Overview of keytool commands

Below you can find some examples of useful keytool commands, where the value “changeit” always refers to a password and further values refer to filenames (e.g. of type “.jks”) or certificate files (e.g. of type “.cer”) that must be replaced correspondingly.

List certificate from a valid keystore

$> keytool -list -v -storepass changeit -keystore keystore.jks

Print certificate information

$> keytool -printcert -file server_abcd235.cer

Import certificate into a keystore

$> keytool -import -alias abcd235 -keystore keystore.jks -storepass changeit -file server_abcd235.cer

Export certificate out of the keystore

$> keytool -export -alias abcd235 -storepass changeit -keystore keystore.jks -file server_abcd235.cer

Delete certificate from a keystore

$> keytool -delete -storepass changeit -keystore keystore.jks -alias abcd235

Generate self-signed server certificate inclusive of private key

Via the parameter “-dname” your own certificate attributes (CN, OU, O, L, ST, and C) are set:

$> keytool -genkey -noprompt -trustcacerts -keyalg RSA -alias abcd235 -dname "CN=ima, OU=ImageMaster, O=T-Systems International GmbH, L=Leinfelden-Echterdingen, ST=Baden-Wuerttemberg, C=DE" -keypass changeit -storepass changeit -keystore keystore.jks

Import certificate for client authentication into the cacerts.jks keystore

keytool –importcert -alias new_client –file new-client.der –trustcacerts -keystore cacerts.jks

Insert server certificate into trusted keystore of the client

Parameter values like <ALIAS>, <PATH>, <PASSWORD> and the filenames must be adjusted:

$> keytool -import -v -trustcacerts -alias <ALIAS> -file <FILENAME.cer> -keystore <PATH>/<cacerts.jks> -keypass <PASSWORD>

A default Java location is used in the example below, which requires that $JAVA_HOME is set:

$> keytool -import -v -trustcacerts -alias <ALIAS> -file <FILENAME.cer> -keystore $JAVA_HOME/jre/lib/security/cacerts -keypass <PASSWORD>

For related details see the online documentation [Java keytool].