keystore

• Keytool Options

• get cert from domain

• add crt into Java keystore

  • generate a certificate

  • create java keystore from cert file

  • append to existing java keystore

  • remove alias

• import an entire keystore into another keystore

• export items to cert file

references:

• keytool - Key and Certificate Management Tool

• To Use keytool to Create a Server Certificate

  • gencert

  • importcert

  • changealias

  • Examples

• 5 Creating, Exporting, and Importing SSL Certificates

• To Generate a Certificate by Using keytool

• Error Importing SSL certificate : Not an X.509 Certificate

• generate key and certificate using keytool

• How to Creat JKS KeyStore file from existing private key and certificate

• How to Generate a Keystore and CSR Using the Keytool Command

• The Most Common Java Keytool Keystore Commands

• Error unable to find valid certification path

• Java Keytool - Create Keystore

• ARTIFACTORY: How to Resolve an “unable to find valid certification path to requested target” Error

• Working with Certificates and SSL

Keytool Options

KEYTOOL OPTIONS	DESCRIPTION
-delete	deletes an entry from the keystore
-exportcert	exports a certificate from a keystore
-genkeypair	generates a key pair
-genseckey	generates a secret key pair
-gencert	generates a certificate from a certificate request
-importcert	import a certificate or a certificate chain to keystore
-importpass	imports a password
-importkeystore	imports one or all entries from another keystore to a keystore
-keypasswd	changes the key password of an entry in keystore
-list	lists entries in a keystore
-printcert	prints the content of a certificate
-printcertreq	prints the content of a certificate request
-printcrl	prints the content of a crl file
-storepasswd	changes the store password of a keystore

get cert from domain

$ keytool -printcert \
          -rfc \
          -sslserver google.com:443 > google.com.crt
# or
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
          sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > google.com.crt

• check crt file

  $ openssl x509 \
            -in google.com.crt \
            -noout \
            -text |
            grep "Not "
              Not Before: Aug 30 01:36:08 2021 GMT
              Not After : Nov 22 01:36:07 2021 GMT
  
  # -- or --
  $ keytool -printcert \
            -v \
            -file google.com.crt |
            head
  Certificate[1]:
  Owner: CN=*.google.com
  Issuer: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
  Serial number: 1a46a5eeaea1c2610a00000000fcefe4
  Valid from: Sun Aug 29 18:36:08 PDT 2021 until: Sun Nov 21 17:36:07 PST 2021
  Certificate fingerprints:
     MD5:  58:83:A1:72:6A:FC:96:FD:18:BF:93:57:AD:64:BE:55
     SHA1: 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
     SHA256: 03:FF:12:79:0E:57:B2:90:65:37:F2:5D:EA:62:A5:36:62:C6:1E:C0:2E:58:12:10:33:66:2D:49:2B:0C:3B:D5
  Signature algorithm name: SHA256withRSA

add crt into Java keystore

[!TIP] imarslo: get remote server certs

generate a certificate

$ keytool -genkey \
          -alias google.com \
          -keyalg RSA \
          -keystore keystore.jks \
          -keysize 2048

create java keystore from cert file

$ keytool -importcert \
          -alias google.com \
          -keystore google.com.jks \
          -storepass changeit \
          -file google.com.crt

Trust this certificate? [no]:  yes
Certificate was added to keystore

using -noprompt -trustcacerts will skip manual input yes for Trust this certificate

• verify

  $ keytool -list \
            [-v] \
            -keystore google.com.jks \
            -storepass changeit
  Keystore type: jks
  Keystore provider: SUN
  
  Your keystore contains 1 entry
  
  google.com, Sep 27, 2021, trustedCertEntry,
  Certificate fingerprint (SHA1): 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6

append to existing java keystore

$ keytool -import \
          -noprompt \
          -trustcacerts \
          -alias google.com \
          -keystore google.com.new.jks \
          -file google.com.crt

remove alias

# get alias
$ $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/lib/security/cacerts | grep <alias.name>
# or
$ $JAVA_HOME/bin/keytool -list -cacerts | grep <alias.name>
# or
$ keytool -list -v -keystore /path/to/cacerts.jks | grep 'Alias name:' | grep -i <alias.name>

# delete alias
$ $JAVA_HOME/bin/keytool -noprompt -trustcacerts -cacerts -delete -alias <the-alias-name>
# or
$ $JAVA_HOME/bin/keytool -noprompt -trustcacerts -keystore /path/to/cacerts.jks -delete -alias <the-alias-name>

import an entire keystore into another keystore

$ keytool -importkeystore                          \
          -srckeystore key.jks -destkeystore NONE  \
          -srcstoretype JKS -deststoretype PKCS11  \
          -srcstorepass <source keystore password> \
          -deststorepass <destination keystore password>

• import only single alias from keystore to another keystore

  $ keytool -importkeystore                                   \
            -srckeystore key.jks -destkeystore NONE           \
            -srcstoretype JKS -deststoretype PKCS11           \
            -srcstorepass <source keystore password>          \
            -deststorepass <destination keystore password>    \
            -srcalias myprivatekey -destalias myoldprivatekey \
            -srckeypass <source entry password>               \
            -destkeypass <destination entry password>         \
            -noprompt

export items to cert file

history: This command was named -export in previous releases.

This old name is still supported in this release and will be supported in future releases, but for clarify the new name, -exportcert, is preferred going forward.

$ keytool -export \
          -keystore google.com.jks \
          -alias google.com \
          -file google.com.crt