Keytool

From Dogtag

Listing Certificates

To list certificates:

$ keytool -list -keystore keystore.p12 -storepass Secret.123

To see more details:

$ keytool -list -keystore keystore.p12 -storepass Secret.123 -v

To list CA certificates:

$ keytool -list -keystore /etc/pki/java/cacerts -storepass changeit

Generating Self-Signed Certificate

To generate a self-signed RSA server certificate:

$ keytool -genkeypair \
    -keystore keystore.p12 \
    -storetype pkcs12 \
    -storepass Secret.123 \
    -alias sslserver \
    -keyalg RSA \
    -dname "CN=$HOSTNAME" \
    -keypass Secret.123

To generate a self-signed ECC server certificate:

$ keytool -genkeypair \
    -keystore keystore.p12 \
    -storetype pkcs12 \
    -storepass Secret.123 \
    -alias sslserver \
    -keyalg EC \
    -dname "CN=$HOSTNAME" \
    -keypass Secret.123

Generating CSR

To generate a CSR from an existing key pair:

$ keytool -certreq \
    -keystore keystore.p12 \
    -storepass Secret.123 \
    -alias sslserver \
    -file sslserver.csr

Importing Certificate Chain

To import a certificate and validate its chain against the CA certificates in the default trusted keystore (-trustcacerts):

$ keytool -import -keystore <keystore> -alias <nickname> -file <certificate> -trustcacerts

Importing Certificate

To import a certificate into a keystore:

$ keytool -import -keystore <keystore> -alias <nickname> -file <certificate>

To import a CA certificate into the trusted keystore:

$ keytool -import \
    -keystore /etc/pki/java/cacerts \
    -alias example \
    -file example.crt

Exporting Certificates

To export a certificate in PEM format (-rfc):

$ keytool -export \
    -rfc \
    -keystore keystore.p12 \
    -storepass Secret.123 \
    -alias sslserver \
    -file sslserver.crt
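The following script is an added example and is not part of the Dogtag wiki page; it ties the listing, key generation, CSR and export commands above together. The alias sslserver, the store password Secret.123 and the file names are taken from the page; the listing parser, the sample listing, the fixed CN example.test and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Dogtag project: helper functions around the
# keytool commands on this page. The alias, password and file names are the
# page's; the parser, the sample listing and the lifecycle check are assumptions.

# Constructed sample of 'keytool -list' output (not captured from a real store).
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

sslserver, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC
example, Feb 2, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): DD:EE:FF'

# Print the aliases of all entries of a given type (PrivateKeyEntry,
# trustedCertEntry or SecretKeyEntry) found in 'keytool -list' output.
# keytool prints one "alias, date, EntryType," line per entry.
entries_of_type() {
    listing=$1
    type=$2
    printf '%s\n' "$listing" | awk -v t="$type" '
        $0 ~ (", " t ",$") { sub(/,.*/, ""); print }'
}

# Return 0 if the keystore holds an entry with the given alias and type.
# LC_ALL=C keeps keytool's labels in English, which the parser relies on.
keystore_has_entry() {
    ks=$1; pass=$2; alias=$3; type=$4
    listing=$(LC_ALL=C keytool -list -keystore "$ks" -storepass "$pass" 2>/dev/null) || return 1
    entries_of_type "$listing" "$type" | grep -qx "$alias"
}

# Run the page's generate / list / certreq / export sequence in a temporary
# directory and check the result of each step. A fixed CN replaces $HOSTNAME
# so the run is the same on every machine.
demo_lifecycle() {
    work=$(mktemp -d) || return 1
    ks="$work/keystore.p12"
    pass="Secret.123"

    keytool -genkeypair \
        -keystore "$ks" -storetype pkcs12 -storepass "$pass" \
        -alias sslserver -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=example.test" -keypass "$pass" || return 1

    # The new key pair must show up as a PrivateKeyEntry, not as a bare cert.
    keystore_has_entry "$ks" "$pass" sslserver PrivateKeyEntry || return 1

    keytool -certreq -keystore "$ks" -storepass "$pass" \
        -alias sslserver -file "$work/sslserver.csr" || return 1
    grep -q 'BEGIN NEW CERTIFICATE REQUEST' "$work/sslserver.csr" || return 1

    keytool -export -rfc -keystore "$ks" -storepass "$pass" \
        -alias sslserver -file "$work/sslserver.crt" || return 1
    grep -q 'BEGIN CERTIFICATE' "$work/sslserver.crt" || return 1

    echo "lifecycle OK in $work"
}

# Parser demo on the constructed sample: prints "sslserver".
entries_of_type "$SAMPLE_LISTING" PrivateKeyEntry

# The live demo only runs when a JDK is on PATH; the parser needs none.
if command -v keytool >/dev/null 2>&1; then
    demo_lifecycle
fi
```

keystore_has_entry is the check worth keeping: after importing a CA reply into an existing alias, the entry must still be reported as PrivateKeyEntry; if it appears as trustedCertEntry, the certificate was imported under a new alias and the server will not serve it with its key.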
