Keytool is a certificate management utility included with Java. It allows users to create a single store, called a keystore, that can hold multiple certificates within it. This file can then be assigned or installed to a server and used for SSL/TLS connections.
Java Keystore files associate each certificate with a unique alias. Think of a keystore file like a lunch box. A lunch box, although thought of as single item, a 'box', can contain multiple items inside of it that serve different functions. Although it comprises of several components, what you end up taking to work is the entire lunchbox:
If you apply this logic to a keystore file, your 'lunchbox' is the keystore.jks file. The 'sandwich', 'drink' and 'snack' are all different certificates (held within Aliases) that make up the entire file.
|Alias = Root
||Alias = Intermediate
||Alias = Server
Keystore files can have a file extension of *.jks or *.keystore. *.jks is more commonly used. This file type is used on a number of servers; typically servers that use Java.
Creating a Keystore File
This section will take you through the most basic way to get your SSL certificate installed using Keytool.
Note: Data in the command line within [ ] need to be replaced with information specific to your installation and situation (also ensuring that you replace the [ ]). A example would be
-keystore [Common Name].jks would need to be replaced to
-keystore myserver.local.jks (or whatever your Common Name may be).
First, you will need to create a new keystore file (called [Common Name].jks) with a private key:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore [Common Name].jks -dname "CN=[Common Name], OU=[organisationunit], O=[organisation], L=[town/city], ST=[state/province], C=[GB]"
Note: Ensure that you take note of the alias in this command. The one we use above is "server". In the final step, you must install your certificate on top of this alias name. If you decided to change the alias name from the one used above, then you will need to ensure you make the same change going forward.
Next, you are going to create a CSR from this private key and keystore:
keytool -certreq -alias server -file [Common Name].csr -keystore [Common Name].jks
Give this [Common Name].csr file to TrustLink to request a certificate. In the meantime while you are waiting for a certificate, you can install the root and intermediate files.
Install the Root certificate into an alias called Root:
keytool -import -alias Root -trustcacerts -file [qvrca2].cer -keystore [Common Name].jks
Install the Intermediate certificate into an alias called Intermediate (or Int for short):
keytool -import -alias Intermediate -trustcacerts -file [evsslicag2].cer -keystore [Common Name].jks
Once you have received your certificate file back from QuoVadis, you can install it into the Keystore.
Install the certificate into your keystore:
keytool -import -alias server -file [My Certificate].crt -keystore [Common Name].jks
You should now be able to take your JKS file and install it into the application or server that you are using.
Listing a Keystore File
Another useful command to know is to list out the contents of a keystore file. If something doesn't quite work right or you may have made a mistake in your commands, a list command can help you troubleshoot where you may have went wrong. This command can be run by:
keytool -list -v -keystore [keystore].jks
Java comes with a predefined list of trusted certificates which is stored in the cacerts keystore. QuoVadis has been trusted in this list as of JRE v6 Update15 (or JDK 1.6.0_15). You can list the contents of your cacerts keystore with the following command:
keytool –list –v –keystore $JAVA_HOME/jre/lib/security/cacerts
If you need to add a Root certificate to this file so that Java can trust it, you can run the following command:
keytool –import –trustcacerts –file [path\to\ca.crt] –alias [alias] –keystore $JAVA_HOME/jre/lib/security/cacerts
Note: For these commands, the path may be different depending on where Java is installed.
Deleting an Alias
If you have messed something up within your keystore, all is not lost. You can delete an alias (and any certificates within that alias) with the following command:
keytool -delete -alias [alias] -keystore [keystore].jks
Changing a Java Keystore Password
This command will let you change the password to a Java Keystore file (you will need the original password):
keytool -storepasswd -new [NewPassword] -keystore [keystore].jks
Exporting a Certificate From a Keystore
Use this command to export a certificate from an alias within a keystore file:
keytool -export -alias [alias] -file [filename].crt -keystore [keystore].jks
Exporting a PKCS#12 (*.p12 or *.pfx) file from a Keystore
You are able to export a PKCS#12 file from a Keystore. This can be helpful if you are migrating from a Java based server where a Keystore is needed to another server type (such as Windows) without the need to generate a new certificate. You will need a full keystore (with private key and public key) in order to do this:
keytool -importkeystore -srckeystore [keystore].jks -destkeystore [filename].p12 -deststoretype PKCS12