Common Java Keytool Commands

Common Java Keytool Commands


Keytool is a certificate management utility included with Java.  It allows users to create a single store, called a keystore, that can hold multiple certificates within it.  This file can then be assigned or installed to a server and used for SSL/TLS connections.

Java Keystore files associate each certificate with a unique alias.  Think of a keystore file like a lunch box. A lunch box, although thought of as single item, a 'box', can contain multiple items inside of it that server different functions. Although it comprises of several components, what you end up taking to work is the entire lunchbox:

My Lunchbox

Alias = Sandwich Alias = Drink Alias = Snack

If you apply this logic to a keystore file, your 'lunchbox' is the keystore.jks file. The 'sandwich', 'drink' and 'snack' are all different certificates (held within Aliases) that make up the entire file.

QuoVadis Root Certificate QuoVadis Intermediate Certificate Your Certificate
Alias = Root Alias = Intermediate Alias = Server

Keystore files can have a file extension of *.jks or *.keystore.  *.jks is more commonly used.  This file type is used on a number of servers; typically servers that use Java.

Creating a Keystore File

This section will take you through the most basic way to get your SSL certificate installed using Keytool.

Note: Data in the command line within [ ] need to be replaced with information specific to your installation and situation (also ensuring that you replace the [ ]). A example would be -keystore [Common Name].jks would need to be replaced to -keystore myserver.local.jks (or whatever your Common Name may be).

First, you will need to create a new keystore file (called [Common Name].jks) with a private key:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore [Common Name].jks -dname "CN=[Common Name], OU=[organisationunit], O=[organisation], L=[town/city], ST=[state/province], C=[GB]

Note: Ensure that you take note of the alias in this command.  The one we use above is "server". In the final step, you must install your certificate on top of this alias name. If you decided to change the alias name from the one used above, then you will need to ensure you make the same change going forward.

Next, you are going to create a CSR from this private key and keystore:

keytool -certreq -alias server -file [Common Name].csr -keystore [Common Name].jks

Give this [Common Name].csr file to TrustLink to request a certificate. In the meantime while you are waiting for a certificate, you can install the root and intermediate files.

Install the Root certificate into an alias called Root:

keytool -import -alias Root -trustcacerts -file [qvrca2].cer -keystore [Common Name].jks

Install the Intermediate certificate into an alias called Intermediate (or Int for short):

keytool -import -alias Intermediate -trustcacerts -file [evsslicag2].cer -keystore [Common Name].jks

Once you have received your certificate file back from QuoVadis, you can install it into the Keystore.

Install the certificate into your keystore:

keytool -import -alias server -file [My Certificate].crt -keystore [Common Name].jks

You should now be able to take your JKS file and install it into the application or server that you are using.

Listing a Keystore File

Another useful command to know is to list out the contents of a keystore file. If something doesn't quite work right or you may have made a mistake in your commands, a list command can help you troubleshoot where you may have went wrong.  This command can be run by:

keytool -list -v -keystore [keystore].jks

CACERTS Keystore

Java comes with a predefined list of trusted certificates which is stored in the cacerts keystore. QuoVadis has been trusted in this list as of JRE v6 Update15 (or JDK 1.6.0_15).  You can list the contents of your cacerts keystore with the following command:

keytool –list –v –keystore $JAVA_HOME/jre/lib/security/cacerts

If you need to add a Root certificate to this file so that Java can trust it, you can run the following command:

keytool –import –trustcacerts –file [path\to\ca.crt] –alias [alias] –keystore $JAVA_HOME/jre/lib/security/cacerts

Note: For these commands, the path may be different depending on where Java is installed.

Deleting an Alias

If you have messed something up within your keystore, all is not lost. You can delete an alias (and any certificates within that alias) with the following command:

keytool -delete -alias [alias] -keystore [keystore].jks

Changing a Java Keystore Password

This command will let you change the password to a Java Keystore file (you will need the original password):

keytool -storepasswd -new [NewPassword] -keystore [keystore].jks

Exporting a Certificate From a Keystore

Use this command to export a certificate from an alias within a keystore file:

keytool -export -alias [alias] -file [filename].crt -keystore [keystore].jks

Exporting a PKCS#12 (*.p12 or *.pfx) file from a Keystore

You are able to export a PKCS#12 file from a Keystore.  This can be helpful if you are migrating from a Java based server where a Keystore is needed to another server type (such as Windows) without the need to generate a new certificate. You will need a full keystore (with private key and public key) in order to do this:

keytool -importkeystore -srckeystore [keystore].jks -destkeystore [filename].p12 -deststoretype PKCS12

Add Feedback