A Keytool Command Summary

The keytool commands are commonly used for creating and using JKS and PKCS12 keystores with Oracle WebLogic Server.

In Table A-1, an option surrounded by brackets ([]) indicates that if you omit the option from the command, you are subsequently prompted to enter that option's value. For example, if you follow Oracle's strong recommendation to omit command options for specifying passwords, you are prompted for those passwords after you enter the command, as in the following example. (User input is shown in bold.)

C:\DOMAIN_NAME>keytool -genkeypair -keystore MyKeyStore
Enter keystore password:
Re-enter new password:

Unlike passwords that are specified in command-line options, a password entered in response to a prompt is not echoed in the command window and is not captured in logs. This practice helps keep your passwords secure.

Table A-1 Commonly Used keytool Commands

Command Description
keytool -genkeypair -keystore keystorename
-storepass keystorepassword -storetype keystoretype

Generates a key pair (a public key and associated private key) and self-signed digital certificate in a keystore. If the keystore does not exist, it is created.

keytool -importcert -alias aliasforprivatekey 
-file privatekeyfilename.pem 
-keyfilepass privatekeypassword 
-keystore keystorename -storepass keystorepassword -storetype keystoretype

Updates the self-signed digital certificate with one signed by a trusted CA.

keytool -importcert -alias rootCA 
-trustcacerts -file RootCA.pem 
-keystore trust.jks -storepass keystorepassword -storetype keystoretype

keytool -importcert -alias intermediate 
-trustcacerts -file Intermediate.pem 
-keystore keystorename -storepass keystorepassword -storetype keystoretype

Creates a custom keystore to be used for holding an intermediate CA certificate.

  • The first keytool command creates the keystore, trust.jks, which holds the root CA certificate.

  • The second keytool command imports the intermediate CA certificate into trust.jks.

This enables WebLogic Server's SSL implementation to transmit the intermediate certificate with the server's public certificate to the client during the SSL handshake.

keytool -importcert -alias aliasfortrustedca 
-trustcacerts -file trustedcafilename.pem 
-keystore keystorename -storepass keystorepassword -storetype keystoretype

Loads a trusted CA certificate into a keystore. If the keystore does not exist, it is created.

keytool -certreq -alias alias 
-sigalg sigalg 
-file certreq_file 
-keyfilepass privatekeypassword 
-storetype keystoretype 
-keystore keystorename 
-storepass keystorepassword 

Generates a Certificate Signing Request (CSR), using the PKCS#10 format, and a self-signed certificate with a private key.

Stores the CSR in the specified certreq_file, and the certificate/private key pair as a key entry in the specified keystore under the specified alias.

keytool -list -keystore keystorename 

Displays the contents of the keystore.

keytool -delete -keystore keystorename
-storepass keystorepassword
-alias privatekeyalias

Deletes the entry identified by the specified alias from the keystore.

keytool -help

Provides online help for keytool.