Wednesday, July 9, 2014

Java Keytool Commands

A) Key Store Generation

1) Generate a Java keystore and key pair

    keytool -genkey -alias demo -keyalg RSA -keystore keystore.jks -storepass password

2) Generate a certificate signing request (CSR) for an existing Java keystore

    keytool -certreq -alias demo -keystore keystore.jks -storepass password -file demo.csr

3) Generate a keystore and self-signed certificate

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360

B) Import Certificates

1) Import a root or intermediate CA certificate to an existing Java keystore

    keytool -import -trustcacerts -alias root -file test.crt -keystore keystore.jks -storepass password

2) Import a signed primary certificate to an existing Java keystore

    keytool -import -trustcacerts -alias demo -file demo.crt -keystore keystore.jks -storepass password

3) Import New CA into Trusted Certs

    keytool -import -trustcacerts -file demo.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

C) Export Certificates


1) Export a certificate from a keystore

    keytool -export -alias demo -file demo.crt -keystore keystore.jks -storepass password

D) Check/List/View

1) Check a stand-alone certificate

    keytool -printcert -v -file demo.crt

2) Check which certificates are in a Java keystore

    keytool -list -v -keystore keystore.jks -storepass password

3) Check a particular keystore entry using an alias

    keytool -list -v -keystore keystore.jks -storepass password -alias demo
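The `keytool -list -v` listing from section D can also be checked by script. The following is an added example, not part of the original post: it reads such a listing and flags private-key entries that are still self-signed (as produced by A.3), MD2/MD5/SHA-1 signatures, and expired leaf certificates. The function names and the sample listing are constructed, and the date parsing assumes keytool's English-locale output.

```shell
#!/bin/sh
# Added example: audit the text printed by `keytool -list -v`.
# Usage: audit_listing [YYYYMMDD] < listing.txt   (date defaults to today)
audit_listing() {
  awk -v today="${1:-$(date +%Y%m%d)}" '
    function after(prefix) { return substr($0, length(prefix) + 1) }
    function report() {
      if (alias == "") return
      if (type == "PrivateKeyEntry" && owner != "" && owner == issuer)
        print alias ": self-signed key entry"
      if (sig ~ /^(MD2|MD5|SHA1)with/) print alias ": weak signature " sig
      if (until != "" && until < today + 0) print alias ": expired " until
    }
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) month[m[i]] = i }
    /^Alias name: / { report(); alias = after("Alias name: ")
                      type = owner = issuer = sig = until = "" }
    /^Entry type: / { type = after("Entry type: ") }
    # Only the first certificate after an alias (the leaf) is examined.
    /^Owner: /  && owner == ""  { owner = after("Owner: ") }
    /^Issuer: / && issuer == "" { issuer = after("Issuer: ") }
    /^Valid from: / && until == "" {   # English-locale date assumed
      n = split(substr($0, index($0, " until: ") + 8), d, " ")
      until = d[n] * 10000 + month[d[2]] * 100 + d[3]   # YYYYMMDD
    }
    /^Signature algorithm name: / && sig == "" { sig = after("Signature algorithm name: ") }
    END { report() }
  '
}

# Constructed sample of `keytool -list -v` output (trimmed to the parsed lines).
sample_listing() {
  cat <<'EOF'
Alias name: selfsigned
Entry type: PrivateKeyEntry
Owner: CN=demo.example.test, O=Example
Issuer: CN=demo.example.test, O=Example
Valid from: Wed Jul 09 10:00:00 UTC 2014 until: Sat Jul 04 10:00:00 UTC 2015
Signature algorithm name: SHA1withRSA
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Valid from: Wed Jul 09 10:00:00 UTC 2014 until: Thu Jul 06 10:00:00 UTC 2034
Signature algorithm name: SHA256withRSA
EOF
}

sample_listing | audit_listing
```

To audit a real keystore, save the output of the `keytool -list -v` command above to a file and feed it to `audit_listing`. keytool's `-storepass:env VAR` form reads the password from an environment variable, which keeps it off the command line.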

E) List Trusted CA Certs

1) List the trusted CA certificates in the JRE's default truststore

    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

F) Delete Certificates

1) Delete a certificate from a Java Keytool keystore

    keytool -delete -alias demo -keystore keystore.jks -storepass password

G) Change Passwords

1) Change a Java keystore password

    keytool -storepasswd -new new_storepass -keystore keystore.jks -storepass password

2) Change a private key password

    keytool -keypasswd -alias client -keypass old_password -new new_password -keystore client.jks -storepass password