3.3.2 About the keytool Command

Java applications store private keys, X.509 certificate chains, and trusted certificates in keystores. The JDK ships with a keystore of trusted CA certificates; on Oracle Linux this default keystore is the file /etc/pki/java/cacerts. Application key pairs are normally kept in a separate keystore that you create. You can use the keytool command to generate self-signed certificates and to install and manage certificates in a keystore. Note that the keytool command syntax changed in Java SE 6. The examples given here are for that version of keytool and later.

The following are some sample keytool commands.

List the contents of the keystore /etc/pki/java/cacerts. The default keystore password is changeit. If specified, the verbose option -v displays detailed information.

# keytool -list [-v] -keystore /etc/pki/java/cacerts

Change the password for a keystore (for example, /etc/pki/java/cacerts).

# keytool -storepasswd -keystore /etc/pki/java/cacerts

Create a new keystore keystore.jks for managing your public/private key pairs and certificates from entities that you trust, generate a public/private key pair using the RSA algorithm and a key length of 1024 bits, and create a self-signed certificate that includes the public key and the specified distinguished name information. pkpassword is the private key password and storepassword is the keystore password. The certificate is valid for 100 days and is associated with the private key in a keystore entry that has the alias engineering. A 1024-bit RSA key is no longer considered adequate; use -keysize 2048 or larger for anything other than a test. If you omit -keypass and -storepass, keytool prompts for the passwords instead of recording them in your shell history and the process list. On Java 9 and later, a new keystore is created in PKCS12 format regardless of the file name unless you pass -storetype JKS.

# keytool -genkeypair -keyalg RSA -keysize 1024 \
  -dname "CN=www.unserdom.com, OU=Eng, O=Unser Dom Corp, C=US, ST=Ca, L=Sunnydale" \
  -alias engineering -keypass pkpassword -keystore keystore.jks \
  -storepass storepassword -validity 100

Print the contents of a certificate file in a human-readable form. If specified, the verbose option -v displays detailed information.

# keytool -printcert [-v] -file cert.cer

Generate a CSR in the file carequest.csr for the key pair stored under the alias engineering in keystore.jks, for submission to a CA. The CA signs and returns a certificate or a certificate chain that authenticates your public key. If you omit -alias and -keystore, keytool uses the alias mykey and the keystore .keystore in your home directory, which is usually not what you want.

# keytool -certreq -alias engineering -file carequest.csr \
  -keystore keystore.jks -storepass storepassword

Import the root certificate or certificate chain for the CA from the file ACME.cer into the keystore keystore.jks and give it the alias acmeca. Before adding a certificate as trusted, keytool tries to build a chain of trust from it to a self-signed certificate that is already in keystore.jks; if you specify -trustcacerts, the trusted certificates in the cacerts keystore are also considered. If no chain can be built, which is always the case for a new root CA certificate, keytool prints the certificate and asks you to confirm that you trust it. Do not confirm on the strength of the subject name alone: use keytool -printcert -file ACME.cer to display the certificate's fingerprint and check that it matches the fingerprint that the CA publishes through an independent channel.

# keytool -importcert -alias acmeca [-trustcacerts] -file ACME.cer \
  -keystore keystore.jks -storepass storepassword
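The fingerprint check described above is easy to do by hand for one certificate, but it is worth being able to compute the fingerprint independently of keytool and to compare it against a published value whatever formatting the CA uses. The following Python script is an added example, not part of this documentation or of keytool: it reads a certificate file in either DER (keytool's default export format) or PEM (what -rfc produces), hashes the DER bytes the way keytool -printcert does, and compares the result with a published SHA-256 or SHA-1 fingerprint. The sample "certificate" embedded in the block is constructed for the demonstration (a PEM wrapper around three arbitrary bytes) and is not a real certificate.

```python
"""Independently verify the fingerprint of a CA certificate file (DER or PEM)
against the value a CA publishes, before importing it with keytool -importcert.

Added example, not part of the Oracle Linux documentation or of keytool itself.
The certificate bytes and the "published" fingerprints used below are constructed
for the demonstration.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def load_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in data.

    keytool fingerprints are computed over the DER encoding, so a PEM file
    (what keytool -exportcert -rfc writes) must be base64-decoded first; a
    DER file (keytool's default export format) is hashed as-is.
    """
    m = PEM_BLOCK.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    return data


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex digest in keytool's colon-separated, upper-case layout."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so "aa:bb", "AA BB" and "aabb" compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def fingerprints_match(published: str, der: bytes) -> bool:
    """True if published is the SHA-256 or SHA-1 fingerprint of der.

    The algorithm is inferred from the length of the published value
    (64 hex digits = SHA-256, 40 = SHA-1); anything else is rejected rather
    than guessed, so a truncated or MD5 value cannot pass by accident.
    """
    p = normalize(published)
    if len(p) == 64:
        return normalize(fingerprint(der, "sha256")) == p
    if len(p) == 40:
        return normalize(fingerprint(der, "sha1")) == p
    return False


# Constructed sample: a PEM wrapper around the three bytes b"abc" (base64 "YWJj").
# This is not a real certificate; it only stands in for the file the CA sent you.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_DER = load_der(SAMPLE_PEM)


if __name__ == "__main__":
    import sys

    # Usage: python verify_fp.py ACME.cer "<fingerprint from the CA's web page>"
    # With no arguments the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    der = load_der(open(path, "rb").read()) if path else SAMPLE_DER
    print("SHA256:", fingerprint(der, "sha256"))
    print("SHA1:  ", fingerprint(der, "sha1"))
    if len(sys.argv) > 2:
        ok = fingerprints_match(sys.argv[2], der)
        print("match" if ok else "MISMATCH: do not import this certificate")
        sys.exit(0 if ok else 1)
```

Run it against the real ACME.cer and the fingerprint from the CA's site, then compare the printed SHA256 line with what keytool -printcert -file ACME.cer shows; all three should agree before you answer yes to the -importcert prompt. Older keytool releases print only MD5 and SHA1 fingerprints, so compare SHA1 there and treat MD5 as informational only.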

Import the signed certificate (the CA reply) for your organization after you have received it from the CA. In this example, the file containing the certificate is ACMEdom.cer. The -alias option must name the key-pair entry whose CSR you submitted (engineering in the example above), not the alias of the CA certificate: when the alias refers to a key entry, keytool treats the file as a certificate reply, verifies that it chains to a trusted certificate in the keystore (or in cacerts when -trustcacerts is given), and replaces the entry's self-signed certificate with the chain consisting of the signed certificate followed by the CA certificates. Because keytool reads the private key to check that the reply matches it, supply -keypass (or answer the prompt) if the key password differs from the keystore password.

# keytool -importcert -v -trustcacerts -alias engineering -file ACMEdom.cer \
  -keypass pkpassword -keystore keystore.jks -storepass storepassword

Delete the certificate with the alias aliasname from the keystore keystore.jks.

# keytool -delete -alias aliasname -keystore keystore.jks -storepass storepassword

Export the certificate with the alias aliasname as a binary (DER-encoded) X.509 certificate file. For a key entry with a certificate chain, keytool -exportcert writes only the first certificate in the chain, the one that authenticates the public key of the aliased entity; it does not write a PKCS#7 bundle containing the supporting CA certificates.

# keytool -exportcert -alias aliasname -file output.cer \
  -keystore keystore.jks -storepass storepassword

Export the certificate with the alias aliasname as a base 64 encoded text file (also referred to as PEM or RFC 1421). As with the binary export, for a certificate chain the file includes only the first certificate in the chain, which authenticates the public key of the aliased entity.

# keytool -exportcert -rfc -alias aliasname -file output.pem \
  -keystore keystore.jks -storepass storepassword

For more information, see the keytool(1) manual page.