Java Keytool

The keytool command is a key and certificate management utility.

KeyStore vs TrustStore

We use a keystore and a truststore when our application needs to use SSL/TLS. The default format for the keystore and truststore was JKS up to Java 8. Starting with Java 9, the default format is PKCS12, a language-neutral way to store encrypted private keys and certificates.

A Java keystore stores private keys and the certificates (with public keys) used for SSL/TLS.

A truststore is the opposite of a keystore: it stores the certificates that identify others.

Java ships with a default truststore at $JAVA_HOME/jre/lib/security/cacerts. The initial password for cacerts is changeit. (Notice it doesn't have a .jks or .pkcs12 extension.)

Generate KeyStore and Keypair

To generate a keystore and keypair, run the command below. You will be asked for the distinguished-name details, and both the keystore and the key (the domain alias) require a password.

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

This will generate the file keystore.jks; the entry's alias is 'mydomain'.

Use the keytool -list command to view the keystore entries, or keytool -list -v for verbose output. You will be prompted for the keystore password.

$ keytool -list -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

mydomain, May 20, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 09:C2:19:B6:54:5C:A8:F2:4A:ED:24:A2:3C:04:71:32:E8:B7:94:57

Generate CSR from KeyStore

To generate a Certificate Signing Request (CSR) for an existing Java keystore, run the command below. You will be prompted for the keystore password.

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

This will generate mydomain.csr.

Create a self-signed Certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore selfsigned.jks -validity 360 -keysize 2048

This will generate selfsigned.jks. Use keytool -list to view the certificate.

Export the certificate. You will be prompted for the keystore password. This will write the certificate in DER-encoded format.

keytool -exportcert -alias selfsigned -file selfsigned.der -keystore selfsigned.jks

To convert DER to PEM:

openssl x509 -inform der -in selfsigned.der -out selfsigned.crt

Import a Certificate to TrustStore

To import a CA or intermediate certificate into an existing Java truststore:

$ cd $JAVA_HOME
$ keytool -import -trustcacerts -alias somealias -file <certificate file>.crt -keystore jre/lib/security/cacerts -storepass changeit

If you omit -storepass, you will be prompted for the keystore password.

To examine the default truststore at $JAVA_HOME/jre/lib/security/cacerts:

$ cd $JAVA_HOME/jre/lib/security

$ keytool -list -keystore cacerts
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 134 entries

debian:affirmtrust_premium_ecc.pem, Dec 15, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB

You can see here there are 134 trusted certificates.
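Pulling the commands above together, here is an added, scripted example (not part of the original post) that generates a PKCS12 keystore, exports its certificate, and imports it into a separate application truststore instead of editing the JDK's global cacerts with the default changeit password. Every file name, alias and password in it is a constructed placeholder, and the entry-type and fingerprint helpers show how to verify the result from a script.

```shell
#!/bin/sh
# Added example, not from the original post. Non-interactive keytool flow:
# keystore (PrivateKeyEntry) -> exported cert -> per-app truststore (trustedCertEntry).
# All names, aliases and passwords below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/keystore.p12"      # our private key + certificate
TS="$WORK/truststore.p12"    # only certificates we choose to trust
KS_PASS='keystore-pass-placeholder'
TS_PASS='truststore-pass-placeholder'

# Generate keypair + self-signed cert; -dname answers the interactive prompts.
# PKCS12 requires key and store passwords to match, so both are passed explicitly.
gen_keystore() {
    rm -f "$KS"
    keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 -validity 360 \
        -dname 'CN=mydomain.example, O=Example, C=US' -storetype PKCS12 \
        -keystore "$KS" -storepass "$KS_PASS" -keypass "$KS_PASS" >/dev/null 2>&1
}

# Export the certificate (DER) and import it into a fresh truststore.
# -noprompt skips the "Trust this certificate?" question for scripted use.
build_truststore() {
    rm -f "$TS"
    keytool -exportcert -alias mydomain -keystore "$KS" -storepass "$KS_PASS" \
        -file "$WORK/mydomain.der" >/dev/null 2>&1
    keytool -importcert -noprompt -alias mydomain -file "$WORK/mydomain.der" \
        -storetype PKCS12 -keystore "$TS" -storepass "$TS_PASS" >/dev/null 2>&1
}

# Entry type keytool reports for an alias: PrivateKeyEntry or trustedCertEntry.
entry_type() {   # $1=store $2=password $3=alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/.*, \([A-Za-z]*Entry\),.*$/\1/p'
}

# Certificate fingerprint (SHA1 on Java 8, SHA-256 on Java 9+), for comparing
# the truststore entry against the keystore's certificate.
fingerprint() {  # $1=store $2=password $3=alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/^Certificate fingerprint (SHA[^)]*): //p'
}

main() {
    gen_keystore
    build_truststore
    echo "keystore  : $(entry_type "$KS" "$KS_PASS" mydomain)"
    echo "truststore: $(entry_type "$TS" "$TS_PASS" mydomain)"
}

if command -v keytool >/dev/null 2>&1; then main; else echo "keytool not on PATH" >&2; fi
```

Point the application at $TS via -Djavax.net.ssl.trustStore so only the certificates you imported are trusted, leaving the JDK's cacerts untouched.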
