A Simple Guide on Java Keytool Keystore Commands
The Java Keytool is a command-line tool that allows you to manage cryptographic keys and certificates in a keystore. A keystore is a database that can store keys and certificates. The Keytool is commonly used for tasks like generating keys and certificates, importing and exporting keys and certificates, and managing trust stores. In this comprehensive guide, we will explore the most common Java Keytool keystore commands.
What is Java Keytool?
The Java Keytool is included in the Java Development Kit (JDK) since JDK 1.2. It allows you to manage cryptographic keys and certificates in a keystore, which is a secure database that can store keys, certificates and other sensitive information.
The Keytool uses a provider-based architecture. This means it supports different cryptographic service providers, such as OpenSSL and BouncyCastle. By default, it uses the Sun provider.
The Keytool executable is located in the bin directory of the JDK installation.
Some Common Use Cases of the Keytool Include
- Generating public/private key pairs
- Importing certificates from trusted Certificate Authorities (CAs)
- Exporting certificates and presenting them to CAs for signing
- Managing trust stores and keystores
- Verifying certificate signatures and certificate chains
The Keytool stores data in a keystore file. By default, this is a file named .keystore located in the user’s home directory. But the keystore location and filename can be customized.
The Keytool uses a command line interface. You need to specify commands, options and operands to execute Keytool operations.
Now let’s look at the most common Java Keytool keystore commands.
Generating a New Keystore
The keytool -genkey command allows you to generate a new keystore if one does not already exist.
The basic syntax is:
keytool -genkey -alias myalias -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 365
This generates a new keystore called keystore.jks containing a private key entry with the alias myalias. The key algorithm is RSA with a 2048-bit key size and a validity of 365 days.
Some important options:
- -alias: Specifies the alias for the key entry
- -keyalg: Specifies the key algorithm, e.g. RSA, DSA, EC
- -keysize: Specifies the size of the key in bits
- -keystore: Specifies the name and location of the keystore
- -validity: Specifies the validity period in days
You will be prompted to provide additional information, such as your name and organization details, when generating the keystore.
This command is useful when you need to generate a brand new keystore to store your keys and certificates.
Generating a Public/Private Key Pair
The keytool -genkeypair command can be used to generate a new public/private key pair and store it in the keystore.
The basic syntax is:
keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 365
This generates a public/private key pair with alias myalias, using the RSA algorithm with a 2048-bit key size, stored in keystore.jks and valid for 365 days.
Some important parameters:
- -alias: Specifies the alias or name of the key pair entry
- -keyalg: Algorithm to generate the key pair (e.g. RSA, DSA, EC)
- -keysize: Size of the key pair in bits
- -keystore: Keystore location where key pair will be stored
- -validity: Validity period in days
When you generate a key pair, you will be prompted to provide additional identifying information that gets incorporated into the keystore entry.
This command allows you to generate fresh public/private keys that can be used in cryptographic operations. The private key can be used to perform signing, decryption etc.
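The following POSIX shell script is an added example, not code from the original article. It runs the -genkeypair command from this section without any of the interactive prompts: -dname supplies the identifying information keytool would otherwise ask for, and -storepass/-keypass supply the passwords. It then confirms with -list that the entry exists and is a PrivateKeyEntry. It assumes keytool from a JDK is on PATH; the alias (myalias), the subject name, the SAN entries and the password changeit are placeholders chosen for the demo. The older -genkey command name is an alias for -genkeypair and accepts the same options.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes `keytool` from a
# JDK is on PATH; the alias, subject name, SAN entries and password are
# placeholders chosen for this demo.
set -eu

# Generate an RSA key pair (with its self-signed certificate) in a PKCS12
# store without any interactive prompts: -dname answers the name and
# organization questions, -storepass/-keypass the password questions.
# -storetype is given explicitly so the result is the same on every JDK.
gen_keypair() {
  ks="$1"; name="$2"; pass="$3"
  keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 \
    -validity 365 -keystore "$ks" -storetype PKCS12 \
    -storepass "$pass" -keypass "$pass" \
    -dname "CN=example.test, OU=Dev, O=Example, L=Nowhere, ST=NA, C=US" \
    -ext "san=dns:example.test,dns:localhost" >/dev/null 2>&1
}

# Succeed only if `keytool -list` shows <alias> as an entry of <kind>
# (PrivateKeyEntry, trustedCertEntry or SecretKeyEntry).
keystore_has_entry() {
  ks="$1"; name="$2"; kind="$3"; pass="$4"
  keytool -list -keystore "$ks" -storetype PKCS12 -storepass "$pass" 2>/dev/null \
    | grep -q "^$name,.*$kind"
}

# Print the number of entries in the store, counted from -list output.
keystore_entry_count() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" 2>/dev/null \
    | grep -cE 'PrivateKeyEntry|trustedCertEntry|SecretKeyEntry' || true
}

if command -v keytool >/dev/null 2>&1; then
  demo="$(mktemp -d)"
  gen_keypair "$demo/keystore.p12" myalias changeit
  echo "entries in keystore: $(keystore_entry_count "$demo/keystore.p12" changeit)"
  keystore_has_entry "$demo/keystore.p12" myalias PrivateKeyEntry changeit \
    && echo "myalias is stored as a PrivateKeyEntry"
  # -v prints the subject, validity window and extensions (e.g. the SAN list),
  # which is the quickest way to check what was actually generated.
  keytool -list -v -keystore "$demo/keystore.p12" -storetype PKCS12 \
    -storepass changeit 2>/dev/null | grep -E 'Alias name|Valid from|DNSName'
  rm -rf "$demo"
else
  echo "keytool not found on PATH; nothing generated" >&2
fi
```

Passing the password on the command line is convenient for a demo, but on a shared machine it is visible in the process list and shell history; keytool also accepts -storepass:file and -storepass:env to read it from a file or an environment variable instead.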
Importing a Certificate
The keytool -importcert command allows you to import a certificate issued by a Certificate Authority into the keystore.
The basic syntax is:
keytool -importcert -alias mycert -file mycert.crt -keystore keystore.jks
This imports the certificate file mycert.crt into the keystore keystore.jks with alias mycert.
Some important parameters:
- -alias: Alias or name for the certificate entry
- -file: Certificate file to be imported, in PEM or DER format
- -keystore: Keystore location where certificate will be imported
You can import certificates issued for your public key, or certificates of trusted CAs that you want to add to your trust store. A certificate issued for your own public key (a CA reply) is imported under the alias of the matching private key entry, so that private key entry must already exist in the keystore.
Importing a PKCS12 Keystore
The keytool -importkeystore command allows you to import an entire PKCS12 keystore including private keys into a Java keystore (JKS).
The syntax is:
keytool -importkeystore -srckeystore pkcs12.p12 -destkeystore keystore.jks -srcstoretype PKCS12
This imports the PKCS12 keystore pkcs12.p12, along with its private keys, into keystore.jks.
Some parameters:
- -srckeystore: Source PKCS12 keystore file
- -destkeystore: Destination JKS keystore location
- -srcstoretype: Set to PKCS12 for source keystore type
The import will require the PKCS12 file password. The entries will be imported with their original aliases and passwords.
This allows you to migrate keys and certs from PKCS12 to the Java JKS format.
Exporting a Certificate
The keytool -exportcert command allows you to export a certificate from a keystore.
The basic syntax is:
keytool -exportcert -alias mycert -file mycert.crt -keystore keystore.jks
This exports the certificate with alias mycert from keystore.jks to the file mycert.crt.
Some parameters:
- -alias: Alias of the certificate entry to export
- -file: File to export certificate to, in PEM or DER format
- -keystore: Keystore location to export from
You will need to provide the keystore password to access the certificate.
This exports the public certificate which you can then share or submit to a Certificate Authority. But the private key is not exported.
Generating a Certificate Signing Request (CSR)
The keytool -certreq command allows you to generate a Certificate Signing Request (CSR).
The basic syntax is:
keytool -certreq -alias myalias -file mycsr.csr -keystore keystore.jks
This generates a CSR for the key pair entry with alias myalias in keystore.jks and saves it to the file mycsr.csr.
Some parameters:
- -alias: Alias of the key pair entry for which CSR is needed
- -file: File to export CSR to, in PEM format
- -keystore: Keystore location of the key pair
You will be prompted for the keystore password to access the private key for CSR generation. Provide additional info if requested.
The CSR can then be submitted to a Certificate Authority to obtain a certificate for the public key associated with the key pair.
Importing a CA Root/Intermediate Certificate
The keytool -importcert command can be used to import a trusted root or intermediate CA certificate into the keystore.
The basic syntax is:
keytool -importcert -alias ca -file ca.crt -keystore truststore.jks
This imports the CA certificate ca.crt with alias ca into the truststore truststore.jks.
Some parameters:
- -alias: Alias for the CA certificate entry
- -file: CA certificate file to import, in PEM or DER format
- -keystore: Keystore file where the CA cert should be imported
With -keystore pointed at the JDK's default trust store, located at $JAVA_HOME/jre/lib/security/cacerts, the same command adds trusted CA certificates to that default trust store.
Importing CA certificates allows for certificate chain validation and trust management when using certificates issued by that CA.
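The script below is an added example, not code from the original article, and ties together the preceding sections on exporting a certificate, importing it into a trust store, and generating a CSR. It exports the certificate of a key pair as PEM, imports that certificate into a separate PKCS12 truststore as a trusted entry, generates a CSR for the same key pair, and then checks with -list that the truststore holds only a trustedCertEntry (no private key) and that the CSR and certificate files carry the expected PEM headers. It assumes keytool from a JDK is on PATH; the alias server, the file names and the password changeit are placeholders, and the key pair it starts from is generated inline for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes `keytool` from a
# JDK is on PATH; aliases, file names and passwords are placeholders.
set -eu

# Export the certificate of <alias> as PEM. keytool writes DER unless -rfc
# is given; PEM is what most CAs and other tools expect.
export_cert() {
  ks="$1"; name="$2"; pass="$3"; out="$4"
  keytool -exportcert -alias "$name" -keystore "$ks" -storetype PKCS12 \
    -storepass "$pass" -rfc -file "$out" >/dev/null 2>&1
}

# Import a certificate into a (possibly new) PKCS12 truststore as a trusted
# entry. -noprompt answers the "Trust this certificate?" question, so only
# use it when the file really came from the party you intend to trust.
import_trusted() {
  ts="$1"; name="$2"; file="$3"; pass="$4"
  keytool -importcert -alias "$name" -file "$file" -keystore "$ts" \
    -storetype PKCS12 -storepass "$pass" -noprompt >/dev/null 2>&1
}

# Produce a CSR for the key pair under <alias>. The private key never
# leaves the keystore; the CSR carries the public key and subject name.
make_csr() {
  ks="$1"; name="$2"; pass="$3"; out="$4"
  keytool -certreq -alias "$name" -keystore "$ks" -storetype PKCS12 \
    -storepass "$pass" -file "$out" >/dev/null 2>&1
}

# Succeed if -list shows <alias> stored as the given entry kind.
keystore_has_entry() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$4" 2>/dev/null \
    | grep -q "^$2,.*$3"
}

# Succeed if the PEM file has a "-----BEGIN ...<label>-----" header.
pem_has_block() { grep -q -- "-----BEGIN.*$2-----" "$1"; }

if command -v keytool >/dev/null 2>&1; then
  d="$(mktemp -d)"
  # Key pair constructed for the demo (see the -genkeypair section).
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$d/keystore.p12" -storetype PKCS12 -storepass changeit \
    -keypass changeit -dname "CN=example.test, O=Example, C=US" >/dev/null 2>&1
  export_cert "$d/keystore.p12" server changeit "$d/server.crt"
  import_trusted "$d/truststore.p12" server "$d/server.crt" changeit
  make_csr "$d/keystore.p12" server changeit "$d/server.csr"
  keystore_has_entry "$d/truststore.p12" server trustedCertEntry changeit \
    && echo "truststore holds the certificate only, as a trustedCertEntry"
  # -printcert shows what was exported without touching any keystore.
  keytool -printcert -file "$d/server.crt" | grep -E '^Owner|^Issuer'
  rm -rf "$d"
else
  echo "keytool not found on PATH; nothing generated" >&2
fi
```

Keeping trusted certificates in a dedicated truststore file, rather than editing the JDK's cacerts, limits the change to one application: a Java process is pointed at it with the system properties -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword.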
Generating a Self-Signed Certificate
The keytool -genkeypair command can also be used to generate a self-signed certificate along with a key pair.
The basic syntax is:
keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -validity 365 -keystore keystore.jks
This generates a key pair and self-signed certificate with alias myalias, using the RSA algorithm with a 2048-bit key size, valid for 365 days. It is stored in the keystore keystore.jks.
Some important parameters:
- -alias: Alias for the key pair entry
- -keyalg: Key algorithm (e.g. RSA, DSA, EC)
- -keysize: Key size in bits
- -validity: Validity period in days
- -keystore: Keystore location
When you use the keytool -genkeypair command without specifying a -sigalg parameter, it will generate a self-signed certificate for the generated public key.
Self-signed certificates are signed with their own private key rather than being signed by a trusted CA. They can be used for testing purposes but are not trusted by default.
Generating a Secret Key
The keytool -genseckey command allows you to generate a secret (symmetric) key and store it in the keystore.
The basic syntax is:
keytool -genseckey -alias symmetrickey -keystore keystore.jks -keyalg AES -keysize 128
This generates a 128-bit AES secret key with alias symmetrickey and stores it in keystore.jks.
Some parameters:
- -alias: Alias for the secret key
- -keystore: Keystore location
- -keyalg: Symmetric key algorithm (e.g. AES, DES, RC2)
- -keysize: Key size in bits
Secret keys are used in symmetric encryption algorithms like AES, DES, RC2 etc. They should be safely stored in a keystore.
The keytool -genseckey command allows easy generation and storage of secret keys for encryption/decryption purposes.
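The following script is an added example, not code from the original article. It stores a 128-bit AES key with -genseckey and verifies it appears as a SecretKeyEntry, and it also shows the one failure mode worth knowing here: the JKS format can only hold private keys and certificates, so the same command against a JKS store is refused by keytool. The command in this section works only because the target is not a JKS file (on JDK 9 and later a new keystore defaults to PKCS12). It assumes keytool from a JDK is on PATH; the alias symmetrickey, the file names and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes `keytool` from a
# JDK is on PATH; alias, file names and passwords are placeholders.
set -eu

# Store a 128-bit AES key in a PKCS12 keystore. Secret keys need a store
# type that can hold them: PKCS12 (or the older JCEKS) works, JKS does not.
gen_secret_key() {
  ks="$1"; name="$2"; pass="$3"
  keytool -genseckey -alias "$name" -keyalg AES -keysize 128 \
    -keystore "$ks" -storetype PKCS12 -storepass "$pass" -keypass "$pass" \
    >/dev/null 2>&1
}

# Succeed if -list shows <alias> as a SecretKeyEntry.
has_secret_key() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$3" 2>/dev/null \
    | grep -q "^$2,.*SecretKeyEntry"
}

# Failure mode: a JKS store cannot hold a secret key, so keytool fails with
# "Cannot store non-PrivateKeys". This helper succeeds when keytool refuses
# the request, i.e. when the expected error occurs.
jks_rejects_secret_key() {
  ks="$1"; pass="$2"
  if keytool -genseckey -alias k -keyalg AES -keysize 128 -keystore "$ks" \
       -storetype JKS -storepass "$pass" -keypass "$pass" >/dev/null 2>&1; then
    return 1   # unexpectedly accepted
  fi
  return 0
}

if command -v keytool >/dev/null 2>&1; then
  d="$(mktemp -d)"
  gen_secret_key "$d/secrets.p12" symmetrickey changeit
  has_secret_key "$d/secrets.p12" symmetrickey changeit \
    && echo "symmetrickey stored as a SecretKeyEntry in PKCS12"
  jks_rejects_secret_key "$d/secrets.jks" changeit \
    && echo "JKS store refused the secret key, as expected"
  rm -rf "$d"
else
  echo "keytool not found on PATH; nothing generated" >&2
fi
```

The store password is the only thing protecting a secret key in a PKCS12 file, so the file itself must be handled as a secret: restrict its permissions and keep it out of source control.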
Checking Keystore Contents
The keytool -list command allows you to view the contents of a keystore.
The basic syntax is:
keytool -list -keystore keystore.jks
Some parameters:
- -keystore: Keystore location to be checked
It will prompt for the keystore password and print out details of all keystore entries including certificates, key pairs, and secret keys.
This allows you to verify your keystore contents and check certificate details, aliases, expiration dates etc.
Changing Keystore Password
The keytool -storepasswd command allows you to change the password of a keystore.
The basic syntax is:
keytool -storepasswd -keystore keystore.jks
This will prompt you to provide the old and new password for the keystore.
Some parameters:
- -keystore: Keystore location whose password needs changing
This updates the password used to protect the keystore. Make sure to use a strong password.
Changing the keystore password periodically is a good security practice to prevent unauthorized access.
Deleting an Entry
The keytool -delete command can be used to delete an entry from a keystore.
The basic syntax is:
keytool -delete -alias myalias -keystore keystore.jks
This deletes the entry with alias myalias from the keystore keystore.jks.
Some parameters:
- -alias: Alias of the entry to delete
- -keystore: Keystore location
You will be prompted for the keystore password to delete the entry.
This can be used to remove outdated, expired, or invalid entries from your keystore.
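The script below is an added example, not code from the original article, covering the three maintenance commands above: it lists a keystore, rotates its password with -storepasswd (using -new so no prompt appears), confirms that the old password is now refused and the new one accepted, and finally deletes an entry and checks the entry count. It assumes keytool from a JDK is on PATH; the alias, file name and both passwords are placeholders, and the key pair it starts from is generated inline for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes `keytool` from
# a JDK is on PATH; aliases and passwords are placeholders.
set -eu

# Change the store password without prompting (-new supplies the new one).
change_store_password() {
  ks="$1"; old="$2"; new="$3"
  keytool -storepasswd -keystore "$ks" -storetype PKCS12 \
    -storepass "$old" -new "$new" >/dev/null 2>&1
}

# Succeed only if <pass> opens the keystore; keytool fails on a wrong one.
store_password_works() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" >/dev/null 2>&1
}

# Remove the entry stored under <alias>.
delete_entry() {
  keytool -delete -alias "$2" -keystore "$1" -storetype PKCS12 \
    -storepass "$3" >/dev/null 2>&1
}

# Print the number of entries, counted from -list output.
entry_count() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" 2>/dev/null \
    | grep -cE 'PrivateKeyEntry|trustedCertEntry|SecretKeyEntry' || true
}

if command -v keytool >/dev/null 2>&1; then
  d="$(mktemp -d)"
  # Key pair constructed for the demo (see the -genkeypair section).
  keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$d/keystore.p12" -storetype PKCS12 -storepass changeit \
    -keypass changeit -dname "CN=example.test, O=Example, C=US" >/dev/null 2>&1
  echo "before: $(entry_count "$d/keystore.p12" changeit) entry"
  change_store_password "$d/keystore.p12" changeit 'n3w-Str0ng-pa55'
  store_password_works "$d/keystore.p12" changeit \
    || echo "old password no longer opens the keystore"
  store_password_works "$d/keystore.p12" 'n3w-Str0ng-pa55' \
    && echo "new password opens the keystore"
  delete_entry "$d/keystore.p12" myalias 'n3w-Str0ng-pa55'
  echo "after delete: $(entry_count "$d/keystore.p12" 'n3w-Str0ng-pa55') entries"
  rm -rf "$d"
else
  echo "keytool not found on PATH; nothing generated" >&2
fi
```

After rotating the store password, update every application configuration that references the keystore, and run -list with the new password once to confirm the file was rewritten rather than assuming the change took effect.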
Converting Keystore Format
The keytool -importkeystore command allows you to convert a keystore from one format to another.
For example:
keytool -importkeystore -srckeystore pkcs12.p12 -destkeystore keystore.jks -srcstoretype PKCS12
This imports a PKCS12 keystore into a JKS keystore.
Some parameters:
- -srckeystore: Source keystore location
- -destkeystore: Destination keystore location
- -srcstoretype: Source keystore type
This provides a convenient way to convert between different keystore formats like JKS, PKCS12, BKS etc.
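The following script is an added example, not code from the original article, and serves both this section and the earlier "Importing a PKCS12 Keystore" section, which use the same -importkeystore command. It converts a JKS keystore to PKCS12 and back, passing -deststoretype explicitly (the page's command relies on the destination type defaulting) and -srcstorepass/-deststorepass so no prompt appears, then checks with -list that the type reported for each file is the intended one and that the private key entry survived both conversions. It assumes keytool from a JDK 9 or later is on PATH (keytool detects the store type of an existing file when -storetype is omitted); the alias app, the file names and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes `keytool` from
# a JDK 9+ is on PATH; file names, alias and passwords are placeholders.
set -eu

# Copy every entry of <src> (type <srctype>) into <dst> (type <dsttype>).
# The same password is used on both sides so no per-key prompt appears;
# -noprompt avoids the "overwrite?" question when an alias already exists.
convert_keystore() {
  src="$1"; srctype="$2"; dst="$3"; dsttype="$4"; pass="$5"
  keytool -importkeystore -srckeystore "$src" -srcstoretype "$srctype" \
    -srcstorepass "$pass" -destkeystore "$dst" -deststoretype "$dsttype" \
    -deststorepass "$pass" -noprompt >/dev/null 2>&1
}

# Print the store type keytool reports for a file ("JKS" or "PKCS12").
# -storetype is deliberately omitted so keytool probes the file format.
keystore_type() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^Keystore type: //p' | tr '[:lower:]' '[:upper:]'
}

# Succeed if -list shows <alias> stored as the given entry kind.
keystore_has_entry() {
  keytool -list -keystore "$1" -storepass "$4" 2>/dev/null \
    | grep -q "^$2,.*$3"
}

if command -v keytool >/dev/null 2>&1; then
  d="$(mktemp -d)"
  # A JKS keystore constructed for the demo (see the -genkeypair section).
  keytool -genkeypair -alias app -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$d/app.jks" -storetype JKS -storepass changeit -keypass changeit \
    -dname "CN=app.example.test, O=Example, C=US" >/dev/null 2>&1
  echo "app.jks reports type: $(keystore_type "$d/app.jks" changeit)"
  convert_keystore "$d/app.jks" JKS "$d/app.p12" PKCS12 changeit
  echo "app.p12 reports type: $(keystore_type "$d/app.p12" changeit)"
  keystore_has_entry "$d/app.p12" app PrivateKeyEntry changeit \
    && echo "private key entry 'app' survived the JKS -> PKCS12 conversion"
  convert_keystore "$d/app.p12" PKCS12 "$d/back.jks" JKS changeit
  keystore_has_entry "$d/back.jks" app PrivateKeyEntry changeit \
    && echo "and the PKCS12 -> JKS conversion"
  rm -rf "$d"
else
  echo "keytool not found on PATH; nothing converted" >&2
fi
```

JDK 9 and later print a warning whenever a JKS file is touched, recommending migration to PKCS12 with exactly this command; the JKS to PKCS12 direction is therefore the one you will normally run, and the reverse is only needed for tools that still insist on JKS.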
Conclusion on Java Keytool Keystore Commands
The Java Keytool is an indispensable tool for managing keys and certificates in Java. It provides a robust set of commands for keystore and cryptographic key management. This article covered the most common Java Keytool Keystore commands for generating keys, importing/exporting certificates, configuring trust stores, converting keystores, and managing aliases. Mastering these most common Java Keytool Keystore commands is crucial for building secure Java applications that leverage encryption, SSL, code signing, and authentication. Using proper Keytool commands helps manage keys and certificates seamlessly across the development, testing and deployment lifecycles. The Keytool provides powerful cryptographic capabilities right out of the box in Java.
FAQs on Most Common Java Keytool Keystore Commands
1. What is a keystore in Java?
A keystore in Java is a database that can store cryptographic keys, certificates and other sensitive information. It helps manage keys/certificates used for authentication, encryption, signature verification etc. The default format is JKS but other formats like PKCS12 are also supported.
2. Where is the Java keystore located?
By default, Java applications use the .keystore file located in the user’s home directory. But the keystore location and file can be customized via the -keystore parameter in Keytool commands.
3. How to change Java keystore password?
Use the keytool -storepasswd command to change the password of a Java keystore. You will be prompted to enter the old and new password.
4. What is a Java truststore?
A truststore is a keystore file that stores trusted certificates, generally CA certificates. It helps establish trust when validating certificate chains. The default truststore is located at $JAVA_HOME/jre/lib/security/cacerts.
5. How to import a certificate into Java keystore?
Use the keytool -importcert command to import a certificate into a Java keystore. Specify the certificate file, destination keystore and alias. You may be prompted for passwords.
6. How to export a certificate from a Java keystore?
Use the keytool -exportcert command to export a certificate from a keystore. Specify the alias to export, destination file and source keystore. Provide keystore password when prompted.
7. How to generate a CSR in Java?
Use the keytool -certreq command to generate a Certificate Signing Request (CSR). Specify the alias for the existing key pair, destination CSR file and keystore location. Enter keystore password when prompted.
8. How to check contents of a Java keystore?
Use the keytool -list command to view contents of a keystore. Specify the keystore location. You will be prompted for the keystore password. It prints out all keystore entries.
9. How to delete an entry from a Java keystore?
Use the keytool -delete command to delete an entry. Specify the alias to delete and the keystore location. Enter keystore password when prompted to confirm deletion.
10. How to convert a PKCS12 file to a Java keystore?
Use the keytool -importkeystore command. Specify the source PKCS12 keystore, destination JKS keystore and source keystore type as PKCS12. You will need to enter the source PKCS12 file password.