Overview
By default, keytool will use the keystore at ~/.keystore.
Listing Certificates
To list certificates:
$ keytool -list -keystore keystore.p12 -storepass Secret.123
To see more details:
$ keytool -list -keystore keystore.p12 -storepass Secret.123 -v
To list the user's CA certificates:
$ keytool -list
To list the system's CA certificates:
$ keytool -list -keystore /etc/pki/java/cacerts -storepass changeit
Generating Self-Signed Certificate
To generate a self-signed RSA server certificate:
$ keytool -genkeypair \
    -keystore keystore.p12 \
    -storetype pkcs12 \
    -storepass Secret.123 \
    -alias sslserver \
    -keyalg RSA \
    -dname "CN=$HOSTNAME" \
    -keypass Secret.123
To generate a self-signed ECC server certificate:
$ keytool -genkeypair \
    -keystore keystore.p12 \
    -storetype pkcs12 \
    -storepass Secret.123 \
    -alias sslserver \
    -keyalg EC \
    -dname "CN=$HOSTNAME" \
    -keypass Secret.123
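The commands on this page pass the store password with -storepass, which leaves it in shell history and visible in the process list. The following added example (not from the original page) generates the same ECC server certificate but reads the password from an owner-only file with -storepass:file, and sets a subjectAltName and an explicit validity; the file names and host.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Paths and host name are
# constructed placeholders.
set -eu

# Create a random store password in a file only the owner can read.
# $1 = password file path
new_pass_file() {
    ( umask 077 && head -c 24 /dev/urandom | base64 | tr -d '\n' > "$1" )
}

# Generate a self-signed EC server certificate in a PKCS #12 keystore.
# $1 = keystore path, $2 = password file, $3 = DNS name of the server
gen_server_keystore() {
    # -storepass:file keeps the password off the command line.
    # -keypass is omitted: keytool uses the store password for PKCS #12 keys.
    # -ext adds the subjectAltName that TLS clients match host names against.
    # -validity is set explicitly; keytool's default is 90 days.
    keytool -genkeypair \
        -keystore "$1" \
        -storetype pkcs12 \
        -storepass:file "$2" \
        -alias sslserver \
        -keyalg EC \
        -dname "CN=$3" \
        -ext "SAN=dns:$3" \
        -validity 365
}

# Print the certificate details so the SAN and validity can be reviewed.
# $1 = keystore path, $2 = password file
show_cert() {
    keytool -list -v -keystore "$1" -storepass:file "$2" -alias sslserver
}

# Usage:
#   new_pass_file keystore.pass
#   gen_server_keystore keystore.p12 keystore.pass host.example.test
#   show_cert keystore.p12 keystore.pass
```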
Generating CSR
To generate a CSR from an existing key pair:
$ keytool -certreq \
    -keystore keystore.p12 \
    -storepass Secret.123 \
    -alias sslserver \
    -file sslserver.csr
Importing CA Certificate
To import a CA certificate for the current user:
$ keytool -import -alias <nickname> -file <certificate> -trustcacerts -storepass changeit
Importing Certificate
To import a certificate into a keystore:
$ keytool -import -keystore <keystore> -alias <nickname> -file <certificate>
To import a CA certificate into the trusted keystore:
$ keytool -import \
    -keystore /etc/pki/java/cacerts \
    -alias example \
    -file example.crt
Exporting Certificates
To export a certificate from a keystore:
$ keytool -export \
    -rfc \
    -keystore keystore.p12 \
    -storepass Secret.123 \
    -alias sslserver \
    -file sslserver.crt