Overview

By default, keytool uses the keystore at ~/.keystore.

Listing Certificates

To list certificates:

$ keytool -list -keystore keystore.p12 -storepass Secret.123

To see more details:

$ keytool -list -keystore keystore.p12 -storepass Secret.123 -v

To list the current user's CA certificates (from the default keystore at ~/.keystore):

$ keytool -list

To list the system's CA certificates:

$ keytool -list -keystore /etc/pki/java/cacerts -storepass changeit

Generating Self-Signed Certificate

To generate a self-signed RSA server certificate:

$ keytool -genkeypair \
    -keystore keystore.p12 \
    -storetype pkcs12 \
    -storepass Secret.123 \
    -alias sslserver \
    -keyalg RSA \
    -dname "CN=$HOSTNAME" \
    -keypass Secret.123

To generate a self-signed ECC server certificate:

$ keytool -genkeypair \
    -keystore keystore.p12 \
    -storetype pkcs12 \
    -storepass Secret.123 \
    -alias sslserver \
    -keyalg EC \
    -dname "CN=$HOSTNAME" \
    -keypass Secret.123

Generating CSR

To generate a CSR from an existing key pair:

$ keytool -certreq \
    -keystore keystore.p12 \
    -storepass Secret.123 \
    -alias sslserver \
    -file sslserver.csr

Importing CA Certificate

To import a CA certificate into the current user's keystore (~/.keystore):

$ keytool -import -alias <nickname> -file <certificate> -trustcacerts -storepass changeit

Importing Certificate

To import a certificate into a keystore:

$ keytool -import -keystore <keystore> -alias <nickname> -file <certificate>

To import a CA certificate into the system's trusted keystore:

$ keytool -import \
    -keystore /etc/pki/java/cacerts \
    -alias example \
    -file example.crt

Exporting Certificates

To export a certificate in PEM format (-rfc):

$ keytool -export \
    -rfc \
    -keystore keystore.p12 \
    -storepass Secret.123 \
    -alias sslserver \
    -file sslserver.crt
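Before a certificate exported this way, or a CA certificate received from elsewhere, is imported into a trust store, it is worth confirming that the file really carries the expected certificate by comparing fingerprints. The following script is an added example, not part of the original page: it builds a throwaway PKCS12 keystore with an EC key pair, exports the certificate as PEM, and checks that keytool -printcert reports the same SHA-256 fingerprint for the file as keytool -list -v reports for the keystore entry. It assumes a JDK 8+ keytool on PATH; the CN, file paths, alias and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a throwaway PKCS12
# keystore, exports its certificate as PEM, and checks that the exported file
# carries the same SHA-256 fingerprint as the keystore entry. Assumes a JDK 8+
# keytool on PATH; paths, CN, alias and password below are placeholders.
set -eu

KEYSTORE="${TMPDIR:-/tmp}/demo-keystore.p12"
CERT="${TMPDIR:-/tmp}/demo-sslserver.crt"
STOREPASS="Secret.123"
ALIAS="sslserver"

# Pull the SHA256 fingerprint out of keytool output, as lower-case hex without colons.
fingerprint_of() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 | tr -d ':' | tr 'A-F' 'a-f'
}

# Generate an EC key pair with a self-signed certificate, then export it in PEM (-rfc).
make_keystore() {
  rm -f "$KEYSTORE" "$CERT"
  keytool -genkeypair -keystore "$KEYSTORE" -storetype pkcs12 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias "$ALIAS" \
    -keyalg EC -dname "CN=demo.example.test" -validity 1
  keytool -exportcert -rfc -keystore "$KEYSTORE" -storetype pkcs12 \
    -storepass "$STOREPASS" -alias "$ALIAS" -file "$CERT"
}

# Returns 0 when the exported PEM file matches the keystore entry, 1 otherwise.
verify_export() {
  grep -q 'BEGIN CERTIFICATE' "$CERT" || return 1
  in_store=$(keytool -list -v -keystore "$KEYSTORE" -storetype pkcs12 \
    -storepass "$STOREPASS" -alias "$ALIAS" | fingerprint_of)
  in_file=$(keytool -printcert -file "$CERT" | fingerprint_of)
  [ -n "$in_store" ] && [ "$in_store" = "$in_file" ]
}

# Returns 0 on success, or when keytool is unavailable and there is nothing to check; 1 on mismatch.
run_demo() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping" >&2; return 0; }
  make_keystore
  verify_export || { echo "fingerprint mismatch; do not trust $CERT" >&2; return 1; }
  echo "exported certificate matches keystore entry"
}

run_demo
```

The same keytool -printcert fingerprint check applies to a CA certificate before it is imported into /etc/pki/java/cacerts: compare it against the value published by the CA rather than trusting the file as received.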

References