Java KeyStore, or JKS, is a repository of security certificates. The Java Keytool is the certificate management utility that makes it possible to store and manage certificates in the Keystore. A JKS includes either authorization certificates or public key certificates alongside the private keys. While setting up the Java Keystore, you create the .jks file, which contains a private key. You then proceed to CSR generation in order to obtain an SSL certificate. Apart from this, you can use the Keytool to perform several other actions on the Keystore, such as viewing certificate or key details.
So, we handpicked some of the best Java Keytool Keystore commands to help you in the process. If you are looking for them, this article is for you.
Java Keytool Keystore Commands
Before we start with the Keytool commands, have a look at this video, which shows the Keytool command line in action. It will help you in the process.
Java Keytool Commands for Creating and Importing
These are some of the most used and essential Keytool commands for creating the Keystore file, generating a CSR for the certificate, and importing the certificates.
Generate Java Keystore and Key pair
Use this command in the Keytool to generate a Java Keystore and a key pair. The key will be a 2048-bit RSA key.
keytool -genkey -alias yourdomain -keyalg RSA -keystore keystore.jks -keysize 2048
Generate CSR for an existing Java Keystore
If you already have a Java Keystore and need to create a CSR for it, use this command.
keytool -certreq -alias yourdomain -keystore keystore.jks -file yourdomain.csr
Import intermediate or root CA Certificate to an existing Java Keystore
Make sure that you replace both the Keystore file name and the certificate file name with the correct ones.
keytool -import -trustcacerts -alias root -file certname.crt -keystore keystore.jks
Import a signed primary Certificate to the existing Java Keystore
keytool -import -trustcacerts -alias yourdomain -file yourdomain.crt -keystore keystore.jks
Generate Keystore and self-signed Certificate
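If you want to create a Keystore and a self-signed certificate at the same time with a single command, use the following. Replace "password" with your own Keystore password; keep in mind that a password given on the command line ends up in the shell history.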
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
Java Keytool Commands for Checking Purposes
As already mentioned, you can check the existing information in your Keystore with a few commands. Have a look at them.
Check a stand-alone Certificate
Use this command to check a stand-alone certificate file. Make sure that you replace “yourdomain.crt” with the name of your certificate.
keytool -printcert -v -file yourdomain.crt
Check which Certificates are in the Java Keystore
keytool -list -v -keystore keystore.jks
Check a particular Keystore entry using the alias
keytool -list -v -keystore keystore.jks -alias yourdomain
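The verbose listing produced by the two commands above is long, so the following added example (not part of the original article) condenses it to one line per alias and shows whether the entry's certificate is self-signed. This is useful because a freshly generated key pair holds a self-signed certificate until the signed certificate is imported. The function and sample names are hypothetical, and the sample listing is constructed. On a real Keystore, pipe the output of keytool -list -v -keystore keystore.jks into audit_keystore_listing.

```shell
#!/bin/sh
# Added example. Summarizes keytool -list -v output, one line per alias:
#   alias|entry type|self-signed or ca-issued|public key|signature algorithm
# Assumes English-locale keytool output; the key field stays empty on JDKs
# that do not print a "Subject Public Key Algorithm" line.
audit_keystore_listing() {
  awk '
    function emit(   kind) {
      if (alias == "") return
      kind = (owner != "" && owner == issuer) ? "self-signed" : "ca-issued"
      printf "%s|%s|%s|%s|%s\n", alias, type, kind, key, sig
    }
    /^Alias name: / { emit(); alias = substr($0, 13); type = owner = issuer = key = sig = ""; certs = 0; next }
    /^Entry type: / { type = substr($0, 13); next }
    # Only the first certificate of each entry (the end-entity one) is summarized.
    /^Owner: /  { certs++; if (certs == 1) owner = substr($0, 8); next }
    /^Issuer: / { if (certs == 1) issuer = substr($0, 9); next }
    /^Signature algorithm name: /     { if (certs == 1) sig = substr($0, 27); next }
    /^Subject Public Key Algorithm: / { if (certs == 1) key = substr($0, 31); next }
    END { emit() }
  '
}

# Constructed, abbreviated sample listing (not output from a real keystore).
sample_listing() {
  cat <<'EOF'
Alias name: selfsigned
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=www.example.test, O=Example, C=US
Issuer: CN=www.example.test, O=Example, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: yourdomain
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=www.example.test, O=Example, C=US
Issuer: CN=Example Test Intermediate CA, O=Example CA, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Test Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Test Root CA, O=Example CA, C=US
EOF
}

sample_listing | audit_keystore_listing
```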
Common Java Keytool Commands
These are some of the most commonly used Java Keytool commands for tasks such as deleting Keystore entries, changing the password, and importing or exporting data.
Delete a Certificate from the Keytool Keystore
Situations where you have to delete a certificate from the Keystore are common. To do this, use this Java Keytool command.
keytool -delete -alias yourdomain -keystore keystore.jks
Change the Java Keystore password
To ensure the security of your certificates and keys, it is good practice to change the Keystore password regularly. To do so, use this command in the Keytool.
keytool -storepasswd -new new_storepass -keystore keystore.jks
Export a Certificate from the Keystore
If you want to export an already created certificate from the Keystore for further use, this command can help.
keytool -export -alias yourdomain -file yourdomain.crt -keystore keystore.jks
List All Trusted CA Certificates
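To look at the list of trusted CA certificates in the Java cacerts Keystore, use this. On Java 9 and later there is no jre directory, and the file is located at $JAVA_HOME/lib/security/cacerts.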
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Import New CA (Certificate Authority) into Trusted Certs
If you have a new CA (Certificate Authority) to be included in the trusted CA list on the Keystore, use this command.
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
Actions in the Keytool should be taken with extreme caution. Any incorrect or mismatched command may cause serious problems for your Keystore, certificates, or other files. For example, if you mistype a command so that it matches the deletion command, your certificate will be deleted from the server or computer. So, make sure that everything is typed correctly before proceeding.
Also, make sure to replace the certificate names and the website addresses used in the commands above with your own. If you have any questions or doubts regarding any of the above-listed Keytool commands, feel free to reach us. We will always be happy to help you. Also be sure to check out the OpenSSL commands.