Keytool is the key and certificate management utility shipped with the JDK. It manages keystores, historically the Java KeyStore (JKS) format (from JDK 9 the default type is PKCS12): a password-protected repository holding private keys together with their certificate chains, and trusted public-key certificates such as CA certificates, used for instance for SSL/TLS. It lets the user generate and manage their own public/private key pairs and certificates.
KeyStore
- You might hear the alternative name "truststore", which is simply a KeyStore used only to hold trusted certificates, typically the public certificates of well known Certificate Authorities (CAs), and no private keys.
- A KeyStore can hold both private keys (with their certificate chains) and public certificates.
- From JDK 6 onwards you can get private keys out of a JKS KeyStore with -importkeystore, by converting the store to PKCS12 (see "Exporting a private key from a KeyStore" below).
Creating a self signed certificate
$ keytool -genkey -keyalg RSA -alias mycert -keystore keystore -storepass 123456 -validity 3650 -keysize 2048
What is your first and last name?
[Unknown]: Nataraj Basappa
What is the name of your organizational unit?
[Unknown]: Situp
What is the name of your organization?
[Unknown]: Sceneric Ltd
What is the name of your City or Locality?
[Unknown]: Newbury
What is the name of your State or Province?
[Unknown]: West Berkshire
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=Nataraj Basappa, OU=Situp, O=Sceneric Ltd, L=Newbury, ST=West Berkshire, C=GB correct?
[no]: yes
Enter key password for <mycert>
(RETURN if same as keystore password):
Re-enter new password:
The command above generates a 2048-bit RSA key pair and a self-signed certificate valid for 10 years (3650 days), and stores both under the alias mycert in a keystore file named "keystore". -genkey is the older name of -genkeypair. From JDK 9 the default keystore type is PKCS12 rather than JKS, so pass -storetype JKS if you specifically need a JKS file. Passing -storepass on the command line leaves the password in your shell history; omit it to be prompted instead.
Note: If you are planning to use this JKS with Tomcat, keep the key password and the keystore password the same (press RETURN at the key password prompt): Tomcat's keyPass defaults to keystorePass, so a different key password will fail unless you configure keyPass explicitly.
Exporting a certificate from a KeyStore
$ keytool -export -alias mycert -file mycert.crt -keystore keystore
Enter keystore password:
Certificate stored in file <mycert.crt>
The exported file contains only the public certificate, never the private key, so it is safe to hand to clients that need to trust this server. -export is the older name of -exportcert; the output is DER-encoded by default, add -rfc to get a PEM (Base64) file instead.
Note: Follow this link to import the generated certificate into the Windows certificate store.
Exporting a private key from a KeyStore
keytool cannot print a private key directly. The command below copies the whole KeyStore, private key and certificate included, into a PKCS12 file, which OpenSSL and most other tools can read (for example to extract the key as PEM with openssl pkcs12). Note the file name: the keystore created above was named "keystore", so use that (or keystore.jks if that is what you named it).
$ keytool -importkeystore -srckeystore keystore -srcstoretype JKS -destkeystore intermediate.p12 -deststoretype PKCS12
You are prompted for the new destination password, the source keystore password and, if it differs, the key password. Treat the .p12 file like the private key itself: restrict its permissions and delete it once the key has been extracted.
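The whole procedure on this page, generating the self-signed certificate, exporting the certificate, converting to PKCS12 and pulling the private key out with OpenSSL, as one non-interactive script. This is an added example, not code from the original post; it assumes keytool (JDK) and openssl are on PATH, and the file names, alias and password (demo.keystore, mycert, changeit) are illustrative. The -dname flag replaces the interactive subject prompts shown above, and the last function checks the Tomcat note (key password equal to keystore password) by trying to use the key with the store password.

```shell
#!/bin/sh
# Added example: end-to-end keytool workflow, non-interactive.
# Assumes keytool and openssl on PATH. Names and password are illustrative.
set -eu

KS="${KS:-demo.keystore}"        # keystore file (the page calls it "keystore")
ALIAS="${ALIAS:-mycert}"
STOREPASS="${STOREPASS:-changeit}"

# 1. Key pair + self-signed cert, 10 years, subject given with -dname so no prompts.
#    -storetype JKS is explicit because JDK 9+ defaults to PKCS12.
gen_keypair() {
  rm -f "$KS"
  keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -alias "$ALIAS" -keystore "$KS" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -validity 3650 \
    -dname "CN=Nataraj Basappa, OU=Situp, O=Sceneric Ltd, L=Newbury, ST=West Berkshire, C=GB"
}

# 2. Export only the public certificate; -rfc gives PEM instead of the default DER.
export_cert() {
  keytool -exportcert -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
    -rfc -file "$ALIAS.pem"
}

# 3. Copy the entry (private key + cert) into a PKCS12 file that OpenSSL can read.
to_pkcs12() {
  rm -f "$ALIAS.p12"
  keytool -importkeystore -srckeystore "$KS" -srcstoretype JKS \
    -srcstorepass "$STOREPASS" -srcalias "$ALIAS" -srckeypass "$STOREPASS" \
    -destkeystore "$ALIAS.p12" -deststoretype PKCS12 \
    -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
}

# 4. Extract the private key as unencrypted PEM. Older JDKs wrap PKCS12 entries with
#    legacy ciphers that OpenSSL 3 only accepts with -legacy, hence the fallback.
extract_key() {
  rm -f "$ALIAS.key"
  openssl pkcs12 -in "$ALIAS.p12" -passin "pass:$STOREPASS" \
    -nocerts -nodes -out "$ALIAS.key" 2>/dev/null \
  || openssl pkcs12 -legacy -in "$ALIAS.p12" -passin "pass:$STOREPASS" \
    -nocerts -nodes -out "$ALIAS.key"
  chmod 600 "$ALIAS.key"
}

# 5. Sanity check: the public key inside the exported cert must match the extracted key.
verify_match() {
  k=$(openssl pkey -in "$ALIAS.key" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$ALIAS.pem" -pubkey -noout \
      | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# 6. Tomcat check: succeeds only if the key can be opened with the store password
#    (-certreq with no -file writes the CSR to stdout, which we discard).
key_pass_equals_store_pass() {
  keytool -certreq -alias "$ALIAS" -keystore "$KS" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

run_all() {
  gen_keypair && export_cert && to_pkcs12 && extract_key \
    && verify_match && key_pass_equals_store_pass \
    && echo "ok: $ALIAS.pem (cert), $ALIAS.key (private key), $KS (keystore)"
}

# Run the whole workflow only when invoked as: sh keytool-demo.sh --run
if [ "${1:-}" = "--run" ]; then
  run_all
fi
```

The PKCS12 file and the PEM key are both unprotected secrets once step 4 has run: the script restricts the key file's permissions, but in practice delete the .p12 as soon as the key is where it needs to be, and never commit either to source control.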