keystore
Keytool Options
-delete: deletes an entry from the keystore
-exportcert: exports a certificate from a keystore
-genkeypair: generates a key pair
-genseckey: generates a secret key
-gencert: generates a certificate from a certificate request
-importcert: imports a certificate or a certificate chain to a keystore
-importpass: imports a password
-importkeystore: imports one or all entries from another keystore to a keystore
-keypasswd: changes the key password of an entry in a keystore
-list: lists entries in a keystore
-printcert: prints the content of a certificate
-printcertreq: prints the content of a certificate request
-printcrl: prints the content of a CRL file
-storepasswd: changes the store password of a keystore
get cert from domain
$ keytool -printcert \
-rfc \
-sslserver google.com:443 > google.com.crt
# or
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > google.com.crt
check crt file
$ openssl x509 \
-in google.com.crt \
-noout \
-text | grep "Not "
Not Before: Aug 30 01:36:08 2021 GMT
Not After : Nov 22 01:36:07 2021 GMT
# -- or --
$ keytool -printcert \
-v \
-file google.com.crt | head
Certificate[1]:
Owner: CN=*.google.com
Issuer: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
Serial number: 1a46a5eeaea1c2610a00000000fcefe4
Valid from: Sun Aug 29 18:36:08 PDT 2021 until: Sun Nov 21 17:36:07 PST 2021
Certificate fingerprints:
MD5: 58:83:A1:72:6A:FC:96:FD:18:BF:93:57:AD:64:BE:55
SHA1: 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
SHA256: 03:FF:12:79:0E:57:B2:90:65:37:F2:5D:EA:62:A5:36:62:C6:1E:C0:2E:58:12:10:33:66:2D:49:2B:0C:3B:D5
Signature algorithm name: SHA256withRSA
add crt into Java keystore
generate a certificate
$ keytool -genkey \
-alias google.com \
-keyalg RSA \
-keystore keystore.jks \
-keysize 2048
create java keystore from cert file
$ keytool -importcert \
-alias google.com \
-keystore google.com.jks \
-storepass changeit \
-file google.com.crt
Trust this certificate? [no]: yes
Certificate was added to keystore
verify
$ keytool -list \
[-v] \
-keystore google.com.jks \
-storepass changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
google.com, Sep 27, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
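The verify step can be scripted so that an imported entry is accepted only when it is a trustedCertEntry whose fingerprint equals a value pinned beforehand. This is an added example, not part of the original page; `norm_fp`, `check_alias` and `sample_listing` are hypothetical helper names, and the `mykey` entry in the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that an alias in
# `keytool -list` output is a trustedCertEntry whose fingerprint equals a pin.

# norm_fp TEXT: drop an "xxx=" or "xxx: " label, colons and spaces; uppercase hex.
norm_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/^.*: //' | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# check_alias ALIAS PINNED_FP   (reads `keytool -list` output on stdin)
# exit: 0 match, 1 mismatch, 2 alias absent, 3 not a trustedCertEntry,
#       4 pin and listing use different digests (hex lengths differ)
check_alias() {
  awk -F', ' -v a="$1" -v want="$(norm_fp "$2")" '
    # Entry header: "<alias>, <date>, <entry type>,"
    $1 == a && /Entry,?[ \t]*$/ { type = $NF; sub(/,[ \t]*$/, "", type); found = 1; next }
    # The fingerprint line directly follows the header of its entry.
    found && got == "" && /^Certificate fingerprint/ {
      got = $0; sub(/^.*: /, "", got); gsub(/:/, "", got); got = toupper(got)
    }
    END {
      if (!found) exit 2
      if (type != "trustedCertEntry") exit 3
      if (length(got) != length(want)) exit 4
      exit ((got == want) ? 0 : 1)
    }'
}

# Constructed input: the google.com entry is the page's own `keytool -list`
# output; the "mykey" entry and its fingerprint are made up for the demo.
sample_listing() {
  cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

google.com, Sep 27, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
mykey, Sep 27, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF
}

# Pin taken from the page's `keytool -printcert` output for google.com.crt.
PINNED_SHA1='5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6'
# Real use: keytool -list -keystore google.com.jks -storepass changeit | check_alias google.com "$PINNED_SHA1"
if sample_listing | check_alias google.com "$PINNED_SHA1"; then
  echo "google.com: trusted entry matches pinned fingerprint"
fi
```

The pin must use the same digest that `keytool -list` prints (SHA1 in the output above); exit code 4 flags a pin of a different length, such as the SHA256 value from `-printcert`.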
append to existing java keystore
$ keytool -import \
-noprompt \
-trustcacerts \
-alias google.com \
-keystore google.com.new.jks \
-file google.com.crt
remove alias
# get alias
$ $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/lib/security/cacerts | grep <alias.name>
# or
$ $JAVA_HOME/bin/keytool -list -cacerts | grep <alias.name>
# or
$ keytool -list -v -keystore /path/to/cacerts.jks | grep 'Alias name:' | grep -i <alias.name>
# delete alias
$ $JAVA_HOME/bin/keytool -noprompt -trustcacerts -cacerts -delete -alias <the-alias-name>
# or
$ $JAVA_HOME/bin/keytool -noprompt -trustcacerts -keystore /path/to/cacerts.jks -delete -alias <the-alias-name>
import an entire keystore into another keystore
$ keytool -importkeystore \
-srckeystore key.jks -destkeystore NONE \
-srcstoretype JKS -deststoretype PKCS11 \
-srcstorepass <source keystore password> \
-deststorepass <destination keystore password>
import only single alias from keystore to another keystore
$ keytool -importkeystore \
-srckeystore key.jks -destkeystore NONE \
-srcstoretype JKS -deststoretype PKCS11 \
-srcstorepass <source keystore password> \
-deststorepass <destination keystore password> \
-srcalias myprivatekey -destalias myoldprivatekey \
-srckeypass <source entry password> \
-destkeypass <destination entry password> \
-noprompt
export items to cert file
$ keytool -export \
-keystore google.com.jks \
-alias google.com \
-file google.com.crt