Use keytool to set up and work with JSSE (Java Secure Socket Extension) digital certificates. In the Platform Edition, the Application Server uses the JSSE format on the server side to manage certificates and key stores. In both the Platform Edition and Enterprise Edition, the client side (appclient or stand-alone) uses the JSSE format.
The J2SE SDK ships with keytool, which enables the administrator to administer public/private key pairs and associated certificates. It also enables users to cache the public keys (in the form of certificates) of their communicating peers.
To run keytool, the shell environment must be configured so that the J2SE /bin directory is in the path, or the full path to the tool must be present on the command line. For more information on keytool, see the keytool documentation at http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.
The following examples demonstrate usage related to certificate handling using JSSE tools:
Create a self-signed certificate in a keystore of type JKS using an RSA key algorithm. RSA is a public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adleman, the inventors of the technology.
| keytool -genkey -noprompt -trustcacerts -keyalg RSA -alias ${cert.alias} -dname ${dn.name} -keypass ${key.pass} -keystore ${keystore.file} -storepass ${keystore.pass} |
Another example of creating a certificate is shown in To generate a certificate using the keytool utility.
Create a self-signed certificate in a keystore of type JKS using the default key algorithm.
| keytool -genkey -noprompt -trustcacerts -alias ${cert.alias} -dname ${dn.name} -keypass ${key.pass} -keystore ${keystore.file} -storepass ${keystore.pass} |
An example of signing a certificate is shown in To sign a digital certificate using the keytool utility.
Display available certificates from a keystore of type JKS.
| keytool -list -v -keystore ${keystore.file} -storepass ${keystore.pass} |
Display certificate information from a keystore of type JKS.
| keytool -list -v -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass} |
Import an RFC/text-formatted certificate into a JKS store. Certificates are often stored using the printable encoding format defined by the Internet RFC (Request for Comments) 1421 standard instead of their binary encoding. This certificate format, also known as Base 64 encoding, facilitates exporting certificates to other applications by email or through some other mechanism.
| keytool -import -noprompt -trustcacerts -alias ${cert.alias} -file ${cert.file} -keystore ${keystore.file} -storepass ${keystore.pass} |
Export a certificate from a keystore of type JKS in PKCS7 format. The reply format defined by the Public Key Cryptography Standards #7, Cryptographic Message Syntax Standard, includes the supporting certificate chain in addition to the issued certificate.
| keytool -export -noprompt -alias ${cert.alias} -file ${cert.file} -keystore ${keystore.file} -storepass ${keystore.pass} |
Export a certificate from a keystore of type JKS in RFC/text format.
| keytool -export -noprompt -rfc -alias ${cert.alias} -file ${cert.file} -keystore ${keystore.file} -storepass ${keystore.pass} |
Delete a certificate from a keystore of type JKS.
| keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass} |
Another example of deleting a certificate from a keystore is shown in Deleting a certificate using the keytool utility.
To generate a certificate using the keytool utility
Use keytool to generate, import, and export certificates. By default, keytool creates a keystore file in the directory where it is run.
Change to the directory where the certificate is to be generated.
Always generate the certificate in the directory containing the keystore and truststore files, by default domain-dir/config. For information on changing the location of these files, see To change the location of certificate files.
Enter the following keytool command to generate the certificate in the keystore file, keystore.jks:
| keytool -genkey -alias keyAlias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks |
Use any unique name as your keyAlias. If you have changed the keystore or private key password from their default, then substitute the new password for changeit in the above command.
A prompt appears that asks for your name, organization, and other information that keytool uses to generate the certificate.
Enter the following keytool command to export the generated certificate to the file server.cer (or client.cer if you prefer):
| keytool -export -alias keyAlias -storepass changeit -file server.cer -keystore keystore.jks |
If a certificate signed by a certificate authority is required, see To sign a digital certificate using the keytool utility.
To create the truststore file cacerts.jks and add the certificate to the truststore, enter the following keytool command:
| keytool -import -v -trustcacerts -alias keyAlias -file server.cer -keystore cacerts.jks -storepass changeit |
If you have changed the keystore or private key password from their default, then substitute the new password for changeit in the above command.
The tool displays information about the certificate and prompts whether you want to trust the certificate.
Type yes, then press Enter.
Then keytool displays something like this:
| Certificate was added to keystore [Saving cacerts.jks] | 
Restart the Application Server.
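As an added example that is not part of the original documentation, the following script runs the generate, export and import steps above in a throwaway directory and compares the SHA1 fingerprint of the exported file with the entry written to the truststore, which is the check worth doing before answering yes at the trust prompt. It assumes a JDK keytool on the PATH; the alias, distinguished name, passwords and the sample -printcert output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: runs the page's generate, export and
# import steps in a scratch directory, then checks that the fingerprint of the exported
# file matches the entry that landed in the truststore. Assumes a JDK keytool on PATH;
# the alias, DN and passwords are constructed placeholders, not real credentials.

# Extract the SHA1 fingerprint from "keytool -printcert" or "keytool -list -v" output.
# Handles both the indented "SHA1: ..." line of the fingerprints block and the older
# one-line "Certificate fingerprint (SHA1): ..." form; prints only the hex string.
fingerprint_sha1() {
    sed -n 's/^[[:space:]]*SHA1: *//p; s/^.*fingerprint (SHA1): *//p' | head -n 1
}

# Constructed sample of -printcert output so the parser can be exercised without a JDK.
SAMPLE_PRINTCERT='Owner: CN=localhost, OU=Demo, O=Example, C=US
Issuer: CN=localhost, OU=Demo, O=Example, C=US
Serial number: 4b1a2c3d
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Dec 31 00:00:00 UTC 2024
Certificate fingerprints:
         MD5:  0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
         SHA1: DE:AD:BE:EF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

sample_fingerprint() { printf '%s\n' "$SAMPLE_PRINTCERT" | fingerprint_sha1; }

# The page's procedure end to end. Returns 0 when the exported certificate and the
# trusted entry carry the same fingerprint, 1 on mismatch or keytool error, 2 when
# keytool is not installed. Runs in a subshell so the cd and temp files do not leak.
run_demo() (
    command -v keytool >/dev/null 2>&1 || exit 2
    dir=$(mktemp -d) && cd "$dir" || exit 1
    trap 'rm -rf "$dir"' EXIT
    alias=demo-alias; pass=changeit      # constructed; substitute real values in use
    keytool -genkey -keyalg RSA -alias "$alias" \
        -dname 'CN=localhost,OU=Demo,O=Example,C=US' \
        -keypass "$pass" -storepass "$pass" -keystore keystore.jks || exit 1
    keytool -export -alias "$alias" -storepass "$pass" \
        -file server.cer -keystore keystore.jks || exit 1
    # -noprompt stands in for the interactive "Trust this certificate?" answer.
    keytool -import -noprompt -trustcacerts -alias "$alias" -file server.cer \
        -keystore cacerts.jks -storepass "$pass" || exit 1
    exported=$(keytool -printcert -file server.cer | fingerprint_sha1)
    trusted=$(keytool -list -v -alias "$alias" -keystore cacerts.jks \
        -storepass "$pass" | fingerprint_sha1)
    [ -n "$exported" ] && [ "$exported" = "$trusted" ]
)

run_demo && echo "fingerprint match: trust entry verified" || echo "demo rc=$?"
```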
To sign a digital certificate using the keytool utility
After creating a digital certificate, the owner must sign it to prevent forgery. E-commerce sites, or those for which authentication of identity is important, can purchase a certificate from a well-known Certificate Authority (CA). If authentication is not a concern, for example if private secure communication is all that is required, save the time and expense involved in obtaining a CA certificate and use a self-signed certificate.
Follow the instructions on the CA’s Web site for generating certificate key pairs.
Download the generated certificate key pair.
Save the certificate in the directory containing the keystore and truststore files, by default the domain-dir/config directory. See To change the location of certificate files.
In your shell, change to the directory containing the certificate.
Use keytool to import the certificate into the local keystore and, if necessary, the local truststore.
| keytool -import -v -trustcacerts -alias keyAlias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit | 
If the keystore or private key password is not the default password, then substitute the new password for changeit in the above command.
Restart the Application Server.
Deleting a certificate using the keytool utility
To delete an existing certificate, use the keytool -delete command, for example:
| keytool -delete -alias keyAlias -keystore keystore-name -storepass password |
For a complete list of possible options for the -delete command, refer to the keytool documentation at http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.