Java Keytool Keystore Commands
The Java Keytool is a command-line tool for managing cryptographic keys and certificates in a keystore, a password-protected file that holds private keys, certificates and, in some formats, secret keys. It is commonly used to generate keys and certificates, import and export certificates, and maintain trust stores. This guide covers the most common Java Keytool keystore commands.
What is Java Keytool?
The Java Keytool has shipped with the Java Development Kit (JDK) since JDK 1.2. It manages cryptographic keys and certificates in a keystore: a file that stores private keys, secret keys and certificates, protected by a password.
The Keytool is built on the Java Cryptography Architecture's provider model. Keystore types and algorithms come from whichever providers are installed, so a third-party provider such as Bouncy Castle can add its own keystore format (BKS) and algorithms. By default it uses the JDK's built-in providers (JKS and PKCS12 keystores, RSA, EC, AES and so on). OpenSSL is a separate toolkit, not a JCA provider; keytool does not use it.
The Keytool executable is located in the bin directory of the JDK installation.
Some Common Use Cases of the Keytool Include
Generating key pairs and self-signed certificates, producing certificate signing requests (CSRs), importing CA-issued and trusted CA certificates, exporting certificates for distribution, converting between keystore formats, and listing or pruning keystore contents. Each of these is covered below.
The Keytool stores data in a keystore file. If you omit -keystore it uses a file named .keystore in the user's home directory, creating it on first write; in practice the location and filename are set explicitly with -keystore.
The Keytool uses a command line interface: each invocation names one command (for example -genkeypair) followed by its options and operands.
Now let's look at the most common Java Keytool keystore commands.
Generating a New Keystore
The keytool -genkey command is the older name (still accepted, now deprecated) for -genkeypair. It generates a key pair plus a self-signed certificate, and creates the keystore file if it does not already exist.
The basic syntax is:
keytool -genkey -alias myalias -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 365
This creates keystore.jks if it does not exist and adds a private key entry with alias myalias: a 2048-bit RSA key with a self-signed certificate valid for 365 days.
Some important options:
-alias names the entry inside the keystore; every later command refers to it.
-keyalg and -keysize select the key type and length (RSA 2048 is the usual minimum today).
-keystore is the path of the keystore file. The .jks extension is only a naming convention; the actual format is chosen by -storetype, and since JDK 9 the default type is PKCS12 (keytool warns that JKS is a proprietary format).
-validity is the lifetime of the self-signed certificate in days.
You will be prompted for the distinguished name (your name, organization, location) and for the keystore password unless you pass them with -dname and -storepass. Use -dname in scripts; avoid putting passwords on the command line on shared hosts, where they end up in shell history and process listings.
Use this when you need a brand new keystore for your keys and certificates. Since -genkey and -genkeypair do the same thing, prefer -genkeypair in new scripts.
Generating a Public/Private Key Pair
The keytool -genkeypair command generates a new public/private key pair and stores it in the keystore.
The basic syntax is:
keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 365
This generates a public/private key pair with alias myalias (RSA, 2048 bits) and stores it in keystore.jks. The public key is wrapped in a self-signed certificate valid for 365 days; keytool never stores a bare public key.
Some important parameters:
-alias, -keyalg, -keysize, -keystore and -validity have the same meaning as for -genkey.
-sigalg chooses the signature algorithm of the self-signed certificate (for example SHA256withRSA).
-dname supplies the subject name non-interactively, for example -dname "CN=www.example.com, O=Example, C=US".
-ext adds certificate extensions, most usefully a Subject Alternative Name: -ext SAN=dns:www.example.com.
When you generate a key pair you are prompted for the identifying information (CN, OU, O, L, ST, C) that becomes the certificate subject, unless -dname was given.
The private key stays in the keystore and is used for signing (TLS handshakes, CSRs, code signing) and decryption; the certificate carries the matching public key.
Importing a Certificate
The keytool -importcert command imports a certificate into the keystore: either a certificate issued by a Certificate Authority for one of your own key pairs (a certificate reply) or a certificate you want to trust.
The basic syntax is:
keytool -importcert -alias mycert -file mycert.crt -keystore keystore.jks
This imports the certificate file mycert.crt into keystore.jks under alias mycert. Both DER and PEM (Base64) encoded certificates are accepted.
Some important parameters:
-alias: if it matches an existing private key entry, keytool treats the file as a certificate reply for that key and replaces the self-signed certificate with the CA-issued chain; otherwise the certificate is stored as a trusted certificate entry.
-file: the certificate, or for a reply, a PKCS#7 bundle or concatenated PEM file containing the whole chain.
-trustcacerts: also consult the JDK's cacerts store when checking the reply chain.
-noprompt: skip the confirmation prompt (use with care, see below).
How the import is checked depends on the case. For a certificate reply, keytool verifies that the reply matches the entry's public key and tries to build a chain to a certificate already trusted in the keystore (or in cacerts with -trustcacerts); if it cannot, the import fails or asks you whether to accept the untrusted root. For a new trusted certificate, keytool prints the subject and fingerprint and asks whether to trust it. Compare that fingerprint with a value obtained out of band before answering yes: anything imported as trusted becomes a trust anchor for everything that uses this keystore. No private key is needed to import a trusted certificate.
Importing a PKCS12 Keystore
The keytool -importkeystore command imports an entire PKCS12 keystore, private keys included, into another keystore, for example a legacy Java keystore (JKS).
The syntax is:
keytool -importkeystore -srckeystore pkcs12.p12 -destkeystore keystore.jks -srcstoretype PKCS12
This copies every entry of pkcs12.p12, private keys and certificate chains included, into keystore.jks.
Some parameters:
-srcstoretype / -deststoretype: the formats of the two stores. If -deststoretype is omitted the destination gets the JDK default (JKS before JDK 9, PKCS12 from JDK 9 on), so state it explicitly.
-srcstorepass / -deststorepass: the two store passwords; you are prompted for whatever you do not supply.
-srcalias / -destalias: copy a single entry, optionally renaming it; without -srcalias all entries are copied.
-noprompt: overwrite existing aliases without asking.
The import requires the PKCS12 file password. Entries keep their original aliases. In PKCS12 the key password is the store password, and that password is reused for each key in the destination unless you give -destkeypass.
This is how you migrate keys and certificates from PKCS12 to the legacy JKS format. Since JDK 9 keytool warns when writing JKS and recommends migrating in the other direction; the same command with the source and destination swapped and -deststoretype PKCS12 does that.
Exporting a Certificate
The keytool -exportcert command exports a certificate from a keystore.
The basic syntax is:
keytool -exportcert -alias mycert -file mycert.crt -keystore keystore.jks
This exports the certificate with alias mycert from keystore.jks to the file mycert.crt.
Some parameters:
-rfc: write PEM (Base64 between BEGIN/END CERTIFICATE lines). Without it the output is binary DER, which many non-Java tools and web servers will not accept as-is.
-alias: for a private key entry, the entry's own certificate (the first in its chain) is exported.
You will need to provide the keystore password, because keytool opens the whole store; the certificate itself is public data.
This exports only the public certificate, which you can share with peers, add to their truststores, or hand to a Certificate Authority. The private key is never written by this command; to move a private key use -importkeystore.
Generating a Certificate Signing Request (CSR)
The keytool -certreq command generates a Certificate Signing Request (CSR).
The basic syntax is:
keytool -certreq -alias myalias -file mycsr.csr -keystore keystore.jks
This generates a CSR for the key pair entry with alias myalias in keystore.jks and writes it to mycsr.csr.
Some parameters:
-sigalg: the signature algorithm for the request (chosen from the key type by default).
-dname: the subject to put in the request; by default the subject of the entry's existing self-signed certificate is used.
-ext: extensions to request, most importantly -ext SAN=dns:host1,dns:host2, since CAs and browsers rely on the Subject Alternative Name rather than the CN. The CA may honour or ignore requested extensions.
You will be prompted for the keystore password (and the key password if it differs), because signing the request needs the private key. The key itself is not written to the CSR.
The CSR (PKCS#10, PEM encoded) is then submitted to a Certificate Authority. The certificate it returns is imported into the same alias with -importcert, which replaces the self-signed certificate with the CA-issued chain.
Importing a CA Root/Intermediate Certificate
The keytool -importcert command can also be used to import a trusted root or intermediate CA certificate into the keystore.
The basic syntax is:
keytool -importcert -alias ca -file ca.crt -keystore truststore.jks
This imports the CA certificate ca.crt into truststore.jks as a trusted certificate entry with alias ca; the file is created if it does not exist.
Some parameters:
-file: the CA certificate in DER or PEM form.
-keystore: the truststore to write to. To add a CA to the JDK's own default trust store instead, point -keystore at it: $JAVA_HOME/lib/security/cacerts on JDK 9 and later ($JAVA_HOME/jre/lib/security/cacerts on JDK 8), or use the -cacerts shortcut available from JDK 9. Its historical default password is changeit, and changing it alters trust for every application on that JDK, so a per-application truststore (passed with the javax.net.ssl.trustStore system property) is usually the better choice.
-noprompt: skip the "Trust this certificate?" confirmation. Leave it off unless you have already verified the certificate's fingerprint through another channel.
Importing a CA certificate lets the JVM build and validate certificate chains for peers whose certificates were issued by that CA. Intermediates are normally sent by the peer during the handshake, so a truststore usually needs only roots, but an intermediate can be imported the same way when a peer omits it.
Generating a Self-Signed Certificate
The keytool -genkeypair command also generates a self-signed certificate along with the key pair.
The basic syntax is:
keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -validity 365 -keystore keystore.jks
This generates a key pair and a self-signed certificate with alias myalias (RSA, 2048 bits, valid for 365 days) in keystore.jks.
Some important parameters:
-sigalg: the algorithm used to self-sign, for example SHA256withRSA (current JDKs default to a SHA-2 algorithm matched to the key).
-ext SAN=dns:myhost,ip:10.0.0.5: Subject Alternative Name. Modern browsers and TLS libraries ignore the CN, so a self-signed certificate without a SAN fails hostname verification even when the CN is correct.
-validity: keep it short for test certificates.
-genkeypair always wraps the new public key in a self-signed certificate, whether or not -sigalg is given; -sigalg only selects the signature algorithm. That certificate is what -exportcert writes, and it is replaced when a CA reply is imported with -importcert.
Self-signed certificates are signed with their own private key rather than by a trusted CA. They are fine for development and for internal peers that trust the certificate explicitly (by importing it into the other side's truststore), but no client trusts them by default.
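The whole lifecycle covered in the key pair, CSR, export and self-signed certificate sections, as an added example script (not part of the original article and not JDK code): generate a key pair with a SAN, produce a CSR, export the certificate as PEM and inspect it, all non-interactively. It assumes keytool is on PATH; the alias web, the file keystore.p12, the password changeit and the subject name are illustrative choices. It works in a temporary directory and removes it on exit.

```shell
#!/bin/sh
# Added example: key pair -> CSR -> PEM export -> inspection with keytool.
# Assumptions (illustrative, not from the article): alias "web", PKCS12 store,
# password "changeit", subject CN=localhost. Requires a JDK keytool on PATH.
command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KS="$WORK/keystore.p12"
PASS=changeit

# 1. Key pair plus self-signed certificate. -dname avoids the interactive prompts;
#    -ext SAN matters because TLS clients check the SAN, not the CN.
make_keypair() {
  keytool -genkeypair -alias web -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -dname "CN=localhost, O=Example, C=US" \
    -ext "SAN=dns:localhost,ip:127.0.0.1" \
    -keystore "$KS" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1
}

# 2. CSR for that alias. The private key signs the request but never leaves the store.
#    Prints the first line of the PEM file so the result can be checked.
make_csr() {
  keytool -certreq -alias web -file "$WORK/web.csr" \
    -keystore "$KS" -storepass "$PASS" >/dev/null 2>&1 || return 1
  head -n 1 "$WORK/web.csr"
}

# 3. Export the public certificate as PEM (-rfc). Without -rfc keytool writes DER.
export_pem() {
  keytool -exportcert -alias web -rfc -file "$WORK/web.pem" \
    -keystore "$KS" -storepass "$PASS" >/dev/null 2>&1 || return 1
  head -n 1 "$WORK/web.pem"
}

# 4. Inspect the exported certificate. -printcert needs no keystore or password:
#    the certificate is public data. Prints how many lines mention localhost
#    (subject, issuer and the SAN DNSName entry).
san_mentions() {
  keytool -printcert -file "$WORK/web.pem" | grep -c localhost
}

# 5. List the store and report the entry type for alias "web".
entry_kind() {
  keytool -list -keystore "$KS" -storepass "$PASS" 2>/dev/null \
    | grep -o 'PrivateKeyEntry' | head -n 1
}

make_keypair
make_csr        # -----BEGIN NEW CERTIFICATE REQUEST-----
export_pem      # -----BEGIN CERTIFICATE-----
san_mentions
entry_kind      # PrivateKeyEntry
```

After a CA has signed the CSR, the returned chain goes back into the same alias with keytool -importcert -alias web -file chain.pem -keystore keystore.p12, which replaces the self-signed certificate without touching the private key.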
Generating a Secret Key
The keytool -genseckey command generates a secret (symmetric) key and stores it in the keystore.
The basic syntax is:
keytool -genseckey -alias symmetrickey -keystore keystore.p12 -storetype PKCS12 -keyalg AES -keysize 128
This generates a 128-bit AES secret key with alias symmetrickey and stores it in keystore.p12.
Some parameters:
-keyalg / -keysize: the symmetric algorithm and key length (AES with 128 or 256 bits).
-storetype: must be a type that can hold secret keys. JKS cannot (keytool fails with "Cannot store non-PrivateKeys"), which is why this example uses PKCS12 (the JDK 9+ default); the older JCEKS type also works.
-keypass: the entry password; in a PKCS12 store it must equal the store password.
Secret keys are used by symmetric algorithms. Use AES; DES and RC2 are obsolete and should not be generated for new systems. Keep secret keys in a keystore rather than in configuration files or source code.
The keytool -genseckey command gives you an easy way to generate and store a secret key; an application loads it with KeyStore.getKey(alias, keyPassword) for encryption and decryption.
Checking Keystore Contents
The keytool -list command shows the contents of a keystore.
The basic syntax is:
keytool -list -keystore keystore.jks
It prompts for the keystore password (or reads -storepass) and prints one line per entry: alias, creation date, entry type (PrivateKeyEntry, trustedCertEntry or SecretKeyEntry) and, for certificates, the SHA-256 fingerprint. Add -v for full details (subject, issuer, serial number, validity dates, extensions) or -rfc to print the certificates in PEM form. For a JKS store the password can be left empty at the prompt: keytool warns that integrity was not verified and lists the entries anyway, which shows that a JKS password does not keep certificate contents secret.
This lets you verify your keystore contents, check aliases and expiry dates, and compare fingerprints against a known-good value.
Changing Keystore Password
The keytool -storepasswd command changes the password of a keystore.
The basic syntax is:
keytool -storepasswd -keystore keystore.jks
This prompts for the old and the new keystore password.
Some parameters:
-new: supply the new password non-interactively (avoid on shared hosts, where it lands in shell history).
-storepass: the current password.
This updates the password protecting the keystore; make it strong. What the password actually protects depends on the store type. For JKS it only keys an integrity digest: certificates are stored in the clear, and each private key has its own password (set with -keypass, changed with -keypasswd). For PKCS12 the store and key passwords are the same and also encrypt the contents.
Rotating the password after staff changes or a suspected exposure is good practice, but a new password does nothing for copies of the file taken earlier, and it does not prevent someone with read access from listing a JKS store.
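To make concrete what the keystore password protects in a JKS store, here is an added example in Python (not from the article and not JDK code) that writes a minimal JKS file and reads it back. It implements the layout used by sun.security.provider.JavaKeyStore: magic 0xFEEDFEED, version 2, the entries, then a SHA-1 over everything before it keyed with the password (as UTF-16BE) and the fixed string "Mighty Aphrodite". Only trusted-certificate entries are handled, and the certificate bytes are a constructed placeholder, not a real X.509 certificate.

```python
"""Added example: minimal JKS writer/reader showing that the store password
only provides an integrity check; trusted certificates are stored in the clear.
The DER bytes used below are a constructed placeholder, not a real certificate."""
import hashlib
import struct

MAGIC = 0xFEEDFEED
VERSION = 2
TRUSTED_CERT = 2            # JKS entry tag: 1 = private key entry, 2 = trusted certificate
SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the integrity digest


def _utf(s: str) -> bytes:
    """Java DataOutputStream.writeUTF: 2-byte big-endian length + UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _keyed_sha1(password: str, body: bytes) -> bytes:
    """Integrity digest exactly as JavaKeyStore computes it (getPreKeyedHash)."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))  # each char as high byte, low byte
    md.update(SALT)
    md.update(body)
    return md.digest()


def write_jks(entries: dict, password: str, ts_ms: int = 0) -> bytes:
    """Serialize {alias: der_bytes} as trusted-certificate entries and append the digest."""
    body = struct.pack(">III", MAGIC, VERSION, len(entries))
    for alias, der in entries.items():
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias) + struct.pack(">q", ts_ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _keyed_sha1(password, body)


def read_jks(blob: bytes) -> dict:
    """Parse aliases and certificate bytes. No password is needed: nothing is encrypted."""
    magic, version, count = struct.unpack_from(">III", blob, 0)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a JKS v2 store")
    off, entries = 12, {}
    for _ in range(count):
        tag, = struct.unpack_from(">I", blob, off); off += 4
        if tag != TRUSTED_CERT:
            raise ValueError("only trusted certificate entries are handled here")
        alen, = struct.unpack_from(">H", blob, off); off += 2
        alias = blob[off:off + alen].decode("utf-8"); off += alen
        off += 8                                                   # creation timestamp
        tlen, = struct.unpack_from(">H", blob, off); off += 2 + tlen  # cert type ("X.509")
        clen, = struct.unpack_from(">I", blob, off); off += 4
        entries[alias] = blob[off:off + clen]; off += clen
    return entries


def verify_jks(blob: bytes, password: str) -> bool:
    """True only if the trailing SHA-1 matches: wrong password or tampering both fail."""
    body, digest = blob[:-20], blob[-20:]
    return _keyed_sha1(password, body) == digest


if __name__ == "__main__":
    fake_der = b"\x30\x03\x02\x01\x01"          # constructed placeholder, not a real cert
    store = write_jks({"ca": fake_der}, "changeit")
    print(read_jks(store))                      # readable with no password at all
    print(verify_jks(store, "changeit"))        # True
    print(verify_jks(store, "wrong"))           # False
    # Flip one bit of the last body byte: the digest no longer matches.
    tampered = store[:-21] + bytes([store[-21] ^ 0x01]) + store[-20:]
    print(verify_jks(tampered, "changeit"))     # False
```

The practical consequence: treat a JKS truststore as public data whose integrity, not confidentiality, is guarded by its password, and rely on file permissions and the per-key password for private key entries. PKCS12 stores, by contrast, encrypt their contents with the same password.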
Deleting an Entry
The keytool -delete command removes an entry from a keystore.
The basic syntax is:
keytool -delete -alias myalias -keystore keystore.jks
This deletes the entry with alias myalias from the keystore keystore.jks.
Some parameters:
-alias: the entry to remove; run -list first to confirm which entry that is.
-storepass: the keystore password.
You will be prompted for the keystore password, and the entry is removed without further confirmation.
Use this to remove expired, revoked or unused entries. Deleting a private key entry is irreversible, so keep a backup (or copy the entry elsewhere with -importkeystore) if the key might still be needed to decrypt older data.
Converting Keystore Format
The keytool -importkeystore command also converts a keystore from one format to another.
For example:
keytool -importkeystore -srckeystore pkcs12.p12 -destkeystore keystore.jks -srcstoretype PKCS12
This imports a PKCS12 keystore into a JKS keystore. For the direction the JDK recommends (legacy JKS to PKCS12) swap the source and destination and add -deststoretype PKCS12.
Some parameters:
-srcstoretype / -deststoretype: the two formats. Always give -deststoretype, so the result does not depend on the JDK's default type (JKS before JDK 9, PKCS12 from JDK 9).
-srcstorepass / -deststorepass: the two store passwords.
-providerclass or -providername: needed for formats served by a third-party provider, such as BKS from Bouncy Castle.
This gives you a convenient way to convert between keystore formats like JKS, PKCS12 and BKS.
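An added example (not from the original article, not JDK code) that ties together the PKCS12 import, secret key and format conversion sections: it builds a legacy JKS store, converts it to PKCS12 with -importkeystore and -deststoretype, and then shows why a secret key must go into a PKCS12 store rather than JKS. It assumes keytool is on PATH; the alias app, the file names and the password changeit are illustrative.

```shell
#!/bin/sh
# Added example: JKS -> PKCS12 conversion and the secret-key limitation of JKS.
# Assumptions (illustrative): alias "app", password "changeit", keytool on PATH.
command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit

# A legacy JKS store with one key pair. JDK 9+ warns that JKS is proprietary; it still works.
make_jks() {
  keytool -genkeypair -alias app -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=app, O=Example" -keystore "$WORK/legacy.jks" -storetype JKS \
    -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Convert JKS -> PKCS12. -deststoretype is the option the article's PKCS12->JKS
# command omits; without it the destination takes the JDK's default type.
# -noprompt lets the function be re-run (existing alias is overwritten).
# Prints the entry type found in the new store.
jks_to_p12() {
  rm -f "$WORK/app.p12"
  keytool -importkeystore -srckeystore "$WORK/legacy.jks" -srcstoretype JKS \
    -srcstorepass "$PASS" -destkeystore "$WORK/app.p12" -deststoretype PKCS12 \
    -deststorepass "$PASS" -srcalias app -destalias app -noprompt >/dev/null 2>&1 || return 1
  keytool -list -keystore "$WORK/app.p12" -storetype PKCS12 -storepass "$PASS" 2>/dev/null \
    | grep -o 'PrivateKeyEntry' | head -n 1
}

# Try to store an AES key in a store of type $1. JKS refuses non-private keys
# ("Cannot store non-PrivateKeys"); PKCS12 (and JCEKS) accept them.
# Prints "ok" or "refused".
seckey_into() {
  rm -f "$WORK/sec.$1"
  if keytool -genseckey -alias aes -keyalg AES -keysize 256 \
       -keystore "$WORK/sec.$1" -storetype "$1" -storepass "$PASS" -keypass "$PASS" \
       >/dev/null 2>&1
  then echo ok; else echo refused; fi
}

make_jks
jks_to_p12           # PrivateKeyEntry
seckey_into JKS      # refused
seckey_into PKCS12   # ok
```

The same -importkeystore invocation with -deststoretype JKS reproduces the article's PKCS12 to JKS migration; only the direction and the explicit destination type differ.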
Conclusion on Java Keytool Keystore Commands
The Java Keytool is an indispensable tool for managing keys and certificates in Java. It provides a solid set of commands for keystore and key management. This article covered the most common Java Keytool keystore commands for generating keys, importing and exporting certificates, configuring trust stores, converting keystores and managing aliases. Knowing these commands is essential for building secure Java applications that rely on encryption, TLS, code signing and authentication, and using them correctly keeps keys and certificates consistent across development, testing and deployment. The Keytool provides these capabilities out of the box with every JDK.
FAQs on Most Common Java Keytool Keystore Commands
1. What is a keystore in Java?
A keystore in Java is a password-protected file that stores cryptographic keys and certificates. It holds the keys and certificates used for authentication, encryption and signature verification. JKS was the default format through JDK 8; since JDK 9 the default is PKCS12, and JKS is still read and written for compatibility.
2. Where is the Java keystore located?
When no -keystore option is given, keytool uses the .keystore file in the user's home directory. Java applications do not read that file automatically: they load whatever keystore their configuration names, for example through the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties for TLS. The location can be customized in Keytool commands with the -keystore parameter.
3. How to change Java keystore password?
Use the keytool -storepasswd command to change the password of a Java keystore. You will be prompted to enter the old and new password.
4. What is a Java truststore?
A truststore is a keystore file that stores trusted certificates, generally CA certificates. It establishes trust when validating certificate chains. The JDK's default truststore is $JAVA_HOME/lib/security/cacerts on JDK 9 and later ($JAVA_HOME/jre/lib/security/cacerts on JDK 8).
5. How to import a certificate into Java keystore?
Use the keytool -importcert command to import a certificate into a Java keystore. Specify the certificate file, destination keystore and alias. You may be prompted for passwords.
6. How to export a certificate from a Java keystore?
Use the keytool -exportcert command to export a certificate from a keystore. Specify the alias to export, destination file and source keystore (add -rfc for PEM output). Provide the keystore password when prompted.
7. How to generate a CSR in Java?
Use the keytool -certreq command to generate a Certificate Signing Request (CSR). Specify the alias of the existing key pair, the destination CSR file and the keystore location. Enter the keystore password when prompted.
8. How to check contents of a Java keystore?
Use the keytool -list command to view the contents of a keystore. Specify the keystore location. You will be prompted for the keystore password. It prints all keystore entries.
9. How to delete an entry from a Java keystore?
Use the keytool -delete command to delete an entry. Specify the alias to delete and the keystore location. Enter the keystore password when prompted.
10. How to convert a PKCS12 file to a Java keystore?
Use the keytool -importkeystore command. Specify the source PKCS12 keystore, the destination JKS keystore, -srcstoretype PKCS12 and, explicitly, -deststoretype JKS (the default type depends on the JDK version). You will need to enter the source PKCS12 file password.