Common Java Keytool Commands
Keytool is a certificate management utility included with Java. It
allows users to create a single store, called a keystore, that
can hold multiple certificates. This file can then be installed on
a server and used for SSL/TLS connections.
Java Keystore files associate each certificate with a unique
alias. Think of a keystore file like a lunch box. A lunch box,
although thought of as a single item, a 'box', can contain multiple
items inside of it that serve different functions. Although it comprises
several components, what you end up taking to work is the entire
Alias = Sandwich
Alias = Drink
Alias = Snack
If you apply this logic to a keystore file, your 'lunchbox' is the
keystore.jks file. The 'sandwich', 'drink' and 'snack' are all
different certificates (held within Aliases) that make up the
Alias = Root
Alias = Intermediate
Alias = Server
Keystore files can have a file extension of *.jks or *.keystore.
*.jks is more commonly used. This file type is used on a number of
servers; typically servers that use Java.
Creating a Keystore File
This section will take you through the most basic way to get your SSL
certificate installed using Keytool.
Note: Data in the command line within [ ] needs to be
replaced with information specific to your installation and situation (also
ensuring that you replace the [ ] themselves). An example:
[Common Name].jks would be replaced with
myserver.local.jks (or whatever your Common Name may be).
First, you will need to create a new keystore file (called
[Common Name].jks) with a private key:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore [Common Name].jks -dname "CN=[Common Name], OU=[organisationunit], O=[organisation], L=[town/city], ST=[state/province], C=[GB]"
Note: Ensure that you take note of the alias in this
command. The one we use above is "server". In the final step, you must
install your certificate on top of this alias name. If you decided to
change the alias name from the one used above, then you will need to
ensure you make the same change going forward.
Next, you are going to create a CSR from this private key and
keytool -certreq -alias server -file [Common Name].csr -keystore [Common Name].jks
Give this [Common Name].csr file to TrustLink to request a certificate.
In the meantime while you are waiting for a certificate, you can install
the root and intermediate files.
Install the Root certificate into an alias called Root:
keytool -import -alias Root -trustcacerts -file [qvrca2].cer -keystore [Common Name].jks
Install the Intermediate certificate into an alias called
Intermediate (or Int for short):
keytool -import -alias Intermediate -trustcacerts -file [evsslicag2].cer -keystore [Common Name].jks
Once you have received your certificate file back from QuoVadis, you can
install it into the Keystore.
Install the certificate into your keystore:
keytool -import -alias server -file [My Certificate].crt -keystore [Common Name].jks
You should now be able to take your JKS file and install it into the
application or server that you are using.
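The whole procedure above, run end to end as an added example (it is not part of the original article and not QuoVadis/TrustLink tooling). Because a real CA is not available offline, a throwaway local root CA built with keytool signs the CSR in place of the commercial CA; the keystore names, the Common Name myserver.local and the password variable KS_PASS are all constructed here. The script uses the current command names -genkeypair and -importcert (the article's -genkey and -import are their older aliases, which still work), and passes passwords through the -storepass:env / -keypass:env forms so they do not appear in the process list. The final check is the one to run after installing the reply: the key alias must report Entry type: PrivateKeyEntry with Certificate chain length: 2 (3 when an intermediate is also in the chain); a trustedCertEntry under that alias means the certificate was imported beside the key rather than on top of it.

```shell
#!/bin/sh
# Added example (not from the original article): builds a server keystore as the
# article describes, but a local throwaway CA signs the CSR so it runs offline.
set -eu

# One password for every store in this demo, read by keytool from the environment.
export KS_PASS="${KS_PASS:-example-password-change-me}"

make_local_ca() {   # $1 = working directory; stand-in for the commercial CA
    keytool -genkeypair -alias Root -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=Example Test Root CA, O=Example, C=GB" -ext bc:c \
        -keystore "$1/ca.jks" -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
    keytool -exportcert -alias Root -rfc -file "$1/root.cer" \
        -keystore "$1/ca.jks" -storepass:env KS_PASS >/dev/null 2>&1
}

make_server_keystore() {   # $1 = working directory, $2 = Common Name
    # 1. Keystore with a fresh private key under alias "server" (JKS, as in the article).
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -storetype JKS \
        -dname "CN=$2, OU=IT, O=Example, L=London, ST=London, C=GB" \
        -keystore "$1/$2.jks" -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
    # 2. CSR from that key.
    keytool -certreq -alias server -file "$1/$2.csr" \
        -keystore "$1/$2.jks" -storepass:env KS_PASS >/dev/null 2>&1
    # 3. The local CA signs the CSR (this is what the CA sends back in real life).
    keytool -gencert -alias Root -infile "$1/$2.csr" -outfile "$1/$2.crt" -rfc \
        -validity 30 -ext "san=dns:$2" \
        -keystore "$1/ca.jks" -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
    # 4. Root certificate into its own alias (trusted entry); -noprompt skips the "Trust this?" question.
    keytool -importcert -alias Root -trustcacerts -noprompt -file "$1/root.cer" \
        -keystore "$1/$2.jks" -storepass:env KS_PASS >/dev/null 2>&1
    # 5. Signed certificate on top of the SAME alias that holds the private key.
    keytool -importcert -alias server -file "$1/$2.crt" \
        -keystore "$1/$2.jks" -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
}

entry_type() {   # $1 = keystore, $2 = alias; prints PrivateKeyEntry or trustedCertEntry
    keytool -list -v -alias "$2" -keystore "$1" -storepass:env KS_PASS 2>/dev/null \
        | sed -n 's/^Entry type: *//p'
}

chain_length() {   # $1 = keystore, $2 = alias; prints the number of certificates in the chain
    keytool -list -v -alias "$2" -keystore "$1" -storepass:env KS_PASS 2>/dev/null \
        | sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}

if command -v keytool >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    make_local_ca "$WORK"
    make_server_keystore "$WORK" myserver.local
    echo "server entry: $(entry_type "$WORK/myserver.local.jks" server)"         # PrivateKeyEntry
    echo "server chain length: $(chain_length "$WORK/myserver.local.jks" server)" # 2
    rm -rf "$WORK"
fi
```

The -gencert step (available since JDK 7) is the only part that differs from the article's flow; everything else is the same sequence of keystore operations, with the real CA's reply file taking the place of the locally signed one.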
Listing a Keystore File
Another useful command to know is the one that lists the contents of a keystore
file. If something doesn't work, or you think you have made a mistake
in your commands, listing the keystore can help you find where you
went wrong. This command can be run by:
keytool -list -v -keystore [keystore].jks
Java comes with a predefined list of trusted certificates which is
stored in the cacerts keystore. QuoVadis has been trusted in this list as
of JRE v6 Update15 (or JDK 1.6.0_15). You can list the contents of
your cacerts keystore with the following command:
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
If you need to add a Root certificate to this file so that Java can
trust it, you can run the following command:
keytool -import -trustcacerts -file [path\to\ca.crt] -alias [alias] -keystore $JAVA_HOME/jre/lib/security/cacerts
Note: For these commands, the path may be different
depending on where Java is installed.
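An added helper for the two cacerts commands above (example code, not part of the original article). It locates the cacerts file for either layout, because JDK 9 and later dropped the jre/ directory and keep the store at $JAVA_HOME/lib/security/cacerts, and it adds a CA certificate only when no certificate with the same SHA-256 fingerprint is already present, so re-running a provisioning script cannot pile up duplicate aliases. The cacerts store ships with the well-known default password changeit, which the script uses unless KS_PASS is set; the demo alias and scratch copy of the store are constructed here, and the real cacerts file is never modified.

```shell
#!/bin/sh
# Added example, not from the original article. The alias name and the scratch
# store used in the demo are constructed here.
set -eu

# cacerts ships with the default password "changeit"; override via KS_PASS.
export KS_PASS="${KS_PASS:-changeit}"

# JDK 9+ keeps cacerts under lib/security; JDK 8 and earlier under jre/lib/security.
find_cacerts() {   # $1 = JAVA_HOME; prints the cacerts path, fails if none is found
    for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

cert_sha256() {   # $1 = certificate file (PEM or DER); prints its SHA-256 fingerprint
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

is_trusted() {    # $1 = keystore, $2 = certificate file; succeeds if that cert is already in the store
    fp=$(cert_sha256 "$2")
    [ -n "$fp" ] && keytool -list -v -keystore "$1" -storepass:env KS_PASS 2>/dev/null \
        | grep -Fq "SHA256: $fp"
}

add_trusted_ca() {   # $1 = keystore, $2 = certificate file, $3 = alias; prints "added" or "already trusted"
    if is_trusted "$1" "$2"; then
        echo "already trusted"
    else
        keytool -importcert -trustcacerts -noprompt -alias "$3" -file "$2" \
            -keystore "$1" -storepass:env KS_PASS >/dev/null 2>&1
        echo "added"
    fi
}

# Demo against a scratch copy of cacerts so the JDK's own store is left untouched.
if command -v keytool >/dev/null 2>&1 && [ -n "${JAVA_HOME:-}" ] && CACERTS=$(find_cacerts "$JAVA_HOME"); then
    WORK=$(mktemp -d)
    cp "$CACERTS" "$WORK/cacerts"
    # Constructed CA certificate to add: a self-signed key pair exported as PEM.
    keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -dname "CN=Demo CA, O=Example, C=GB" \
        -keystore "$WORK/ca.jks" -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
    keytool -exportcert -alias demo-ca -rfc -file "$WORK/ca.cer" \
        -keystore "$WORK/ca.jks" -storepass:env KS_PASS >/dev/null 2>&1
    add_trusted_ca "$WORK/cacerts" "$WORK/ca.cer" demo-ca   # added
    add_trusted_ca "$WORK/cacerts" "$WORK/ca.cer" demo-ca   # already trusted
    rm -rf "$WORK"
fi
```

Matching on the fingerprint rather than the alias is deliberate: an alias is just a label chosen at import time, while the fingerprint identifies the certificate itself, so the check still works when someone earlier imported the same CA under a different alias.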
Deleting an Alias
If you have messed something up within your keystore, all is not lost.
You can delete an alias (and any certificates within that alias) with the
keytool -delete -alias [alias] -keystore [keystore].jks
Changing a Java Keystore Password
This command will let you change the password to a Java Keystore file
(you will need the original password):
keytool -storepasswd -new [NewPassword] -keystore [keystore].jks
Exporting a Certificate From a Keystore
Use this command to export a certificate from an alias within a keystore:
keytool -export -alias [alias] -file [filename].crt -keystore [keystore].jks
Exporting a PKCS#12 (*.p12 or *.pfx) file from a Keystore
You are able to export a PKCS#12 file from a Keystore. This can be
helpful if you are migrating from a Java-based server where a Keystore is
needed to another server type (such as Windows) without the need to
generate a new certificate. You will need a full keystore (with private key
and public key) in order to do this:
keytool -importkeystore -srckeystore [keystore].jks -destkeystore [filename].p12 -deststoretype PKCS12
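An added example of the PKCS#12 export (not from the original article): it exports one alias with -srcalias/-destalias rather than the whole store, creates the .p12 owner-readable only because it carries the private key, and then lists the result to confirm the alias came across as a PrivateKeyEntry rather than a bare certificate. The keystore, alias and password variable KS_PASS are constructed here. One caveat worth knowing when migrating: a PKCS#12 store uses a single password for the store and its keys, so the destination key password is set equal to the store password.

```shell
#!/bin/sh
# Added example, not from the original article. server.jks, server.p12 and the
# alias are constructed names.
set -eu
export KS_PASS="${KS_PASS:-example-password-change-me}"

export_p12() {   # $1 = source .jks, $2 = alias, $3 = destination .p12
    # umask in a subshell: the .p12 is created with owner-only permissions while the
    # caller's umask is left untouched. PKCS#12 keeps store and key passwords equal.
    ( umask 077
      keytool -importkeystore -srckeystore "$1" -srcstorepass:env KS_PASS -srcalias "$2" \
          -destkeystore "$3" -deststoretype PKCS12 -destalias "$2" \
          -deststorepass:env KS_PASS -destkeypass:env KS_PASS -noprompt >/dev/null 2>&1 )
}

p12_entry_type() {   # $1 = .p12, $2 = alias; prints the entry type keytool reports
    keytool -list -v -storetype PKCS12 -alias "$2" -keystore "$1" -storepass:env KS_PASS 2>/dev/null \
        | sed -n 's/^Entry type: *//p'
}

if command -v keytool >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    # Constructed stand-in for a finished keystore: a self-signed key pair under alias "server".
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -storetype JKS \
        -dname "CN=myserver.local, O=Example, C=GB" \
        -keystore "$WORK/server.jks" -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
    export_p12 "$WORK/server.jks" server "$WORK/server.p12"
    echo "server.p12 entry type: $(p12_entry_type "$WORK/server.p12" server)"   # PrivateKeyEntry
    ls -l "$WORK/server.p12"   # permissions should read -rw------- (owner only)
    rm -rf "$WORK"
fi
```

If the listing shows trustedCertEntry instead, the alias that was exported held only a certificate, and the key lives under a different alias in the source keystore.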