Java

Most Java applications use the keystore that's supplied with JDK to store cryptographic keys, X.509 certificate chain information, and trusted certificates. The default JDK keystore in Oracle Linux is the /etc/pki/java/cacerts file. You can use the keytool command to generate, install, and manage certificates in the Java keystore.

The following examples show how you might use the keytool command.

List the contents of the keystore, /etc/pki/java/cacerts:
```
sudo keytool -list [-v] -keystore /etc/pki/java/cacerts
```
The default keystore password is changeit. Change this password as soon as possible. If specified, the verbose option -v displays detailed information.
Change the password for a keystore, for example, /etc/pki/java/cacerts:
```
sudo keytool -storepasswd -keystore /etc/pki/java/cacerts
```
Create a keystore (keystore.jks).
When creating a keystore you can:
- Manage public and private key pairs and certificates from entities that you trust.
- Generate a public and private key pair by using the RSA algorithm and a key length of 3072 bits.
- Create a self-signed certificate that includes the public key and the specified distinguished name information.
```
sudo keytool -genkeypair -alias engineering -keyalg RSA -keysize 3072 \
-dname "CN=www.unserdom.com, OU=Eng, O=Unser Dom Corp, C=US, ST=Ca, L=Sunnydale" \
-keypass pkpassword -keystore keystore.jks \
-storepass storepassword -validity 100
```
In the command, pkpassword is the private key password and storepassword is the keystore password. In this example, the certificate is valid for 100 days and is associated with the private key in a keystore entry that has the alias engineering.
Display the contents of a certificate file in a human-readable form:
```
sudo keytool -printcert [-v] -file cert.cer
```
If specified, the verbose option -v displays detailed information.
Generate a CSR in the file carequest.csr for submission to a CA:
```
sudo keytool -certreq -file carequest.csr
```
The CA signs and returns a certificate or a certificate chain that authenticates the public key.
Import the root certificate or certificate chain for the CA from the ACME.cer file into the keystore.jks keystore and assign it the alias acmeca:
```
sudo keytool -importcert -alias acmeca [-trustcacerts] -file ACME.cer \
-keystore keystore.jks -storepass storepassword
```
If specified, the -trustcacerts option instructs keytool to add the certificate only if it can validate the chain of trust against the existing root CA certificates in the cacerts keystore. Or, you can use the keytool -printcert command to check that the certificate's fingerprint matches the fingerprint that the CA publishes.
Import the signed certificate for the organization after you have received it from the CA:
```
sudo keytool -importcert -v -trustcacerts -alias acmeca -file ACMEdom.cer \
-keystore keystore.jks -storepass storepassword
```
In this example, the file containing the certificate is ACMEdom.cer. The -alias option specifies the entry for the first entity in the CA's root certificate chain. The signed certificate is added to the front of the chain and becomes the entity that's addressed by the alias name.

Delete the certificate with the alias aliasname from the keystore.jks keystore:

sudo keytool -delete -alias aliasname -keystore keystore.jks -storepass storepassword

Export the certificate with the alias aliasname as a binary PKCS7 format file, which includes both the certificate chain and the issued certificate:
```
sudo keytool -exportcert -noprompt -alias aliasname -file output.p7b \
-keystore keystore.jks -storepass storepassword
```
Export the certificate with the alias aliasname as a base64 encoded text file (also referred to as PEM or RFC 1421).
```
sudo keytool -exportcert -noprompt -rfc -alias aliasname -file output.pem \
-keystore keystore.jks -storepass storepassword
```
For a certificate chain, the file includes only the first certificate in the chain, which authenticates the public key of the aliased entity.

For more information, see the keytool(1) manual page.