Keytool

The Java Keystore is a file that contains your security certificates and keys. It’s a convenient way to ship security information around with your application, but requires a little administration work to have one built.

The KeyStore java class natively works with this technology so that your security information can be easily used inside of your applications.

In today’s post, I’ll go through some basic usage of the keytool application. There are so many more features to this application that what I’ve listed below, so check out the man page for keytool as a reference.

Creating a keystore and client requests

Create a keystore with a new key pair

$ keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -storepass password

This creates a key store and puts a key pair in it (based on the subject details that you provided). You can verify that the key pair is in the store by listing it out:

$ keytool -list -keystore keystore.jks 

You should end up with output like the following

Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mydomain, 08/02/2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 0F:42:6D:F6:48:85:99:4C:B5:97:0B:25:10:BF:83:F9:D5:2A:80:77

The text PrivateKeyEntry tells us the particular entry contains a secret/private key.

keytool can also generate certificate signing requests from this created keystore now:

$ keytool -certreq -alias mydomain -keystore keystore.jks -storepass password -file mydomain.csr

The file mydomain.csr now contains the certificate request block.

In cases where you aren’t going to a certificate authority and you just want to generate a self-signed certificate, you can just do the following:

$ keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 365

This puts a self-signed certificate, valid for 1 year into the same store.

If you’ve imported a secret into your keystore that you’d like to change the password on, you can do the following:

Take note! This isn’t changing the keystore’s password. This is changing the private key’s password.

$ keytool -keypasswd -alias mydomain -keypass secret -new new_secret_password -keystore keystore.jks -storepass password

If you have a PKCS 12 (sometimes referred to as PFX), you can create a keystore with the key information using the following:

$ keytool -importkeystore -srckeystore keyfile.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Importing and exporting certificates

If you need to trust an intermediate or root certificate, you can import them like so:

$ keytool -import -trustcacerts -alias visa -file Visa_eCommerce_Root.crt -keystore keystore.jks -storepass password

Taking a look at how this entry looks in the keystore:

visa, 08/02/2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62

You see that this item doesn’t mention PrivateKeyEntry as there is no secret stored in this entry, it’s only the certificate (public key) so it lists as trustedCertEntry.

The visa certificate that I’d just imported can now be exported with the following command:

$ keytool -export -alias visa -file visa.crt -keystore keystore.jks -storepass password

Viewing certificate detail

You can view the details of any certificate that you have on your file system using keytool as well:

$ keytool -printcert -v -file visa.crt

The verbose output allows you to check all of the details in the certificate. You can perform this certificate printing process on any certificate inside of a keystore, as well. In this case though, you need to refer to the certificate by its alias:

$ keytool -list -v -keystore keystore.jks -storepass password -alias visa

You’ll end up with identical output.

Other utilities

Finally, you can remove certificates from a keystore. Again, you need to reference the certificate by its alias:

$ keytool -delete -alias visa -keystore keystore.jks -storepass password

You can change the password for a keystore as well:

$ keytool -storepasswd -new my_new_password -keystore keystore.jks -storepass password