Java Keytool is a key and certificate management utility. It lets users cache certificates and manage their own private/public key pairs and the certificates associated with them. Keytool stores all keys and certificates in a ‘Keystore’, which is by default implemented as a file. A keystore holds the private keys and the certificates needed to establish the trustworthiness of the primary (end-entity) certificate and to complete a chain of trust.
‘Java Keytool’ manages a keystore of cryptographic keys, X.509 certificate chains and trusted certificates. Users can use their public/private key pairs and associated certificates for authentication, data integrity or digital signatures.
Every entry in a Java keystore has a unique alias. To create a ‘Java Keystore’, first create the .jks file, which at that point contains only the private key. Then generate a Certificate Signing Request (CSR) and obtain a certificate generated from it. Finally, import that certificate into the keystore together with any root (and intermediate) certificates.
Here are a few important Java Keytool commands. They can be run from the Windows command prompt or from any other shell that has keytool on its PATH (the last two commands use Unix-style $JAVA_HOME; on the Windows command prompt write %JAVA_HOME% instead).
Generate Key Pair & Java Keystore
keytool -genkeypair -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Generate CSR for existing Java Keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
Generate a keystore and self-signed certificate
keytool -genkeypair -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
Import a signed primary certificate to an existing Java keystore
keytool -importcert -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
Import a root or intermediate CA certificate to an existing Java keystore
keytool -importcert -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
Check an individual certificate
keytool -printcert -v -file mydomain.crt
Check certificates in Java keystore
keytool -list -v -keystore keystore.jks
Check a specific keystore entry using its alias
keytool -list -v -keystore keystore.jks -alias mydomain
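The listing commands above are what an operator runs to audit what a keystore holds. The most common reason to audit is certificate expiry, so here is an added example (not from the original article) that reads the output of `keytool -list -v` and prints every alias whose own certificate expires before a cutoff date. It parses the first "Valid from: ... until: ..." line after each "Alias name:" line, which is the leaf certificate for a key entry and the only certificate for a trusted-cert entry. The sample listing embedded in the script is constructed for the demo; the alias names and dates in it are not real.

```shell
#!/bin/sh
# Added example: find keystore entries whose certificate expires before a cutoff.
# Works on the text that `keytool -list -v` prints, so it needs no keytool itself
# to run on a saved listing. Dates are compared as YYYYMMDD integers, which is
# portable across awk implementations (no mktime needed).
set -eu

# Usage: keytool -list -v -keystore keystore.jks | expiring_before YYYY-MM-DD
# Output: one line per matching entry, "<alias> <expiry as YYYY-MM-DD>".
expiring_before() {
    awk -v cutoff="$1" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        split(cutoff, c, "-")
        cut = c[1] * 10000 + c[2] * 100 + c[3]
    }
    # "Alias name: " is 12 characters; the alias is the rest of the line.
    /^Alias name: / { alias = substr($0, 13); seen = 0; next }
    # First validity line after an alias belongs to the entry itself (leaf cert).
    /^Valid from: / && !seen {
        seen = 1
        n = index($0, "until: ")
        # Java prints dates as "EEE MMM dd HH:mm:ss zzz yyyy", e.g. Tue Mar 04 10:00:00 UTC 2025
        split(substr($0, n + 7), f, " ")
        exp_num = f[6] * 10000 + mon[f[2]] * 100 + f[3]
        if (exp_num < cut)
            printf "%s %04d-%02d-%02d\n", alias, f[6], mon[f[2]], f[3]
    }'
}

# Constructed sample of `keytool -list -v` output (two entries, not real certificates).
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mydomain
Creation date: Mar 04, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=mydomain.example, O=Demo
Issuer: CN=Demo Test CA, O=Demo
Valid from: Mon Mar 04 10:00:00 UTC 2024 until: Tue Mar 04 10:00:00 UTC 2025
Certificate[2]:
Owner: CN=Demo Test CA, O=Demo
Issuer: CN=Demo Test CA, O=Demo
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2034


*******************************************
*******************************************


Alias name: root
Creation date: Mar 04, 2024
Entry type: trustedCertEntry

Owner: CN=Demo Test CA, O=Demo
Issuer: CN=Demo Test CA, O=Demo
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2034'

# Demo run on the constructed listing: only mydomain expires before mid-2025.
printf '%s\n' "$SAMPLE_LISTING" | expiring_before 2025-06-01
```

Against a live keystore, pipe the listing in: `keytool -list -v -keystore keystore.jks | expiring_before 2025-06-01`. Only the entry's own certificate is checked; the CA certificates further down a chain are deliberately skipped, since a renewal is needed when the leaf expires regardless of how long the issuer is valid.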
Delete a certificate from a Java keystore
keytool -delete -alias mydomain -keystore keystore.jks
Change a Java keystore password (keytool prompts for the current password)
keytool -storepasswd -new new_storepass -keystore keystore.jks
Export a certificate from a Java keystore
keytool -exportcert -alias mydomain -file mydomain.crt -keystore keystore.jks
List the trusted CA certificates
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Note: this cacerts path is for JDK 8 and earlier. From JDK 9 on the file lives at $JAVA_HOME/lib/security/cacerts, and keytool accepts a -cacerts option that selects it directly.
Import a new CA certificate into the trusted certificates (cacerts) store
keytool -importcert -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts