If your system has Java installed, you can use the keytool command to import a CA certificate, list certificates, create self-signed certificates, store passphrases and public/private keys, and do many more things. Confused? Fret not; I will explain it in simpler terms as you read. Note that I use Linux to test the commands and to explain a bit more about them with examples. You can use keytool commands on Windows and macOS as well.
What is a Keytool Command?
It is a key and certificate management utility. It allows you to store private/public key pairs, which are usually used to verify/authenticate access to services. Considering the title of this article, one can assume that the command is used mainly by system administrators and developers. For the most part, yes, but a user can get creative with the keytool command to store passphrases and secret keys for authentication, encryption, and decryption purposes. So, if you are curious, you should try it out on your system. If you are new to the concept of cryptographic keys, you might want to check out our article on data encryption before you try keytool commands. Furthermore, checking out the OpenSSL command examples can also give you some idea of how the two differ and what you can do with either of them.
Create a Self-Signed Certificate
Unlike an SSL certificate that you purchase, a self-signed certificate is only used for development/testing purposes to set up a secure connection. You can generate one using the keytool command syntax mentioned above. For example, here’s what it looks like: You can use any name for the alias; I use geekflare as placeholder text. You can customize the validity and specify a password for the Keystore by replacing “passforkeystore” in the command above. If you need two different passwords for your Keystore and the certificate, you might want to explicitly tell the keytool command to use another interface. You can read more about it in its official documentation. Once you proceed with the creation, it will ask for additional details for authenticity. Here’s what it should look like:
Create a Java Keystore and Key Pair
Generate a Java Keystore and Import a certificate
Ensure you have a valid certificate or have generated one earlier; once done, you can import it and generate a Java Keystore.
Generate a Key Pair to the Default Keystore With Subject
You can quickly generate a keypair (say with the name “ca”) using the following command:
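The self-signed certificate and key-pair-with-subject steps above, as an added example that is not part of the original article: the subject is passed with -dname so keytool asks no questions, and the store password is read from the environment with -storepass:env rather than typed on the command line (where it would land in shell history and be visible in ps). It assumes a JDK 8 or later keytool on PATH and the password exported in KS_PASS; the alias, hostname and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): generate a self-signed key pair non-interactively.
# -dname supplies the subject so keytool asks no questions, and the password comes from
# the environment (-storepass:env) instead of the command line, where it would end up
# in shell history and be visible to other users via ps.
# Assumptions: JDK 8+ keytool on PATH; the store password is exported in KS_PASS.

# make_self_signed <keystore.p12> <alias> <hostname> <validity-days>
make_self_signed() {
    ks=$1; alias=$2; host=$3; days=$4
    [ -n "$KS_PASS" ] || { echo "KS_PASS must be set" >&2; return 2; }
    export KS_PASS
    # SAN is what TLS clients match against; a CN alone is rejected by modern browsers.
    keytool -genkeypair \
        -alias "$alias" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity "$days" \
        -dname "CN=$host, OU=Dev, O=Example, C=US" \
        -ext "SAN=dns:$host,ip:127.0.0.1" \
        -keystore "$ks" -storetype PKCS12 \
        -storepass:env KS_PASS >/dev/null
}

# cert_sha256 <keystore.p12> <alias>: SHA-256 fingerprint of the entry's certificate
cert_sha256() {
    export KS_PASS
    keytool -list -v -keystore "$1" -storepass:env KS_PASS -alias "$2" \
        | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Usage: KS_PASS=... sh selfsigned.sh server.p12 server localhost 365
if [ "$#" -eq 4 ]; then
    make_self_signed "$@" && echo "SHA-256: $(cert_sha256 "$1" "$2")"
fi
```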
Create a Chain of Signed Certificates
Suppose you have created the key pairs ca and ca1. You can create a chain of signed certificates in which ca signs ca1 with the following commands: You can complete the chain with further key pairs, such as ca1 and ca2, where ca1 will sign ca2.
Importing a Certificate
If you want to import a certificate from an available file, here’s what you can do:
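Importing a certificate from a file, as described in this section and in the "Generate a Java Keystore and Import a certificate" section, as an added example that is not part of the original article: the CA certificate is imported only after its SHA-256 fingerprint matches a value obtained out of band, since a plain -importcert -noprompt trusts whatever the file happens to contain. It assumes a JDK 8 or later keytool on PATH and the trust store password exported in KS_PASS; file names and aliases are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): import a CA certificate into a trust store only
# after its SHA-256 fingerprint matches a value obtained out of band. A plain
# "-importcert -noprompt" trusts whatever happens to be in the file.
# Assumptions: JDK 8+ keytool on PATH; the trust store password is exported in KS_PASS.

# cert_file_sha256 <cert.pem|cert.der>: fingerprint exactly as keytool prints it (AB:CD:...)
cert_file_sha256() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# import_trusted_ca <truststore> <alias> <cert-file> <expected-sha256>
# Imports nothing and returns 1 if the fingerprint differs or cannot be read.
import_trusted_ca() {
    ks=$1; alias=$2; file=$3
    expected=$(printf '%s' "$4" | tr 'a-f' 'A-F')   # keytool prints upper-case hex
    actual=$(cert_file_sha256 "$file")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to import $file: got ${actual:-<unreadable>}, expected $expected" >&2
        return 1
    fi
    export KS_PASS
    # -noprompt is acceptable here: the fingerprint check replaces the interactive
    # "Trust this certificate?" question with an out-of-band value.
    keytool -importcert -noprompt -alias "$alias" -file "$file" \
        -keystore "$ks" -storetype PKCS12 -storepass:env KS_PASS >/dev/null
}

# has_alias <truststore> <alias>: succeeds only if the entry exists
has_alias() {
    export KS_PASS
    keytool -list -keystore "$1" -storepass:env KS_PASS -alias "$2" >/dev/null 2>&1
}

# Usage: KS_PASS=... sh import_ca.sh truststore.p12 corp-root ca.pem AB:CD:...
if [ "$#" -eq 4 ]; then import_trusted_ca "$@"; fi
```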
Create a Certificate Signing Request (CSR) for the existing Keystore
Considering you already created a Keystore, you can generate a CSR.
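The CSR step from this section together with the ca and ca1 chain from "Create a Chain of Signed Certificates", as an added example that is not part of the original article: ca1 produces a CSR with -certreq, ca signs it with -gencert, and the signed reply is imported back over ca1's self-signed certificate. It assumes a JDK 8 or later keytool on PATH, the store password exported in KS_PASS, and a placeholder keystore file name chain.p12 (override with KS=...).

```shell
#!/bin/sh
# Added example (not from the article): the ca -> ca1 chain built through a CSR (-certreq)
# and a signed reply (-gencert). Both key pairs are kept in one keystore so keytool can
# verify the reply against the signer's certificate when it is imported.
# Assumptions: JDK 8+ keytool on PATH; the store password is exported in KS_PASS;
# the keystore file name chain.p12 is a placeholder (override with KS=...).

KS=${KS:-chain.p12}
kt() { export KS_PASS; keytool "$@" -keystore "$KS" -storetype PKCS12 -storepass:env KS_PASS; }

# build_chain: ca (self-signed root) signs ca1 (intermediate that may not sign further CAs)
build_chain() {
    # A CA certificate needs BasicConstraints ca:true and keyCertSign; marking both
    # critical (":c") stops relying parties from silently ignoring them.
    kt -genkeypair -alias ca  -keyalg RSA -keysize 3072 -validity 3650 \
        -dname "CN=Example Root CA, O=Example" \
        -ext "BC:c=ca:true" -ext "KU:c=keyCertSign,cRLSign" >/dev/null
    kt -genkeypair -alias ca1 -keyalg RSA -keysize 3072 -validity 1825 \
        -dname "CN=Example Intermediate CA, O=Example" >/dev/null
    # 1. CSR from ca1   2. ca signs it   3. the reply replaces ca1's self-signed certificate
    kt -certreq -alias ca1 -file ca1.csr
    kt -gencert -alias ca -infile ca1.csr -outfile ca1.crt -rfc -validity 1825 \
        -ext "BC:c=ca:true,pathlen:0" -ext "KU:c=keyCertSign,cRLSign"
    kt -importcert -alias ca1 -file ca1.crt -noprompt >/dev/null
}

# chain_length <alias>: number of certificates keytool holds for the alias (2 once ca1 is signed)
chain_length() {
    kt -list -v -alias "$1" | sed -n 's/^Certificate chain length: //p'
}

# issuer_of <alias>: issuer DN of the alias's own (first) certificate
issuer_of() {
    kt -list -v -alias "$1" | sed -n 's/^Issuer: //p' | head -n 1
}

# Usage: KS_PASS=... sh chain.sh build
if [ "$1" = build ]; then
    build_chain && echo "ca1: chain length $(chain_length ca1), issued by $(issuer_of ca1)"
fi
```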
List Certificates Stored in Java Keystore
A keystore can have multiple certificate entries. Assuming we are checking the list of certificates in the “keystore.jks” database, here’s what we need to type in: The output will look like this:
Check the Contents of a Single Certificate
Assuming you have already generated a certificate, you can see more about it using the following:
View Certificates in a Java Keystore
You can list all the certificates from a Keystore database. Here’s what the command looks like:
View Keystore Using an Alias and Keystore
If you want to check a Keystore using its alias name that you set when creating it, type in the following:
List Certificates in KeyStore
If you want to check the certificates stored in the default Keystore, use the command: You need to replace “passforkeystore” with the password you have set.
View Certificate Information
If you need to check the details of a single certificate, you can use its alias without specifying the keystore database. Here’s how it looks:
View Certificate in PEM Format
PEM is one of the most common formats for certificates and cryptographic keys. If you want to view a certificate in PEM format, type in the following:
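The listing and viewing sections above ("List Certificates Stored in Java Keystore" through this one), as an added example that is not part of the original article: it walks every alias in a keystore, reads the "Valid from ... until ..." line of each entry, and flags certificates that expire within N days, which is the check a practitioner actually wants from -list -v. It assumes a JDK 8 or later keytool on PATH running with an English locale and TZ=UTC (so GNU date -d on Linux can parse keytool's date text), and the store password exported in KS_PASS.

```shell
#!/bin/sh
# Added example (not from the article): walk every alias in a keystore and flag
# certificates that expire within N days, using only the "-list" output the article
# shows how to read. Assumptions: JDK 8+ keytool on PATH running with an English
# locale and TZ=UTC (so GNU "date -d" can parse its "Valid from ... until ..." line);
# the store password is exported in KS_PASS.

kt() { export KS_PASS; keytool "$@" -storepass:env KS_PASS; }

# list_aliases <keystore>: one alias per line, from the "alias, date, EntryType," lines
list_aliases() {
    kt -list -keystore "$1" \
        | grep -E ', (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),' | cut -d, -f1
}

# days_until_expiry <keystore> <alias>: whole days left on the alias's own certificate
# (the first "until:" line is Certificate[1], the leaf, even when a chain is stored).
days_until_expiry() {
    until=$(kt -list -v -keystore "$1" -alias "$2" \
        | sed -n 's/^Valid from: .* until: //p' | head -n 1)
    [ -n "$until" ] || return 1                     # SecretKeyEntry: nothing to expire
    end=$(date -d "$until" +%s) || return 1
    echo $(( (end - $(date +%s)) / 86400 ))
}

# expiring_aliases <keystore> <days>: "alias (N days left)" for every certificate that
# ends within <days> (already-expired ones come out with a negative count)
expiring_aliases() {
    list_aliases "$1" | while read -r alias; do
        left=$(days_until_expiry "$1" "$alias") || continue
        if [ "$left" -le "$2" ]; then echo "$alias ($left days left)"; fi
    done
}

# Usage: KS_PASS=... sh expiry.sh keystore.p12 30
if [ "$#" -eq 2 ]; then expiring_aliases "$1" "$2"; fi
```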
Change a Java Keystore Password
If you have already created a password for the Java Keystore, you can change the password using the command:
Delete a Certificate from Java Keystore
You can specify the Java Keystore and the alias of the entry to delete it. For instance:
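The password change and entry deletion from the two sections above, as an added example that is not part of the original article: both keep a backup copy of the keystore, and the rotation proves that the store opens and that a private key is still usable with the new password before the old one is retired. It assumes a JDK 8 or later keytool on PATH with a PKCS12 store (keytool re-encrypts the keys together with the store password there), the current password exported in KS_PASS and the new one in KS_NEW_PASS.

```shell
#!/bin/sh
# Added example (not from the article): rotate a keystore password and delete an entry
# the careful way: keep a backup copy, and prove that the store opens and a private key
# is still usable with the new password before the old one is retired.
# Assumptions: JDK 8+ keytool on PATH with a PKCS12 store (keytool re-encrypts the keys
# along with the store); current password in KS_PASS, new password in KS_NEW_PASS.

kt()    { export KS_PASS;     keytool "$@" -storepass:env KS_PASS; }
ktnew() { export KS_NEW_PASS; keytool "$@" -storepass:env KS_NEW_PASS; }

# entry_count <keystore>: the N from "Your keystore contains N entries"
entry_count() {
    kt -list -keystore "$1" | sed -n 's/^Your keystore contains \([0-9]*\) entr.*/\1/p'
}

# rotate_store_password <keystore>: KS_PASS -> KS_NEW_PASS, verified before the backup is removed
rotate_store_password() {
    ks=$1
    [ -n "$KS_NEW_PASS" ] || { echo "KS_NEW_PASS must be set" >&2; return 2; }
    cp -p "$ks" "$ks.bak" || return 1
    kt -storepasswd -keystore "$ks" -new:env KS_NEW_PASS || return 1
    # Open the store with the new password, then exercise the first private key
    # (-certreq needs it) so a half-rotated store is caught now, not at deploy time.
    ktnew -list -keystore "$ks" >/dev/null || return 1
    alias=$(ktnew -list -keystore "$ks" | grep PrivateKeyEntry | head -n 1 | cut -d, -f1)
    if [ -n "$alias" ]; then
        ktnew -certreq -alias "$alias" -keystore "$ks" >/dev/null || return 1
    fi
    rm -f "$ks.bak"
}

# delete_entry <keystore> <alias>: remove one entry, leaving <keystore>.bak behind
delete_entry() {
    ks=$1; alias=$2
    kt -list -keystore "$ks" -alias "$alias" >/dev/null 2>&1 \
        || { echo "alias $alias not found in $ks" >&2; return 1; }
    cp -p "$ks" "$ks.bak" || return 1
    kt -delete -keystore "$ks" -alias "$alias"
}
```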
Explore The Command and Get Help
The command has several arguments and extensions to get many things done. Depending on your use case, you may or may not need all of them. So, if you want to dive deep into the command options, you can always type in: In either case, if you are using a Linux terminal, I would recommend reading the man (manual) page with this command: With the man command, you can get all the details you need about the keytool command. So, keep it as your superpower to learn all you can about it!
Wrapping Up
The file paths and other customization options might differ a little depending on the platform you use. You can also refer to Oracle’s documentation for the standardized options. Keytool is an excellent tool for a range of tasks. Test it out and see what you can do with it! You can also explore some Linux commands to maintain your systems and keep them running optimally.