Keytool is an SSL certificate management utility included in the JDK that manages Java KeyStore (JKS) files. A JKS is a repository of security certificates, either authorization certificates or public key certificates, used for instance in SSL encryption. It also lets the user manage their own public/private key pairs and certificates.
- You might hear the alternative name "truststore", which is basically a KeyStore that may only hold the authorization certificates or public key certificates of well-known Certificate Authorities (CAs).
- A KeyStore can hold both private keys and public certificates.
- You can export private keys out of a KeyStore from JDK 6 and above using importkeystore (see the section on exporting a private key below).
Creating a self-signed certificate
$ keytool -genkey -keyalg RSA -alias mycert -keystore keystore -storepass 123456 -validity 3650 -keysize 2048
What is your first and last name?
  [Unknown]:  Nataraj Basappa
What is the name of your organizational unit?
  [Unknown]:  Situp
What is the name of your organization?
  [Unknown]:  Sceneric Ltd
What is the name of your City or Locality?
  [Unknown]:  Newbury
What is the name of your State or Province?
  [Unknown]:  West Berkshire
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Nataraj Basappa, OU=Situp, O=Sceneric Ltd, L=Newbury, ST=West Berkshire, C=GB correct?
  [no]:  yes
Enter key password for <mycert>
        (RETURN if same as keystore password):
Re-enter new password:
The command above creates a self-signed certificate with 10 years of validity and stores it in a keystore file named "keystore".
Note: If you plan to use this JKS for Tomcat, make sure the certificate (key) password and the keystore password are the same.
Exporting a certificate from a KeyStore
$ keytool -export -alias mycert -file mycert.crt -keystore keystore
Enter keystore password:
Certificate stored in file <mycert.crt>
Note: Follow this link to import generated certificate into Windows keychain
Exporting a private key from a KeyStore
The command below exports the private key (together with its certificate) from the KeyStore and puts it in PKCS12 format. This could later be imported into OpenSSL if required.
$ keytool -importkeystore -srckeystore keystore.jks -destkeystore intermediate.p12 -deststoretype PKCS12
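The three steps above run end to end, as an added example that is not the original post's code: a POSIX shell script that generates the self-signed key pair without prompts (-dname), exports the certificate, converts the key pair to PKCS12 and then checks that the SHA-256 fingerprint of the exported certificate file matches the certificate held in the PKCS12 store. The alias, file names and password are assumptions chosen for the demo; keytool must be on the PATH.

```shell
#!/bin/sh
# Added example, not the original post's code: the page's three keytool steps run
# non-interactively, then the exported certificate is checked against the PKCS12
# copy of the key pair. Alias, file names and password are demo assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
ALIAS="mycert"
STOREPASS="changeit"   # demo password; Tomcat needs key and store passwords equal
JKS="$WORK/keystore.jks"
CRT="$WORK/mycert.crt"
P12="$WORK/intermediate.p12"
# Step 1: self-signed key pair; -dname replaces the interactive prompts.
make_keystore() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3650 \
    -alias "$ALIAS" -keystore "$JKS" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=Nataraj Basappa, OU=Situp, O=Sceneric Ltd, L=Newbury, ST=West Berkshire, C=GB" \
    >/dev/null 2>&1
}

# Step 2: export only the public certificate (DER encoded, as on the page).
export_cert() {
  keytool -exportcert -alias "$ALIAS" -keystore "$JKS" \
    -storepass "$STOREPASS" -file "$CRT" >/dev/null 2>&1
}

# Step 3: copy the key pair into a PKCS12 store. Passwords are given up front so
# nothing prompts; PKCS12 requires the key and store passwords to match.
export_p12() {
  keytool -importkeystore -srckeystore "$JKS" -srcstorepass "$STOREPASS" \
    -srcalias "$ALIAS" -destkeystore "$P12" -deststoretype PKCS12 \
    -deststorepass "$STOREPASS" -noprompt >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate under $ALIAS in a store.
store_fingerprint() {  # $1 = store path, $2 = store type (JKS or PKCS12)
  keytool -list -v -keystore "$1" -storetype "$2" -storepass "$STOREPASS" \
    -alias "$ALIAS" 2>/dev/null | sed -n 's/.*SHA256: *//p' | head -n 1
}

# SHA-256 fingerprint of the standalone exported certificate file.
file_fingerprint() {
  keytool -printcert -file "$CRT" 2>/dev/null | sed -n 's/.*SHA256: *//p' | head -n 1
}

# Runs all three steps; succeeds only when both copies are the same certificate.
run_demo() {
  make_keystore && export_cert && export_p12
  f="$(file_fingerprint)"; [ -n "$f" ] && [ "$f" = "$(store_fingerprint "$P12" PKCS12)" ]
}
```

Running `run_demo` after sourcing the script leaves keystore.jks, mycert.crt and intermediate.p12 in $WORK; a non-zero exit means one of the keytool steps failed or the two certificate copies differ.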