
# keystore

* [Keytool Options](#keytool-options)
* [get cert from domain](#get-cert-from-domain)
* [add crt into Java keystore](#add-crt-into-java-keystore)
  * [generate a certificate](#generate-a-certificate)
  * [create java keystore from cert file](#create-java-keystore-from-cert-file)
  * [append to existing java keystore](#append-to-existing-java-keystore)
  * [remove alias](#remove-alias)
* [import an entire keystore into another keystore](#import-an-entire-keystore-into-another-keystore)
* [export items to cert file](#export-items-to-cert-file)

{% hint style="info" %}

> references:
>
> * [keytool - Key and Certificate Management Tool](https://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html)
> * [To Use keytool to Create a Server Certificate](https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/)
>   * [gencert](https://www.ibm.com/docs/en/sdk-java-technology/8?topic=keystore-gencert)
>   * [importcert](https://www.ibm.com/docs/en/sdk-java-technology/8?topic=keystore-importcert)
>   * [changealias](https://www.ibm.com/docs/en/sdk-java-technology/8?topic=keystore-changealias)
>   * [Examples](https://www.ibm.com/docs/en/sdk-java-technology/8?topic=keytool-examples)
> * [5 Creating, Exporting, and Importing SSL Certificates](https://docs.oracle.com/cd/E54932_01/doc.705/e54936/cssg_create_ssl_cert.htm#CSVSG178)
> * [To Generate a Certificate by Using keytool](https://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html)
> * [Error Importing SSL certificate : Not an X.509 Certificate](https://stackoverflow.com/a/53538542/2940319)
> * [generate key and certificate using keytool](https://stackoverflow.com/a/61674251/2940319)
> * [How to Create JKS KeyStore file from existing private key and certificate](https://xacmlinfo.org/2014/06/13/how-to-keystore-creating-jks-file-from-existing-private-key-and-certificate/)
> * [How to Generate a Keystore and CSR Using the Keytool Command](https://dzone.com/articles/keytool-commandutility-to-generate-a-keystorecerti)
> * [The Most Common Java Keytool Keystore Commands](https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html)
> * [Error unable to find valid certification path](https://discuss.elastic.co/t/error-unable-to-find-valid-certification-path/122304)
> * [Java Keytool - Create Keystore](https://support.globalsign.com/digital-certificates/digital-certificate-installation/java-keytool-create-keystore)
> * [ARTIFACTORY: How to Resolve an “unable to find valid certification path to requested target” Error](https://jfrog.com/knowledge-base/how-to-resolve-unable-to-find-valid-certification-path-to-requested-target-error/)
> * [Working with Certificates and SSL](https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html)
{% endhint %}

### Keytool Options

|  KEYTOOL OPTIONS  | DESCRIPTION                                                    |
| :---------------: | -------------------------------------------------------------- |
|     `-delete`     | deletes an entry from the keystore                             |
|   `-exportcert`   | exports a certificate from a keystore                          |
|   `-genkeypair`   | generates a key pair                                           |
|    `-genseckey`   | generates a secret (symmetric) key and stores it as a `SecretKeyEntry` |
|     `-gencert`    | generates a certificate from a certificate request             |
|   `-importcert`   | imports a certificate or a certificate chain into a keystore   |
|   `-importpass`   | imports a passphrase and stores it as a `SecretKeyEntry`       |
| `-importkeystore` | imports one or all entries from another keystore to a keystore |
|    `-keypasswd`   | changes the key password of an entry in keystore               |
|      `-list`      | lists entries in a keystore                                    |
|    `-printcert`   | prints the content of a certificate                            |
|  `-printcertreq`  | prints the content of a certificate request                    |
|    `-printcrl`    | prints the content of a crl file                               |
|   `-storepasswd`  | changes the store password of a keystore                       |

### get cert from domain

```bash
$ keytool -printcert \
          -rfc \
          -sslserver google.com:443 > google.com.crt
# or
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
          sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > google.com.crt
```

* check crt file (the `-sslserver` / `s_client` commands above save whatever chain the network delivered; compare the fingerprint with one obtained out of band before importing it anywhere)

  ```bash
  $ openssl x509 \
            -in google.com.crt \
            -noout \
            -text |
            grep "Not "
              Not Before: Aug 30 01:36:08 2021 GMT
              Not After : Nov 22 01:36:07 2021 GMT

  # -- or --
  $ keytool -printcert \
            -v \
            -file google.com.crt |
            head
  Certificate[1]:
  Owner: CN=*.google.com
  Issuer: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
  Serial number: 1a46a5eeaea1c2610a00000000fcefe4
  Valid from: Sun Aug 29 18:36:08 PDT 2021 until: Sun Nov 21 17:36:07 PST 2021
  Certificate fingerprints:
     MD5:  58:83:A1:72:6A:FC:96:FD:18:BF:93:57:AD:64:BE:55
     SHA1: 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
     SHA256: 03:FF:12:79:0E:57:B2:90:65:37:F2:5D:EA:62:A5:36:62:C6:1E:C0:2E:58:12:10:33:66:2D:49:2B:0C:3B:D5
  Signature algorithm name: SHA256withRSA
  ```

### add crt into Java keystore

{% hint style="info" %}
[imarslo: get remote server certs](https://github.com/marslo/ibook/blob/marslo/docs/cheatsheet/ssl/ssl.html#get-remote-server-certs)
{% endhint %}

#### generate a certificate

```bash
# -genkey is the legacy name of -genkeypair: it creates an RSA key pair plus a
# self-signed certificate and stores both under the alias as a PrivateKeyEntry.
# keytool prompts for the distinguished name and for the store/key passwords.
$ keytool -genkeypair \
          -alias google.com \
          -keyalg RSA \
          -keysize 2048 \
          -sigalg SHA256withRSA \
          -validity 365 \
          -keystore keystore.jks
```

#### create java keystore from cert file

```bash
$ keytool -importcert \
          -alias google.com \
          -keystore google.com.jks \
          -storepass changeit \
          -file google.com.crt

Trust this certificate? [no]:  yes
Certificate was added to keystore
```

{% hint style="info" %}
`-noprompt` skips the `Trust this certificate? [no]:` confirmation, so use it only after the fingerprint has been checked out of band: the prompt is the last point at which a substituted certificate can be caught. `-trustcacerts` has no effect on the prompt; it tells keytool to also consult the `cacerts` file when building the chain of trust for the certificate being imported.

`-storepass changeit` on the command line ends up in shell history and in `ps` output. Omit it to be prompted, or use `-storepass:env VARIABLE` / `-storepass:file PATH` to read it from an environment variable or a file.

A leaf certificate imported as a `trustedCertEntry` is trusted only until the server rotates it (the google.com certificate above is valid for under three months). For durable trust, import the issuing CA certificate from the chain instead.
{% endhint %}

* verify

  ```bash
  $ keytool -list \
            -keystore google.com.jks \
            -storepass changeit        # add -v for the full certificate details
  Keystore type: jks
  Keystore provider: SUN

  Your keystore contains 1 entry

  google.com, Sep 27, 2021, trustedCertEntry,
  Certificate fingerprint (SHA1): 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
  ```

#### append to existing java keystore

```bash
# -import is the legacy name of -importcert. The keystore file is created if it does not
# exist yet; an alias must be unique within the store. -noprompt accepts the certificate
# without the fingerprint confirmation, so verify the fingerprint first.
$ keytool -import \
          -noprompt \
          -trustcacerts \
          -alias google.com \
          -keystore google.com.new.jks \
          -file google.com.crt
```

#### remove alias

```bash
# get alias
# Java 9+: $JAVA_HOME/lib/security/cacerts; Java 8: $JAVA_HOME/jre/lib/security/cacerts.
# The default cacerts password is changeit.
$ $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/lib/security/cacerts | grep <alias.name>
# or (-cacerts is available from Java 9)
$ $JAVA_HOME/bin/keytool -list -cacerts | grep <alias.name>
# or
$ keytool -list -v -keystore /path/to/cacerts.jks | grep 'Alias name:' | grep -i <alias.name>

# delete alias
# -noprompt and -trustcacerts apply to imports, not to -delete; only the alias and the
# store password (prompted for here) are needed.
$ $JAVA_HOME/bin/keytool -delete -cacerts -alias <the-alias-name>
# or
$ $JAVA_HOME/bin/keytool -delete -keystore /path/to/cacerts.jks -alias <the-alias-name>
```
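The import, verify and remove steps above, done through the `java.security.KeyStore` API instead of keytool, as an added example (not code from the original page or the handbook). It reads the PEM chain saved in "get cert from domain", refuses to import the leaf unless its SHA-256 fingerprint matches one supplied out of band (the check that `-noprompt` skips), stores it as a `trustedCertEntry`, and then lists the store the way `keytool -list` does. The keystore password is read from an environment variable named `STOREPASS` (an assumption of this example, not a keytool convention), and the store type is inferred from the file extension.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Locale;

/** Pinned import of a PEM certificate into a JKS/PKCS12 truststore, then list it (example code). */
public final class TrustStoreImport {

    /** SHA-256 fingerprint in the colon-separated form printed by `keytool -printcert`. */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Parse every PEM certificate in the file, leaf first (the order the server sent them). */
    static X509Certificate[] readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Load an existing keystore, or start an empty one as keytool does on a first -importcert. */
    static KeyStore loadOrCreate(Path file, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) { ks.load(in, storePass); }
        } else {
            ks.load(null, storePass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreImport <store.jks|store.p12> <alias> <cert.pem> [expected-sha256]");
            System.exit(2);
        }
        Path storePath = Paths.get(args[0]);
        String alias = args[1];
        String expected = args.length > 3 ? args[3].replace(":", "").toUpperCase(Locale.ROOT) : null;

        // Password from the environment (assumed variable name STOREPASS) rather than the command
        // line, so it lands neither in shell history nor in `ps` output.
        String pw = System.getenv("STOREPASS");
        if (pw == null) throw new IllegalStateException("STOREPASS is not set");
        char[] storePass = pw.toCharArray();

        // JKS for the page's .jks files, PKCS12 (the default store type since Java 9) otherwise
        String type = storePath.toString().toLowerCase(Locale.ROOT).endsWith(".jks") ? "JKS" : "PKCS12";

        X509Certificate leaf = readPemChain(Paths.get(args[2]))[0];
        leaf.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        String fp = sha256Fingerprint(leaf);
        if (expected != null && !fp.replace(":", "").equals(expected)) {
            // This is the check -noprompt skips: refuse to trust a substituted certificate.
            throw new SecurityException("fingerprint mismatch, refusing to import: " + fp);
        }

        KeyStore ks = loadOrCreate(storePath, type, storePass);
        if (ks.containsAlias(alias)) ks.deleteEntry(alias); // keytool -delete -alias
        ks.setCertificateEntry(alias, leaf);                 // keytool -importcert: a trustedCertEntry
        try (OutputStream out = Files.newOutputStream(storePath)) { ks.store(out, storePass); }

        // keytool -list equivalent
        System.out.println("Keystore type: " + ks.getType() + ", " + ks.size() + " entries");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            Certificate c = ks.getCertificate(a); // null for SecretKeyEntry
            String kind = ks.isCertificateEntry(a) ? "trustedCertEntry"
                        : c != null ? "PrivateKeyEntry" : "SecretKeyEntry";
            System.out.println(a + ", " + ks.getCreationDate(a) + ", " + kind
                    + (c == null ? "" : ", SHA256: " + sha256Fingerprint(c)));
        }
    }
}
```

With Java 11 or later it runs straight from the source file, e.g. `STOREPASS=changeit java TrustStoreImport.java google.com.jks google.com google.com.crt <fingerprint>`, where the fingerprint is the `SHA256:` value from `keytool -printcert` obtained through a channel other than the connection being pinned. Because the program imports `chain[0]`, the leaf, the entry stops matching at the next certificate rotation; for a long-lived truststore, point it at a file that contains only the issuing CA certificate.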

### import an entire keystore into another keystore

```bash
# -deststoretype PKCS11 with -destkeystore NONE: the destination is a hardware token or HSM
# reached through the configured PKCS#11 provider, so there is no destination file and
# -deststorepass is the token PIN. For the common file-to-file migration use e.g.
# -destkeystore key.p12 -deststoretype PKCS12.
$ keytool -importkeystore                          \
          -srckeystore key.jks -destkeystore NONE  \
          -srcstoretype JKS -deststoretype PKCS11  \
          -srcstorepass <source keystore password> \
          -deststorepass <destination keystore password>
```

* import only single alias from keystore to another keystore

  ```bash
  $ keytool -importkeystore                                   \
            -srckeystore key.jks -destkeystore NONE           \
            -srcstoretype JKS -deststoretype PKCS11           \
            -srcstorepass <source keystore password>          \
            -deststorepass <destination keystore password>    \
            -srcalias myprivatekey -destalias myoldprivatekey \
            -srckeypass <source entry password>               \
            -destkeypass <destination entry password>         \
            -noprompt
  ```
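A file-to-file version of `-importkeystore` through the `KeyStore` API, added here as example code (not the page's or keytool's own): it copies every entry, or a single source alias optionally renamed as with `-srcalias`/`-destalias`, from one keystore into another of a different type, re-protecting private and secret keys with the destination password. The typical use is the JKS to PKCS12 migration that keytool itself recommends in its "proprietary format" warning. Passwords come from the environment variables `SRC_STOREPASS`, `SRC_KEYPASS` and `DST_STOREPASS` (assumed names); the destination is always a file, so the PKCS11 token case from the commands above is not covered.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStore.PasswordProtection;
import java.util.Enumeration;

/** Copy all entries, or one alias, between keystores of different types (example code). */
public final class KeyStoreCopy {

    /**
     * Trusted certificates carry no password. Private and secret key entries are unwrapped
     * with srcKeyPass and re-protected with dstKeyPass (-srckeypass / -destkeypass).
     * With onlyAlias set, just that entry is copied, under destAlias if one is given.
     * Returns the number of entries copied.
     */
    static int copyEntries(KeyStore src, char[] srcKeyPass, KeyStore dst, char[] dstKeyPass,
                           String onlyAlias, String destAlias) throws Exception {
        int copied = 0;
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // JKS stores aliases case-insensitively, so match the same way
            if (onlyAlias != null && !alias.equalsIgnoreCase(onlyAlias)) continue;
            String target = destAlias != null ? destAlias : alias;
            if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(target, src.getCertificate(alias));
            } else {
                KeyStore.Entry entry = src.getEntry(alias, new PasswordProtection(srcKeyPass));
                dst.setEntry(target, entry, new PasswordProtection(dstKeyPass));
            }
            copied++;
        }
        return copied;
    }

    static char[] env(String name) {
        String v = System.getenv(name);
        if (v == null) throw new IllegalStateException(name + " is not set");
        return v.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: KeyStoreCopy <src-file> <src-type> <dst-file> <dst-type> [src-alias [dest-alias]]");
            System.exit(2);
        }
        // Assumed variable names. SRC_KEYPASS defaults to the source store password, and the
        // destination store password also protects the copied keys, which is what keytool
        // does for PKCS12 (it ignores a different -destkeypass there).
        char[] srcStorePass = env("SRC_STOREPASS");
        char[] srcKeyPass = System.getenv("SRC_KEYPASS") == null ? srcStorePass : env("SRC_KEYPASS");
        char[] dstStorePass = env("DST_STOREPASS");

        KeyStore src = KeyStore.getInstance(args[1]);
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) { src.load(in, srcStorePass); }

        KeyStore dst = KeyStore.getInstance(args[3]);
        dst.load(null, dstStorePass); // start from an empty destination

        String onlyAlias = args.length > 4 ? args[4] : null;
        String destAlias = args.length > 5 ? args[5] : null;
        int n = copyEntries(src, srcKeyPass, dst, dstStorePass, onlyAlias, destAlias);
        try (OutputStream out = Files.newOutputStream(Paths.get(args[2]))) { dst.store(out, dstStorePass); }
        System.out.println("copied " + n + " entries from " + args[0] + " (" + args[1] + ")"
                + " to " + args[2] + " (" + args[3] + ")");
    }
}
```

`SRC_STOREPASS=... DST_STOREPASS=... java KeyStoreCopy.java key.jks JKS key.p12 PKCS12` migrates the whole store; appending `myprivatekey myoldprivatekey` copies and renames the single entry from the command above. Loading the source with the wrong key password fails at `getEntry` with an `UnrecoverableKeyException`, before anything is written.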

### export items to cert file

{% hint style="info" %}
history: this command was named `-export` in previous releases. The old name is still supported and will remain so, but the new name, `-exportcert`, is preferred for clarity going forward.
{% endhint %}

```bash
# writes the entry's certificate in binary DER by default; add -rfc for PEM output
$ keytool -exportcert \
          -keystore google.com.jks \
          -alias google.com \
          -file google.com.crt
```

