Introduction
Java has a tool named keytool that lets you do common tasks like:
- Generate RSA keys and self-signed SSL certificates
- Import and export certificates
- Print certificate information
- Generate and sign certificate signing requests
It also stores everything in a single keystore file protected by a master (store) password, in addition to a specific password for each key it stores. You can think of it kind of like a little password-protected SQLite database with your keys and certs (though there is no SQL involved).
Install
keytool comes with Java and is in the bin/ directory of the Java installation.
If you need some tips on installing Java and dealing with multiple versions in Windows, check out my tutorial Install multiple JDK in Windows for Java Development.
Verify it is installed by checking the help output:
keytool -help
The output should look like this:
Key and Certificate Management Tool
Commands:
-certreq Generates a certificate request
-changealias Changes an entry's alias
-delete Deletes an entry
-exportcert Exports certificate
-genkeypair Generates a key pair
-genseckey Generates a secret key
-gencert Generates certificate from a certificate request
-importcert Imports a certificate or a certificate chain
-importpass Imports a password
-importkeystore Imports one or all entries from another keystore
-keypasswd Changes the key password of an entry
-list Lists entries in a keystore
-printcert Prints the content of a certificate
-printcertreq Prints the content of a certificate request
-printcrl Prints the content of a CRL file
-storepasswd Changes the store password of a keystore
Use "keytool -command_name -help" for usage of command_name
Get command help
To see all the options available for each command, run the command with the -help option. Here are some examples:
keytool -list -help
keytool -genkeypair -help
keytool -importkeystore -help
Default keystore file
When using the keytool command-line utility, it will operate on a keystore file. The default file it uses is named .keystore in your home directory:
$HOME/.keystore
Specify keystore file to use
If you don't want to use the default keystore file, tell keytool which keystore file to use. In many cases the option is -keystore, but for commands that work with two keystores (such as -importkeystore) it is -destkeystore or -srckeystore. Refer to the command help for the specific options.
Here is an example of listing all the keys in a specific keystore file:
keytool -keystore mykeys.keystore -list
Keep this in mind, as you will generally want to be specific about which keystore file you are using. For the rest of the examples in this guide, the -keystore option will be omitted.
List keystore entries
To list all keys being stored in a keystore, use the -list option.
keytool -list
keytool -list -keystore mykeys.keystore
Generating
There are a few keytool commands that can generate various things:
-genkeypair Generates a key pair
-genseckey Generates a secret key
-gencert Generates certificate from a certificate request
-certreq Generates a certificate request
You can generate certificate signing requests and sign those requests with keytool using some of the commands above.
In this guide we'll only show an example of generating the keypair/certificate.
Generate self-signed certificates
This will use the default keystore of $HOME/.keystore and the default key alias of mykey.
keytool -genkeypair
If you want more control over the details, you can run it with more options like this:
keytool -genkeypair -v -keystore my-release-keys.keystore -alias MyApp -keyalg RSA -keysize 2048 -validity 10000
Delete a key
You can delete a key by its alias like this:
keytool -delete -alias mykey
Export a certificate
This command will export the certificate with the alias mykey to the output file mycert.pem.
keytool -exportcert -alias mykey -file mycert.pem
By default the certificate is written in binary DER form. If you want a Base64-encoded X509 PEM instead, add the -rfc option.
keytool -exportcert -alias mykey -file mycert.pem -rfc
Print certificate information
If you have a certificate file, you can print information about it, like:
- The certificate contents
- The certificate signing request
- The certificate revocation list
Keytool also supports printing certificate information from a remote SSL server.
# Print info from a local cert file
keytool -printcert -file mycert.pem
# Print certificate information from a remote SSL server
keytool -printcert -sslserver devdungeon.com:443
If you have a certificate signing request, or a certificate revocation list you want to print information about, you can use the other options:
-printcertreq
-printcrl
Importing
There are a few options related to importing. We will look at a couple of these options.
-importcert Imports a certificate or a certificate chain
-importpass Imports a password
-importkeystore Imports one or all entries from another keystore
Import a certificate
To import a certificate like an X509 PEM, you can use -importcert. Take these examples, which import a certificate first under the default alias and then under an alias you choose:
# Import cert as default alias of `mykey`
keytool -importcert -file mycert.pem
# Specify the alias to use
keytool -importcert -file mycert.pem -alias myotherkey
Note that when you import a certificate, it may not come with a key: importing a standalone certificate adds a trusted certificate entry to the keystore, not a private key.
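The two points made so far about the keystore itself, the store password plus a per-key password from the introduction and the fact that an imported certificate carries no private key, are easiest to see from a Java program that opens a keytool-created keystore. This is an added example, not code from the original post or from the JDK; the class name KeystoreInspector and the file/password command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical helper, not part of keytool: opens a keystore written by keytool and reports
// what each entry really contains. Run as: java KeystoreInspector <file> <storepass> <keypass>
public class KeystoreInspector {
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args[2].toCharArray();
        // Default type is "pkcs12" on current JDKs, matching what keytool writes by default;
        // use KeyStore.getInstance("JKS") for an old-format .keystore file.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            // The store password also protects the file's integrity: a wrong password fails
            // here with an IOException instead of silently loading tampered contents.
            ks.load(in, storePass);
        }
        for (String alias : java.util.Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // Created by -genkeypair (or -genseckey): key material unlocked with the
                // per-entry key password, the one -keypasswd changes.
                Key key = ks.getKey(alias, keyPass);
                Certificate[] chain = ks.getCertificateChain(alias); // null for a -genseckey entry
                System.out.printf("%s: %s key, chain length %d%n", alias, key.getAlgorithm(), chain == null ? 0 : chain.length);
                if (chain != null) describe(chain[0]);
            } else if (ks.isCertificateEntry(alias)) {
                // Created by -importcert of a standalone certificate: there is no private key.
                System.out.printf("%s: trusted certificate only (no private key)%n", alias);
                describe(ks.getCertificate(alias));
            }
        }
    }

    // Prints subject and validity period and warns when the certificate is not currently valid.
    static void describe(Certificate cert) {
        if (!(cert instanceof X509Certificate)) return;
        X509Certificate x = (X509Certificate) cert;
        System.out.printf("  subject=%s, valid %s to %s%n", x.getSubjectX500Principal(), x.getNotBefore(), x.getNotAfter());
        try {
            x.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        } catch (GeneralSecurityException ex) {
            System.out.println("  WARNING: " + ex.getMessage());
        }
    }
}
```

Run it against the keystore from the -genkeypair example and then against one that only received -importcert to see the two entry types side by side.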
Import a keystore
You can import an entire keystore into another keystore with -importkeystore. Take this example that imports all contents from older.keystore to newer.keystore.
keytool -importkeystore -srckeystore older.keystore -destkeystore newer.keystore
Change password of keystore and keys
-storepasswd
-keypasswd
These commands will change the keystore password and the specific key password.
# Change the keystore password.
# It will prompt for the current and new passwords unless they are provided as args
keytool -storepasswd
# Change key password
# Will prompt for all passwords unless provided as CLI args
keytool -keypasswd -alias mykey
Conclusion
After reading this guide, you should know how to use Java's keytool to do all kinds of common tasks with certificates like:
- Generate RSA keys and self-signed SSL certificates
- Import and export certificates
- Print certificate information
- Generate and sign certificate signing requests