The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Most Java applications use the keystore that is supplied with the JDK to store cryptographic keys, X.509 certificate chain information, and trusted certificates. The default JDK keystore on Oracle Linux is the file /etc/pki/java/cacerts. You can use the keytool command to generate self-signed certificates and to install and manage certificates in the keystore. Note that the keytool command syntax changed in Java SE 6. The examples given here are for that version of keytool.
The following are some sample keytool commands.
List the contents of the keystore /etc/pki/java/cacerts. The default keystore password is changeit. If specified, the verbose option -v displays detailed information.
# keytool -list [-v] -keystore /etc/pki/java/cacerts
Change the password for a keystore (for example, /etc/pki/java/cacerts).
# keytool -storepasswd -keystore /etc/pki/java/cacerts
Create a new keystore keystore.jks for managing your public/private key pairs and certificates from entities that you trust, generate a public/private key pair using the RSA algorithm and a key length of 1024 bits, and create a self-signed certificate that includes the public key and the specified distinguished name information. pkpassword is the private key password and storepassword is the keystore password. The certificate is valid for 100 days and is associated with the private key in a keystore entry that has the alias engineering.
# keytool -genkeypair -keyalg RSA -keysize 1024 \
  -dname "CN=www.unserdom.com, OU=Eng, O=Unser Dom Corp, C=US, ST=Ca, L=Sunnydale" \
  -alias engineering -keypass pkpassword \
  -keystore keystore.jks -storepass storepassword \
  -validity 100
Print the contents of a certificate file in a human-readable form. If specified, the verbose option -v displays detailed information.
# keytool -printcert [-v] -file cert.cer
Generate a CSR in the file carequest.csr for submission to a CA. The CA signs and returns a certificate or a certificate chain that authenticates your public key.
# keytool -certreq -file carequest.csr
Import the root certificate or certificate chain for the CA from the file ACME.cer into the keystore keystore.jks and give it the alias acmeca. If specified, the -trustcacerts option instructs keytool to add the certificate only if it can validate the chain of trust against the existing root CA certificates in the cacerts keystore. Alternatively, use the keytool -printcert command to check that the certificate's fingerprint matches the fingerprint that the CA publishes.
# keytool -importcert -alias acmeca [-trustcacerts] -file ACME.cer \
  -keystore keystore.jks -storepass storepassword
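A shell check for the fingerprint comparison described above, added here as an example and not part of the Oracle documentation: it pulls the named fingerprint line out of keytool -printcert output and compares it, ignoring case and separators, with the value the CA publishes. The sample printcert output and the published fingerprint are constructed for this example, and the output layout assumed is the newer keytool format that prints a SHA256 line.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Verifies that the
# fingerprint shown by `keytool -printcert` matches the one the CA publishes
# before the certificate is imported with `keytool -importcert`.

# Constructed sample of `keytool -printcert -file ACME.cer` output. The
# fingerprint values are invented for this example (assumed newer keytool
# layout that prints a SHA256 line).
SAMPLE_PRINTCERT='Owner: CN=ACME Root CA, O=ACME Corp, C=US
Issuer: CN=ACME Root CA, O=ACME Corp, C=US
Serial number: 1a2b3c4d
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Thu Jan 01 00:00:00 UTC 2034
Certificate fingerprints:
   SHA1: 5F:3E:2D:1C:0B:9A:89:78:67:56:45:34:23:12:01:F0:E1:D2:C3:B4
   SHA256: 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'

# Fingerprint as the CA would publish it (constructed). Lower case and no
# separators, to show that formatting differences are tolerated.
PUBLISHED_SHA256='0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9'

# Strip colons and spaces and upper-case the hex so both sides compare equal.
normalise_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# extract_fp ALGO TEXT: print the first fingerprint line for ALGO (for a
# chain, keytool prints one block per certificate; the first is used here).
extract_fp() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# fingerprint_matches ALGO PRINTCERT_OUTPUT EXPECTED: exit 0 only when the
# fingerprint is present and equal to EXPECTED; a missing line is a mismatch.
fingerprint_matches() {
    actual=$(normalise_fp "$(extract_fp "$1" "$2")")
    expected=$(normalise_fp "$3")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

if fingerprint_matches SHA256 "$SAMPLE_PRINTCERT" "$PUBLISHED_SHA256"; then
    echo "fingerprint matches: ACME.cer may be imported with keytool -importcert"
else
    echo "fingerprint MISMATCH: do not import ACME.cer" >&2
fi
```

Against a real file, replace the sample with `"$(keytool -printcert -file ACME.cer)"` and the published value with the fingerprint from the CA's own site.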
Import the signed certificate for your organization after you have received it from the CA. In this example, the file containing the certificate is ACMEdom.cer. The -alias option specifies the entry for the first entity in the CA's root certificate chain. The signed certificate is added to the front of the chain and becomes the entity that is addressed by the alias name.
# keytool -importcert -v -trustcacerts -alias acmeca -file ACMEdom.cer \
  -keystore keystore.jks -storepass storepassword
Delete the certificate with the alias aliasname from the keystore keystore.jks.
# keytool -delete -alias aliasname -keystore keystore.jks -storepass storepassword
Export the certificate with the alias aliasname as a binary PKCS7 format file, which includes the supporting certificate chain as well as the issued certificate.
# keytool -exportcert -noprompt -alias aliasname \
  -file output.p7b -keystore keystore.jks -storepass storepassword
Export the certificate with the alias aliasname as a base 64 encoded text file (also referred to as PEM or RFC 1421). For a certificate chain, the file includes only the first certificate in the chain, which authenticates the public key of the aliased entity.
# keytool -exportcert -noprompt -rfc -alias aliasname \
  -file output.pem -keystore keystore.jks -storepass storepassword
For more information, see the keytool(1) manual page.