keystore

Keytool Options

| KEYTOOL OPTIONS | DESCRIPTION |
| --- | --- |
| -delete | Deletes an entry from the keystore |
| -exportcert | Exports a certificate from a keystore |
| -genkeypair | Generates a key pair |
| -genseckey | Generates a secret key |
| -gencert | Generates a certificate from a certificate request |
| -importcert | Imports a certificate or a certificate chain into a keystore |
| -importpass | Imports a password |
| -importkeystore | Imports one or all entries from another keystore into a keystore |
| -keypasswd | Changes the key password of an entry in a keystore |
| -list | Lists entries in a keystore |
| -printcert | Prints the content of a certificate |
| -printcertreq | Prints the content of a certificate request |
| -printcrl | Prints the content of a CRL file |
| -storepasswd | Changes the store password of a keystore |

get cert from domain

$ keytool -printcert \
          -rfc \
          -sslserver google.com:443 > google.com.crt
# or
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
          sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > google.com.crt
  • check crt file

    $ openssl x509 \
              -in google.com.crt \
              -noout \
              -text |
              grep "Not "
                Not Before: Aug 30 01:36:08 2021 GMT
                Not After : Nov 22 01:36:07 2021 GMT

    or

    $ keytool -printcert \
              -v \
              -file google.com.crt |
              head
    Certificate[1]:
    Owner: CN=*.google.com
    Issuer: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
    Serial number: 1a46a5eeaea1c2610a00000000fcefe4
    Valid from: Sun Aug 29 18:36:08 PDT 2021 until: Sun Nov 21 17:36:07 PST 2021
    Certificate fingerprints:
       MD5:  58:83:A1:72:6A:FC:96:FD:18:BF:93:57:AD:64:BE:55
       SHA1: 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
       SHA256: 03:FF:12:79:0E:57:B2:90:65:37:F2:5D:EA:62:A5:36:62:C6:1E:C0:2E:58:12:10:33:66:2D:49:2B:0C:3B:D5
    Signature algorithm name: SHA256withRSA

add crt into Java keystore

[!TIP] imarslo: get remote server certs

generate a certificate

$ keytool -genkey \
          -alias google.com \
          -keyalg RSA \
          -keystore keystore.jks \
          -keysize 2048

create java keystore from cert file

$ keytool -importcert \
          -alias google.com \
          -keystore google.com.jks \
          -storepass changeit \
          -file google.com.crt

Trust this certificate? [no]:  yes
Certificate was added to keystore

Using `-noprompt -trustcacerts` skips the interactive `Trust this certificate? [no]:` confirmation, so the import runs unattended; only do this once you have verified the certificate (e.g. its fingerprint) by other means.

  • verify

    $ keytool -list \
              [-v] \
              -keystore google.com.jks \
              -storepass changeit
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    google.com, Sep 27, 2021, trustedCertEntry,
    Certificate fingerprint (SHA1): 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
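An added example (not from these notes) of the import-and-verify flow above as a POSIX shell script: it refuses a `-noprompt` import unless the certificate's SHA-256 fingerprint matches one you already hold from a trusted channel, then reads the entry back with `keytool -list -v` and compares again. The file, alias, keystore and password are placeholders; the embedded sample output is copied from the `-printcert -v` listing above so the parsing helpers run without a JDK.

```shell
# Added example, not from the original notes. Assumes keytool is on PATH;
# file, alias, keystore and password values are placeholders.

# Pull one fingerprint line out of `keytool -printcert -v` / `keytool -list -v`
# output. $1 is the label keytool prints (SHA1 or SHA256); the result is
# lowercase hex without colons so formatting differences do not matter.
fingerprint_from_printcert() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1 | tr -d ':' | tr 'A-F' 'a-f'
}

# Same for the one-line form `keytool -list` prints per entry, labelled
# "(SHA1)" by older JDKs and "(SHA-256)" by newer ones.
fingerprint_from_list() {
    sed -n 's/^Certificate fingerprint ([^)]*):[[:space:]]*//p' | head -n 1 | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeeds only when both values are non-empty and equal after normalising.
fingerprints_match() {
    fm_a=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    fm_b=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$fm_a" ] && [ "$fm_a" = "$fm_b" ]
}

# import_pinned_cert CERT_FILE ALIAS KEYSTORE STOREPASS EXPECTED_SHA256
import_pinned_cert() {
    actual=$(keytool -printcert -v -file "$1" | fingerprint_from_printcert SHA256)
    if ! fingerprints_match "$actual" "$5"; then
        echo "refusing to import $1: SHA256 $actual does not match pinned $5" >&2
        return 1
    fi
    # Fingerprint verified, so skipping the interactive prompt is safe here.
    keytool -importcert -noprompt -trustcacerts -alias "$2" \
            -keystore "$3" -storepass "$4" -file "$1" || return 1
    # Read the entry back from the keystore and confirm it is the pinned cert.
    stored=$(keytool -list -v -alias "$2" -keystore "$3" -storepass "$4" \
             | fingerprint_from_printcert SHA256)
    fingerprints_match "$stored" "$5"
}

# Constructed sample (copied from the -printcert -v output shown above) so the
# parsing helpers can be exercised without a JDK installed.
SAMPLE_PRINTCERT='Certificate fingerprints:
   SHA1: 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
   SHA256: 03:FF:12:79:0E:57:B2:90:65:37:F2:5D:EA:62:A5:36:62:C6:1E:C0:2E:58:12:10:33:66:2D:49:2B:0C:3B:D5'

# usage: sh import_pinned.sh google.com.crt google.com truststore.jks changeit 03:FF:12:...:D5
if [ $# -eq 5 ]; then import_pinned_cert "$@"; fi
```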

append to existing java keystore

$ keytool -import \
          -noprompt \
          -trustcacerts \
          -alias google.com \
          -keystore google.com.new.jks \
          -file google.com.crt

import an entire keystore into another keystore

$ keytool -importkeystore                          \
          -srckeystore key.jks -destkeystore NONE  \
          -srcstoretype JKS -deststoretype PKCS11  \
          -srcstorepass <source keystore password> \
          -deststorepass <destination keystore password>
  • import only single alias from keystore to another keystore

    $ keytool -importkeystore                                   \
              -srckeystore key.jks -destkeystore NONE           \
              -srcstoretype JKS -deststoretype PKCS11           \
              -srcstorepass <source keystore password>          \
              -deststorepass <destination keystore password>    \
              -srcalias myprivatekey -destalias myoldprivatekey \
              -srckeypass <source entry password>               \
              -destkeypass <destination entry password>         \
              -noprompt

export items to cert file

history: This command was named -export in previous releases.

The old name is still supported in this release and will be supported in future releases, but for clarity the new name, -exportcert, is preferred going forward.

$ keytool -export \
          -keystore google.com.jks \
          -alias google.com \
          -file google.com.crt
