Keytool is a command-line utility that lets you manage/store cryptographic keys and certificates.
If your system has Java installed, you can use the keytool command to import a CA certificate, list certificates, create self-signed certificates, store passphrases and public/private keys, and do many more things.
Confused? Fret not; I will explain it in simpler terms as you read.
Note that I use Linux to test the commands and explain to you a bit more about it with examples.
You can use Keytool commands on Windows and macOS as well.
What is a Keytool Command?
It is a key and certificate management utility. It allows you to store private/public key pairs, which are usually to verify/authenticate access to services.
Considering the title of this article, one can assume that the command is used mainly by system administrators and developers.
For the most part, yes, but a user can get creative with the keytool command to store passphrases and secret keys for authentication, encryption, and decryption purposes. So, if you are curious, you should try it out on your system.
If you are new to the concept of cryptographic keys, you might want to check out our article on data encryption before you try keytool commands.
Furthermore, checking out the OpenSSL command examples can also give you some idea of how it is different and what you can do with any of them.
Create a Self-Signed Certificate
keytool -genkeypair -alias -keypass -validity -storepass Unlike an SSL certificate that you purchase, a self-signed certificate is only used for development/testing purposes to use a secure connection.
You can generate one using the keytool command syntax mentioned above. For example, here’s what it looks like:
keytool -genkeypair -alias geekflare -keypass passforkeystore -validity 365 -storepass passforkeystoreYou can use any name for the alias; I use geekflare as a placeholder text. You can customize the validity and specify a password for the Keystore replacing “passforkeystore” in the command above.
Note that only one password is supported for PKCS12 KeyStores. However, it is a convenient Keystore type that is not Java-specific.
If you need two different passwords for your Keystore and the certificate, you might want to explicitly tell the keytool command to use another interface.
You can read more about it in its official documentation.
Once you proceed with the creation, it will ask for additional details for authenticity. Here’s what it should look like:
What is your first and last name?
[Unknown]: Ankush
What is the name of your organizational unit?
[Unknown]: Geekflare
What is the name of your organization?
[Unknown]: Geekflare
What is the name of your City or Locality?
[Unknown]: Bhubaneswar
What is the name of your State or Province?
[Unknown]: Odisha
What is the two-letter country code for this unit?
[Unknown]: 91
Is CN=Ankush, OU=Geekflare, O=Geekflare, L=Bhubaneswar, ST=Odisha, C=91 correct?
[no]: yesCreate a Java Keystore and Key Pair
keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore.jks -alias geekflarejava -validity 3650Generate a Java Keystore and Import a certificate
Ensure you have a valid certificate or have generated one earlier; once done, you can import it and generate a Java Keystore.
keytool -importcert -file test.crt -keystore truststore.jks -alias geekflareGenerate a Key Pair to the Default Keystore With Subject
You can quickly generate a keypair (say with the name “ca”) using the following command:
keytool -alias ca -dname CN=CA -genkeypairCreate a Chain of Signed Certificates
Suppose you have created key pairs of ca, and ca1. You can create a chain of signed certificates where ca will sign ca1 with the following commands:
keytool -alias ca1 -certreqkeytool -alias ca -gencert -ext san=dns:ca1keytool -alias ca1 -importcertYou can complete the chain with two more key pairs ca1 and ca2, where ca1 will sign ca2.
Importing a Certificate
If you want to import a certificate from an available file, here’s what you can do:
keystool -import -alias geekflare -file geekflareserver.cerCreate a Certificate Signing Request (CSR) for the existing Keystore
Considering you already created a Keystore, you can generate a CSR.
keytool -certreq -keyalg rsa -keystore keystore.jks -alias server -file geekflare.csrList Certificates Stored in Java Keystore
A keystore can have multiple entries of certificates. Assuming we are checking the list of certificates in “keystore.jks” database, here’s what we need to type in:
keytool -v -list -keystore keystore.jksThe output for this will look like this:
keytool -v -list -keystore keystore.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: geekflarecert
Creation date: 16-Nov-2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Ankush, OU=Geek, O=Geekflare, L=Bhubaneswar, ST=od, C=91
Issuer: CN=Ankush, OU=Geek, O=Geekflare, L=Bhubaneswar, ST=od, C=91
Serial number: a0b9a99
Valid from: Wed Nov 16 09:42:37 IST 2022 until: Sat Nov 13 09:42:37 IST 2032
Certificate fingerprints:
SHA1: 23:7C:65:A7:A6:84:18:F8:45:04:92:DF:D4:BB:0F:91:6D:A5:C5:BE
SHA256: C0:25:ED:B8:CF:1A:E6:E1:C5:75:A8:10:8F:CD:BE:42:26:96:9C:9A:FA:74:65:07:71:06:9A:2C:F5:80:FE:7F
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3Check the Contents of a Single Certificate
Considering you already have a generated certificate, you can check more about it using the following:
keytool -v -printcert -file server.crtView Certificates in a Java Keystore
You can list all the certificates from a Keystore database. Here’s what the command looks like:
keytool -v -list -keystore keystore.jksView Keystore Using an Alias and Keystore
If you want to check a Keystore using its alias name that you set when creating it, type in the following:
keytool -v -list -keystore keystore.jks -alias geekflareserverList Certificates in KeyStore
If you want to check the certificates stored in the default Keystore, use the command:
keytool -list -storepass passforkeystoreYou need to replace “passforkeystore” with the password you have set.
View Certificate Information
If you need to check the details for a single certificate, you can use its alias without specifying the keystone database.
Here’s how it looks:
keytool -list -v -alias geekflare -storepass passforkeystoreView Certificate in PEM Format
PEM is one of the most common formats for certificates and cryptographic keys. If you want to check a certificate with PEM, type in the following:
keytool -v -printcert -file geekflare.crt -rfcChange a Java Keystore Password
If you have already created a password for the Java Keystore, you can change the password using the command:
keytool -delete -alias geekflare -keystore keystore.jksDelete a Certificate from Java Keystore
You can specify the Java Keystore and its alias to delete it. For instance:
keytool -delete -alias geekflare -keystore keystore.jksExplore The Command and Get Help
The command has several arguments and extensions to get many things done. Depending on your use case, you may or may not need to use all of them.
So, if you want to dive in deep for the command options, you can always type in:
keytool -helpIn either case, if you are using a Linux terminal, I would recommend reading the man (manual) page with this command:
man keytoolWith the man command, you can get all the details you need about the keytool command.
So, keep it your superpower to learn all you can about it!
Wrapping Up
The path of files and other customization options might be a little different from the platform you use. You can refer to Oracle’s documentation for the standardized options as well.
Keytool is an excellent tool for a range of tasks. Test it out and see what you can do with it!
You can also explore some Linux commands to maintain and keep the systems running optimally.
