Keytool is a command-line utility that lets you manage/store cryptographic keys and certificates.

If your system has Java installed, you can use the keytool command to import a CA certificate, list certificates, create self-signed certificates, store passphrases and public/private keys, and do many more things. 

Confused? Fret not; I will explain it in simpler terms as you read.

Note that I use Linux to test the commands and explain to you a bit more about it with examples.

You can use Keytool commands on Windows and macOS as well.

What is a Keytool Command?

It is a key and certificate management utility. It allows you to store private/public key pairs, which are usually to verify/authenticate access to services.

Considering the title of this article, one can assume that the command is used mainly by system administrators and developers.

For the most part, yes, but a user can get creative with the keytool command to store passphrases and secret keys for authentication, encryption, and decryption purposes. So, if you are curious, you should try it out on your system.

If you are new to the concept of cryptographic keys, you might want to check out our article on data encryption before you try keytool commands.

Furthermore, checking out the OpenSSL command examples can also give you some idea of how it is different and what you can do with any of them.

Create a Self-Signed Certificate

keytool -genkeypair -alias <alias> -keypass <keypass> -validity <validity> -storepass <storepass>

Unlike an SSL certificate that you purchase, a self-signed certificate is only used for development/testing purposes to use a secure connection.

You can generate one using the keytool command syntax mentioned above. For example, here’s what it looks like:

keytool -genkeypair -alias geekflare -keypass passforkeystore -validity 365 -storepass passforkeystore

You can use any name for the alias; I use geekflare as a placeholder text. You can customize the validity and specify a password for the Keystore replacing “passforkeystore” in the command above.

Note that only one password is supported for PKCS12 KeyStores. However, it is a convenient Keystore type that is not Java-specific.

If you need two different passwords for your Keystore and the certificate, you might want to explicitly tell the keytool command to use another interface.

You can read more about it in its official documentation.

Once you proceed with the creation, it will ask for additional details for authenticity. Here’s what it should look like:

What is your first and last name?
  [Unknown]:  Ankush
What is the name of your organizational unit?
  [Unknown]:  Geekflare
What is the name of your organization?
  [Unknown]:  Geekflare
What is the name of your City or Locality?
  [Unknown]:  Bhubaneswar
What is the name of your State or Province?
  [Unknown]:  Odisha
What is the two-letter country code for this unit?
  [Unknown]:  91
Is CN=Ankush, OU=Geekflare, O=Geekflare, L=Bhubaneswar, ST=Odisha, C=91 correct?
  [no]:  yes

Create a Java Keystore and Key Pair

keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore.jks -alias geekflarejava -validity 3650

Generate a Java Keystore and Import a certificate

Ensure you have a valid certificate or have generated one earlier; once done, you can import it and generate a Java Keystore.

keytool -importcert -file test.crt -keystore truststore.jks -alias geekflare

Generate a Key Pair to the Default Keystore With Subject

You can quickly generate a keypair (say with the name “ca”) using the following command:

keytool -alias ca -dname CN=CA -genkeypair

Create a Chain of Signed Certificates

Suppose you have created key pairs of ca, and ca1. You can create a chain of signed certificates where ca will sign ca1 with the following commands:

keytool -alias ca1 -certreq
keytool -alias ca -gencert -ext san=dns:ca1
keytool -alias ca1 -importcert

You can complete the chain with two more key pairs ca1 and ca2, where ca1 will sign ca2.

Importing a Certificate

If you want to import a certificate from an available file, here’s what you can do:

keystool -import -alias geekflare -file geekflareserver.cer

Create a Certificate Signing Request (CSR) for the existing Keystore

Considering you already created a Keystore, you can generate a CSR.

keytool -certreq -keyalg rsa -keystore keystore.jks -alias server -file geekflare.csr

List Certificates Stored in Java Keystore

A keystore can have multiple entries of certificates. Assuming we are checking the list of certificates in “keystore.jks” database, here’s what we need to type in:

keytool -v -list -keystore keystore.jks

The output for this will look like this:

keytool -v -list -keystore keystore.jks
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: geekflarecert
Creation date: 16-Nov-2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=Ankush, OU=Geek, O=Geekflare, L=Bhubaneswar, ST=od, C=91
Issuer: CN=Ankush, OU=Geek, O=Geekflare, L=Bhubaneswar, ST=od, C=91
Serial number: a0b9a99
Valid from: Wed Nov 16 09:42:37 IST 2022 until: Sat Nov 13 09:42:37 IST 2032
Certificate fingerprints:
	 SHA1: 23:7C:65:A7:A6:84:18:F8:45:04:92:DF:D4:BB:0F:91:6D:A5:C5:BE
	 SHA256: C0:25:ED:B8:CF:1A:E6:E1:C5:75:A8:10:8F:CD:BE:42:26:96:9C:9A:FA:74:65:07:71:06:9A:2C:F5:80:FE:7F
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Check the Contents of a Single Certificate

Considering you already have a generated certificate, you can check more about it using the following:

keytool -v -printcert -file server.crt

View Certificates in a Java Keystore

You can list all the certificates from a Keystore database. Here’s what the command looks like:

keytool -v -list -keystore keystore.jks

View Keystore Using an Alias and Keystore

If you want to check a Keystore using its alias name that you set when creating it, type in the following:

keytool -v -list -keystore keystore.jks -alias geekflareserver

List Certificates in KeyStore

If you want to check the certificates stored in the default Keystore, use the command:

keytool -list -storepass passforkeystore

You need to replace “passforkeystore” with the password you have set.

View Certificate Information

If you need to check the details for a single certificate, you can use its alias without specifying the keystone database.

Here’s how it looks:

keytool -list -v -alias geekflare -storepass passforkeystore

View Certificate in PEM Format

PEM is one of the most common formats for certificates and cryptographic keys. If you want to check a certificate with PEM, type in the following:

keytool -v -printcert -file geekflare.crt -rfc

Change a Java Keystore Password

If you have already created a password for the Java Keystore, you can change the password using the command:

keytool -delete -alias geekflare -keystore keystore.jks

Delete a Certificate from Java Keystore

You can specify the Java Keystore and its alias to delete it. For instance:

keytool -delete -alias geekflare -keystore keystore.jks

Explore The Command and Get Help

The command has several arguments and extensions to get many things done. Depending on your use case, you may or may not need to use all of them.

So, if you want to dive in deep for the command options, you can always type in:

keytool -help

In either case, if you are using a Linux terminal, I would recommend reading the man (manual) page with this command:

man keytool

With the man command, you can get all the details you need about the keytool command.

So, keep it your superpower to learn all you can about it!

Wrapping Up

The path of files and other customization options might be a little different from the platform you use. You can refer to Oracle’s documentation for the standardized options as well.

Keytool is an excellent tool for a range of tasks. Test it out and see what you can do with it!

You can also explore some Linux commands to maintain and keep the systems running optimally.