Overview of keytool commands
Below you can find some examples of useful keytool commands, where the value “changeit” always refers to a password and further values refer to filenames (e.g. of type “.jks”) or certificate files (e.g. of type “.cer”) that must be replaced correspondingly.
List certificate from a valid keystore
$> keytool -list -v -storepass changeit -keystore keystore.jks
Print certificate information
$> keytool -printcert -file server_abcd235.cer
Import certificate into a keystore
$> keytool -import -alias abcd235 -keystore keystore.jks -storepass changeit -file server_abcd235.cer
Export certificate out of the keystore
$> keytool -export -alias abcd235 -storepass changeit -keystore keystore.jks -file server_abcd235.cer
Delete certificate from a keystore
$> keytool -delete -storepass changeit -keystore keystore.jks -alias abcd235
Generate self-signed server certificate inclusive of private key
Via the parameter “-dname” your own certificate attributes (CN, OU, O, L, ST, and C) are set:
$> keytool -genkey -noprompt -trustcacerts -keyalg RSA -alias abcd235 -dname "CN=ima, OU=ImageMaster, O=T-Systems International GmbH, L=Leinfelden-Echterdingen, ST=Baden-Wuerttemberg, C=DE" -keypass changeit -storepass changeit -keystore keystore.jks
Import certificate for client authentication into the cacerts.jks keystore
keytool –importcert -alias new_client –file new-client.der –trustcacerts -keystore cacerts.jks
Insert server certificate into trusted keystore of the client
Parameter values like <ALIAS>, <PATH>, <PASSWORD> and the filenames must be adjusted:
$> keytool -import -v -trustcacerts -alias <ALIAS> -file <FILENAME.cer> -keystore <PATH>/<cacerts.jks> -keypass <PASSWORD>
A default Java location is used in the example below, which requires that $JAVA_HOME is set:
$> keytool -import -v -trustcacerts -alias <ALIAS> -file <FILENAME.cer> -keystore $JAVA_HOME/jre/lib/security/cacerts -keypass <PASSWORD>
For related details see the online documentation [Java keytool].