to import.
This command imports the certificate (domain.crt) into the keystore (keystore.jks), under the specified alias (domain). If you are importing a signed certificate, it must correspond to the private key in the specified alias:
You will be prompted for the keystore password, then for a confirmation of the import action.
Note: You may also use this command to import a CA's certificates into your Java truststore, which is typically located in $JAVA_HOME/jre/lib/security/cacerts, assuming $JAVA_HOME is where your JRE or JDK is installed.
Generate Self-Signed Certificate in New/Existing Keystore
Use this command if you want to generate a self-signed certificate for your Java applications. This is actually the same command that is used to create a new key pair, but with the validity lifetime specified in days.
This command generates a 2048-bit RSA key pair, valid for 365 days, under the specified alias (domain), in the specified keystore file (keystore.jks):
If the specified keystore does not already exist, it will be created after the requested information is supplied. This will prompt for the keystore password (new or existing), followed by a Distinguished Name prompt (for the private key), then the desired private key password.
Viewing Keystore Entries
This section covers listing the contents of a Java Keystore, such as viewing certificate information or exporting certificates.
List Keystore Certificate Fingerprints
This command lists the SHA fingerprints of all of the certificates in the keystore (keystore.jks), under their respective aliases:
You will be prompted for the keystore's password. You may also restrict the output to a specific alias by using the -alias domain option, where "domain" is the alias name.
List Verbose Keystore Contents
This command lists verbose information about the entries a keystore (keystore.jks) contains, including certificate chain length, fingerprints of the certificates in the chain, distinguished names, serial number, and creation/expiration date, under their respective aliases:
You will be prompted for the keystore's password. You may also restrict the output to a specific alias by using the -alias domain option, where "domain" is the alias name.
Note: You may also use this command to view which certificates are in your Java truststore, which is typically located in $JAVA_HOME/jre/lib/security/cacerts, assuming $JAVA_HOME is where your JRE or JDK is installed.
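The verbose listing above is also the quickest audit input you have for a keystore or truststore: it tells you, per alias, how large the key is, which signature algorithm the certificate carries, and when it expires. The following shell script is an added example, not part of the original cheat sheet. It parses keytool -list -v output and reports key entries whose leaf certificate has a key shorter than 2048 bits, an MD2/MD5/SHA-1 signature, or an expiry date before a given day. It assumes the English, non-localized date format keytool prints by default and the "Subject Public Key Algorithm: N-bit RSA key" line that recent keytool versions emit (older versions omit it, in which case the key-size check is silently skipped). The embedded listing is constructed sample data in that layout, not real output; the alias names, dates and serial numbers in it are made up.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): audit a "keytool -list -v"
# listing for weak keys, weak signature algorithms and expired certificates.
# Assumes the default English date format and the "Subject Public Key Algorithm"
# line printed by recent keytool versions.

# audit_keystore_listing TODAY   (TODAY as YYYYMMDD; the listing is read from stdin)
# Prints one "alias<TAB>finding" line per problem. Only the leaf certificate
# (Certificate[1]) of a private key entry is examined; issuer certificates in the
# chain are skipped. Trusted certificate entries have a single certificate.
audit_keystore_listing() {
  awk -v today="$1" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    # Turn "Jan", "15", "2020" into the sortable string 20200115.
    function ymd(mname, day, year) { return sprintf("%04d%02d%02d", year, mon[mname], day) }
    function report() {
      if (alias == "") return
      if (bits != "" && bits + 0 < 2048) printf "%s\tWEAK_KEY %s-bit %s\n", alias, bits, keyalg
      if (sigalg ~ /^(MD2|MD5|SHA1)with/) printf "%s\tWEAK_SIGALG %s\n", alias, sigalg
      if (notafter != "" && notafter < today) printf "%s\tEXPIRED %s\n", alias, notafter
      alias = ""; bits = ""; keyalg = ""; sigalg = ""; notafter = ""; incert = 0
    }
    /^Alias name: /                   { report(); alias = substr($0, 13) }
    /^Certificate\[/                  { incert++ }   # position in the chain; 1 is the leaf
    incert > 1                        { next }       # ignore issuer certificates
    /^Signature algorithm name: /     { sigalg = $4 }
    /^Subject Public Key Algorithm: / { split($5, kb, "-"); bits = kb[1]; keyalg = $6 }
    # "Valid from: Tue Jan 15 10:00:00 UTC 2019 until: Wed Jan 15 10:00:00 UTC 2020"
    /^Valid from: /                   { notafter = ymd($11, $12, $15) }
    END                               { report() }
  '
}

# audit_keystore KEYSTORE STOREPASS TODAY: run the audit against a real keystore.
audit_keystore() {
  keytool -list -v -keystore "$1" -storepass "$2" | audit_keystore_listing "$3"
}

# Constructed sample listing (not real keytool output): one key entry with a
# two-certificate chain, one legacy key entry, and one trusted CA entry.
sample_listing() {
  cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: domain
Creation date: Jan 15, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Serial number: 1a2b3c4d
Valid from: Tue Jan 15 10:00:00 UTC 2019 until: Wed Jan 15 10:00:00 UTC 2020
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 0f0e0d0c
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Sat Jan 01 00:00:00 UTC 2028
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Alias name: legacy
Creation date: Mar 01, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=legacy.example.com, O=Example Corp, C=US
Issuer: CN=legacy.example.com, O=Example Corp, C=US
Serial number: 5e5e5e5e
Valid from: Sat Mar 01 00:00:00 UTC 2014 until: Fri Mar 01 00:00:00 UTC 2019
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

Alias name: root
Creation date: Jan 15, 2019
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 01
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Fri Jan 01 00:00:00 UTC 2038
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
EOF
}

# Stand-alone demo: "sh audit.sh demo" audits the sample as of 2019-07-01 and
# prints three findings, all for the "legacy" alias.
if [ "${1:-}" = "demo" ]; then
  sample_listing | audit_keystore_listing 20190701
fi
```

Against a real keystore, run audit_keystore with the keystore path, its password and today's date (date +%Y%m%d). Note that a password given on the command line is visible to other users in the process list; newer keytool versions accept -storepass:env and -storepass:file so the password can come from an environment variable or a file instead.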
Use Keytool to View Certificate Information
This command prints verbose information about a certificate file (certificate.crt), including its fingerprints, distinguished name of owner and issuer, and the time period of its validity:
You will be prompted for the keystore password.
Export Certificate
This command exports a binary DER-encoded certificate (domain.der) that is associated with the alias (domain) in the keystore (keystore.jks):
You will be prompted for the keystore password. If you want to convert the DER-encoded certificate to PEM-encoding, follow our OpenSSL cheat sheet.
Modifying Keystore
This section covers the modification of Java Keystore entries, such as deleting or renaming aliases.
Change Keystore Password
This command is used to change the password of a keystore (keystore.jks):
You will be prompted for the current password, then the new password. You may also specify the new password in the command by using the -new newpass option, where "newpass" is the password.
Delete Alias
This command is used to delete an alias (domain) in a keystore (keystore.jks):
You will be prompted for the keystore password.
Rename Alias
This command will rename the alias (domain) to the destination alias (newdomain) in the keystore (keystore.jks):
You will be prompted for the keystore password.
Conclusion
That should cover how most people use Java Keytool to manipulate their Java Keystores. It has many other uses that were not covered here, so feel free to ask or suggest other uses in the comments.
This tutorial is based on the version of keytool that ships with Java 1.7.0 update 65. For help installing Java on Ubuntu, follow this guide.
The Java Keytool is a command line tool which can generate public key / private key pairs and store them in a Java KeyStore. The Keytool executable is distributed with the Java SDK (or JRE), so if you have an SDK installed you will also have the Keytool executable.
The Keytool executable is called keytool. To execute it, open a command line (cmd, console, shell, etc.) and change directory into the bin directory of your Java SDK installation. Type keytool followed by pressing the Enter key. You should see something similar to this:
As you can see, keytool supports a set of commands to work with keys, certificates and key stores. This Java Keytool tutorial will cover the most commonly used of these commands.
Keytool Scripts
Keytool commands take a lot of arguments which may be hard to remember to set correctly. Therefore it is a good idea to create some Keytool CMD or shell scripts with the Keytool commands in them. The scripts make it easier to re-execute the keytool commands later on, and make it possible to go back later and see how a KeyStore was generated.
Generate Key Pair
Generating a public key / private key pair is one of the most common tasks to use the Java Keytool for. The generated key pair is inserted into a Java KeyStore file as a self signed key pair. Here is the general command line format for generating a key pair with the Keytool:
The arguments are explained in the Keytool Arguments section. Not all of these arguments are needed. Many are optional. The Keytool will tell you if you are missing a required argument.
The line breaks should not be included in the final command. The line breaks are only there to make the command format easier to read here.
Here is an example keytool -genkeypair command. Remember to remove the line breaks before trying it out!
Export Certificate
The Java Keytool can also export certificates stored in a KeyStore. Here is how the Keytool command looks for exporting certificates:
The arguments are explained in the Keytool Arguments section. Not all of these arguments are needed. Many are optional. The Keytool will tell you if you are missing a required argument.
Here is a Keytool command example that exports the certificate for a key pair. Remember to remove the line breaks when entering the command on the command line.
Import Certificate
The Java Keytool can also import certificates into a KeyStore. Here is how the Keytool command looks for importing certificates:
The arguments are explained in the Keytool Arguments section. Not all of these arguments are needed. Many are optional. The Keytool will tell you if you are missing a required argument.
Here is an example Keytool command that imports a certificate into a KeyStore. Remember to remove the line breaks when entering the command on the command line.
List KeyStore Entries
To list the entries in a Java KeyStore you can use the Keytool -list command. Here is the format for the Keytool -list command. The line breaks are only here to make the command format easier to read. Remove the line breaks before running the command.
The arguments are explained in the Keytool Arguments section. Not all of these arguments are needed. Many are optional. The Keytool will tell you if you are missing a required argument.
Here is a Keytool -list command example. Remember to remove the line breaks!
This Keytool -list command will list all entries in the given KeyStore. The output of running this Keytool -list command will look similar to this:
If you include an -alias argument in the Keytool -list command, then only the entry matching the given alias will get listed. Here is an example Keytool -list command with an -alias argument:
The output of running the above Keytool -list command will look similar to this:
Delete KeyStore Entry
The Keytool has a command that can delete a key entry in a Java KeyStore. The Keytool command for deleting keys is -delete. Here is the format of the Keytool -delete command:
The arguments are explained in the Keytool Arguments section. Not all of these arguments are needed. Many are optional. The Keytool will tell you if you are missing a required argument.
Here is a Keytool -delete command example. Remember to remove the line breaks before running it!
This Keytool -delete command will remove the KeyStore entry with the alias testkey from the KeyStore stored in the file keystore.jks.
Generate a Certificate Request
The Java Keytool can generate a certificate request using the -certreq command. A certificate request is a request for a certificate authority (CA) to create a public certificate for your organization. Once generated, the certificate request should be sent to the CA you want to create the certificate for you (e.g. Verisign, Thawte, or some other CA).
Before you can generate a certificate request for a public/private key pair, you must have generated that key pair into the Keystore (or imported it). See elsewhere in this Java Keytool tutorial to see how to do that.
Here is the command format for generating a certificate request. Remember to remove all line breaks when trying out this command:
The arguments are explained in the Keytool Arguments section. Not all of these arguments are needed. Many are optional. The Keytool will tell you if you are missing a required argument.
Here is a Java Keytool -certreq command example:
This command will generate a certificate request for the key stored with alias testkey in the keystore file keystore.jks, and write the certificate request into the file named certreq.certreq.
Remember, the line breaks are only included to make the command easier to read. Omit them when typing in the command on the command line yourself.
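The cheat-sheet sections above (generate key pair, generate CSR, import certificate, export certificate, rename and delete alias) and the -genkeypair, -exportcert, -importcert, -list, -delete and -certreq commands of this tutorial describe one workflow. The script below chains them into the kind of reusable shell script the Keytool Scripts section recommends, run non-interactively in a scratch directory so it can be repeated and reviewed. It is an added example, not code from either original page. It assumes Java 8 or later and uses an explicit PKCS12 keystore (keytool's default type since Java 9) with a single password for the store and the key, because PKCS12 does not support different ones; the hostnames, alias names and the demo password are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet or tutorial): the keystore
# lifecycle run end to end, non-interactively.
# Assumptions: Java 8+, a PKCS12 keystore, one password for store and key,
# placeholder names (example.com, alias "domain") and a demo password.

# keytool_lifecycle DIR [PASSWORD]
# Returns 0 on success, 1 on the first failing step, 2 if keytool is not installed.
keytool_lifecycle() {
  dir="$1"
  pass="${2:-changeit-demo}"   # demo value; real deployments read it from a secret store
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH (install a JDK); skipping" >&2
    return 2
  fi
  ks="$dir/keystore.p12"
  ts="$dir/truststore.p12"

  # 1. Generate a 2048-bit RSA key pair with a one-year self-signed certificate.
  #    -dname replaces the interactive Distinguished Name prompt; -ext SAN is
  #    needed because modern clients validate the hostname against the SAN, not the CN.
  keytool -genkeypair -alias domain -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -dname "CN=example.com, OU=IT, O=Example Corp, L=Austin, ST=TX, C=US" \
    -ext "SAN=dns:example.com,dns:www.example.com" \
    -keystore "$ks" -storetype PKCS12 -storepass "$pass" -keypass "$pass" || return 1

  # 2. Create a CSR for that key; this is the file you send to the CA.
  keytool -certreq -alias domain -file "$dir/domain.csr" \
    -keystore "$ks" -storepass "$pass" || return 1

  # 3. Export the certificate: binary DER by default, PEM text with -rfc.
  keytool -exportcert -alias domain -file "$dir/domain.der" \
    -keystore "$ks" -storepass "$pass" || return 1
  keytool -exportcert -rfc -alias domain -file "$dir/domain.pem" \
    -keystore "$ks" -storepass "$pass" || return 1

  # 4. Import the certificate as a trusted entry into a separate truststore.
  #    The same command imports a CA's root and intermediate certificates;
  #    -noprompt answers the "Trust this certificate?" question for scripted use.
  keytool -importcert -noprompt -alias domain-ca -file "$dir/domain.pem" \
    -keystore "$ts" -storetype PKCS12 -storepass "$pass" || return 1

  # 5. Verify the truststore now lists the trusted entry (lines start with "alias,").
  keytool -list -keystore "$ts" -storepass "$pass" | grep -q "^domain-ca," || return 1

  # 6. Rename, then delete, the private key entry.
  keytool -changealias -alias domain -destalias newdomain \
    -keystore "$ks" -storepass "$pass" -keypass "$pass" || return 1
  keytool -delete -alias newdomain -keystore "$ks" -storepass "$pass" || return 1

  # 7. Confirm that neither alias remains in the keystore.
  if keytool -list -keystore "$ks" -storepass "$pass" | grep -q -e "^domain," -e "^newdomain,"; then
    return 1
  fi
  return 0
}

# Stand-alone run: "sh lifecycle.sh run" executes the steps in a fresh temporary directory.
if [ "${1:-}" = "run" ]; then
  keytool_lifecycle "$(mktemp -d)" && echo "keystore lifecycle completed"
fi
```

Each step uses || return 1 so a failure stops the script at the step that broke instead of continuing with a half-built keystore. Passing -storepass on the command line exposes the password in the process list; newer keytool versions accept -storepass:env and -storepass:file for a password read from an environment variable or file.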
Keytool Arguments
Below is a list of the arguments the various Keytool commands take. Please keep in mind that not all commands accept all of these arguments. Look at the concrete command to see what arguments it takes.
| Argument | Description |
|---|---|
| -alias | The name in the Java KeyStore the generated key should be identified by. Remember, an alias can only point to one key. |
| -keyalg | The name of the algorithm used to generate the key. A common value is RSA, meaning the RSA algorithm should be used to generate the key pair. |
| -keysize | The size in bits of the key to generate. Normally key sizes are multiples of 8, which aligns with a number of bytes. Additionally, different algorithms may only support certain preset key sizes. You will need to check what the key size should be for the key you want to generate. |
| -sigalg | The signature algorithm used to sign the key pair. |
| -dname | The Distinguished Name from the X.500 standard. This name will be associated with the alias for this key pair in the KeyStore. The dname is also used as the 'issuer' and 'subject' fields in the self signed certificate. |
| -keypass | The key pair password needed to access this specific key pair within the KeyStore. |
| -validity | The number of days the certificate attached to the key pair should be valid. |
| -storetype | The file format the KeyStore should be saved in. The default is JKS. Another option is the value PKCS11, which represents the standard PKCS11 format. |
| -keystore | The name of the KeyStore file to store the generated key pair in. If the file does not exist, it will be created. |
| -file | The name of the file to read from or write to (certificate or certificate request). |
| -storepass | The password for the whole KeyStore. Anyone who wants to open this KeyStore later will need this password. The storepass is not the same as the keypass. The keypass password only counts for a single key. You will need both the KeyStore password and the key password to access any given key stored in a KeyStore. |
| -rfc | If this flag is included (it has no value following it) then Keytool will use a textual format rather than binary format, e.g. for export or import of certificates. The value -rfc refers to the RFC 1421 standard. |
| -providerName | The name of the cryptographic API provider you want to use (if any) when generating the key pair. The provider name must be listed in the Java security property files for this to work. |
| -providerClass | The name of the root class of the cryptographic API provider you want to use. Use this when the provider name is not listed in the Java security property files. |
| -providerArg | Arguments you can pass to your cryptographic provider at initialization (if needed by the provider). |
| -v | Short for 'verbose' (?!?), meaning the Keytool will print out a lot of extra information into the command line in a humanly readable format. |
| -protected | Specifies whether or not the KeyStore password should be provided by some external mechanism like a pin reader. Valid values are true and false. |
| -Jjavaoption | A Java option string (Java VM options) which can be passed to the Java VM that generates the key pair and creates the KeyStore. |