JAVA keytool Cheat Sheet by TME520

The most common JAVA Keytool commands

trustStore, keyStore

Both are keystore files managed with the same keytool commands; the only difference between a trustStore and a keyStore is what you put in it:

- trustStore: certificates of the other parties you expect to communicate with, or of the Certificate Authorities you trust to identify those parties (public material only).
- keyStore: your own private keys, together with the certificates carrying the corresponding public keys.

How do you spot a root CA?

- Root certificates are self-signed.
- A self-signed certificate has the same issuer and subject (keytool -printcert shows them as "Issuer:" and "Owner:").
- The CA flag of the BasicConstraints extension is set to true (shown as "CA:true" by keytool -printcert -v).

Create, generate

Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Generate a keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

Import, export

Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
The path above is the Java 8 layout; from Java 9 on the system truststore lives at $JAVA_HOME/lib/security/cacerts. Its default password is "changeit", so anything imported here is trusted by every application running on that JDK.

Check, list

Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain
List Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts


Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
The password must be provided to all commands that access the keystore contents. For such commands, if a -storepass option is not given on the command line, the user is prompted for it. Note that -storepasswd changes only the store password; a private key protected by its own -keypass is changed separately with keytool -keypasswd.
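The following script, added here as an illustration and not taken from the cheat sheet, strings the commands above together end to end: it generates a key pair in keystore.jks, exports its self-signed certificate, imports that certificate into a separate truststore.jks, and then checks with keytool -list and keytool -printcert that each store holds the kind of entry it should and that the certificate really is self-signed (same Owner and Issuer). The scratch directory, the alias mydomain, the subject "CN=mydomain.example, O=Example" and the password are all assumed values chosen for the demo. It uses -genkeypair, -exportcert and -importcert, the current names of -genkey, -export and -import; both spellings work with any recent keytool.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): keystore + truststore
# round trip with keytool, plus the two checks the "root CA" section describes.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory (assumed location)
STOREPASS="${STOREPASS:-changeit}"   # demo password; real deployments use a secret

# Generate an RSA key pair for alias "mydomain"; keytool wraps the public key in a
# self-signed certificate, so -genkeypair always yields a PrivateKeyEntry.
make_keystore() {
  keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 \
    -dname "CN=mydomain.example, O=Example" -validity 360 \
    -keystore "$WORKDIR/keystore.jks" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    >/dev/null 2>&1
}

# Export the certificate (PEM, via -rfc) and import it into a truststore that
# holds no private key at all, which is what a client would ship.
make_truststore() {
  keytool -exportcert -alias mydomain -keystore "$WORKDIR/keystore.jks" \
    -storepass "$STOREPASS" -rfc -file "$WORKDIR/mydomain.crt" >/dev/null 2>&1
  keytool -importcert -trustcacerts -noprompt -alias mydomain \
    -file "$WORKDIR/mydomain.crt" -keystore "$WORKDIR/truststore.jks" \
    -storepass "$STOREPASS" >/dev/null 2>&1
}

# Print the entry type keytool -list reports for an alias:
# "PrivateKeyEntry" (keyStore) or "trustedCertEntry" (trustStore).
entry_type() {  # $1 = keystore path, $2 = alias
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
    | grep -E -o 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Succeed only when the certificate's Owner (subject) equals its Issuer.
is_self_signed() {  # $1 = certificate file
  out=$(keytool -printcert -file "$1" 2>/dev/null)
  owner=$(printf '%s\n' "$out" | sed -n 's/^Owner: //p' | head -n 1)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^Issuer: //p' | head -n 1)
  [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# Succeed only when BasicConstraints marks the certificate as a CA.
has_ca_flag() {  # $1 = certificate file
  keytool -printcert -v -file "$1" 2>/dev/null | grep -q 'CA:true'
}

# Run the whole flow when invoked as:  sh keytool_demo.sh demo
if [ "${1:-}" = "demo" ]; then
  make_keystore && make_truststore
  printf 'keystore entry:   %s\n' "$(entry_type "$WORKDIR/keystore.jks" mydomain)"
  printf 'truststore entry: %s\n' "$(entry_type "$WORKDIR/truststore.jks" mydomain)"
  is_self_signed "$WORKDIR/mydomain.crt" && echo "mydomain.crt is self-signed"
  has_ca_flag "$WORKDIR/mydomain.crt" || echo "mydomain.crt carries no CA:true flag"
fi
```

Being self-signed is necessary but not sufficient for a root CA: a plain -genkeypair certificate like the one above passes is_self_signed but has no BasicConstraints extension, so has_ca_flag fails. That is exactly the pair of checks to run before dropping a certificate into cacerts.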

