About Java keytool command
- The keytool command is a key and certificate management utility.
- The keytool command also enables users to administer secret keys and passphrases used in symmetric encryption and decryption (DES).
- The keytool command stores the keys and certificates in a Keystore
- It is located in the JRE/bin folder of the JDK installation or JRE/bin in the JRE installation
Let’s see various useful Keytool Command
How to generate the Public/Private key pair using Keytool
cd $JAVA_TOP\jre\bin keytool -genkeypair -keyalg RSA -alias <key alias> -keysize 2048 -keystore <jks location> -storepass <store password> -keypass <key password>
-genkeypair command is used to generate a key pair: UserA’s private key and UserA’s public key.
-keyalg RSA is the encryption algorithm. Beware that if you do not mention this parameter then the default encryption would be DSA which is not supported by WebLogic.
-keystore option specifies the Keystore file name to hold the key pair.
-alias key option specifies the entry name of the key pair in the Keystore file because the Keystore file can hold multiple keys and certificate entries.
-keysize 1024 option specifies the key size to be 1024 bits and 2048 specifies the key size to be 2048 bits
-storepass option specifies a password to protect the Keystore file
-keypass option specifies a password to protect key entries in the Keystore file
Example
keytool -genkeypair -keyalg RSA -alias key_test -keysize 2048 -keystore /u01/app/test.jks -storepass testjks -keypass passtest
It will ask for below things What is your first and last name? [Unknown]:<Server Name> What is the name of your organizational unit? [Unknown]:<organizational unit> What is the name of your organization? [Unknown]:<organization> What is the name of your City or Locality? [Unknown]:<city> What is the name of your State or Province? [Unknown]:<state> What is the two-letter country code for this unit? [Unknown]:<country code> Is CN=<server name>, OU=<organizational unit>, O=<organization>, L=<city>, ST=<state> , C=<country code> correct?
How to generate a CSR (Certificate Signing Request)
No, we have to generate a CSR (Certificate Signing Request) containing his public key and ask us as a CA to sign it for him
keytool -certreq -alias <key alias> -Keypass <key password> -keystore <jks location> -storepass <store password> -file <csr location>
-certreq command is used to generate a CSR (Certificate Sign Request) based on the given key pair
-alias option specifies the entry in the Keystore file where to get the key pair.
-keystore option specifies the Keystore file.
-file option specifies the file name where the CSR will be stored.
Example
keytool -certreq -alias key_test -Keypass passtest -keystore /u01/app/test.jks -storepass testjks -file /u01/app/test.csr
Now this CSR can be given to CA and obtain the signed certificate. It is required to have the root and intermediate certificate for that CA
How to Add the Certificate using keytool
(a)First import the Intermediate Certificate
keytool -importcert -alias <inter alias> -file <intermediate cert file> -keystore <jks location> -storepass <store password>
And you will get a prompt to add this to truststore, please enter Yes
Example
keytool -importcert -alias CAInter -file /u01/app/inter.cer -keystore /u01/app/test.jks -storepass testjks
(b) Now import the Root Certificate
keytool -importcert -alias CAroot -file /u01/app/root.cer -keystore /u01/app/test.jks -storepass testjks
And you will get a prompt to add this to truststore, please enter Yes
(c) Now Finally Import the key Certificate
keytool -importcert -alias <key name> -file <signed cert file> -keystore <jks location> -storepass <store password> -keypass <key password>
Example
keytool -importcert -alias key_test -file /u01/app/test.cer -keystore -keystore /u01/app/test.jks -storepass testjks -keypass passtest
This completes the Certificate creation Process
How to list the certificate in the Java Keystore
keytool -list -v -keystore <jks location> -storepass <store password>
Example
keytool -list -v -keystore /u01/app/test.jks -storepass testjks
How to Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
How to list the certificate in the Java truststore Keystore
keytool -list -v -keystore $JAVA_HOME\jre\lib\security\cacerts -storepass changeit
How to import the root/Intermediate certificate in the Java truststore Keystore
keytool -import -alias CAInter -keystore $JAVA_HOME\jre\lib\security\cacerts -trustcacerts -file /u01/app/inter.cer -storepass changeit keytool -import -alias CAroot -keystore $JAVA_HOME\jre\lib\security\cacerts -trustcacerts -file /u01/app/root.cer -storepass changeit
How to delete the Key in Keystore
keytool -delete -alias <key name> -keystore <jks location>
How to change the Java Keystore password
keytool -storepasswd -new <new storepass> -keystore <jks location>
How to change the key password
keytool -keypasswd -alias <key name> -keypass <old_keypass> -new <new keypass> -keystore <jks location> -storepass <store password>
How to change the alias of key
keytool -changealias -alias <key name> -destalias <newalias> -keypass <keypass> -keystore <jks location> -storepass <store password>
How to resolve keytool command not found error
Many times when you execute the keytool command, you get the error
keytool -list -v -keystore /u01/app/test.jks -storepass testjks Error keytool command not found
This generally happens if the correct PATH is not there in the PATH variable. Solution will be
export PATH=<JDK TOP>jre/bin:$PATH keytool -list -v -keystore /u01/app/test.jks -storepass testjks or cd <JDK TOP>jre/bin ./keytool -list -v -keystore /u01/app/test.jks -storepass testjks
Hope you like this post on Keytool Commands and it helps you in your certificate management
Also Reads
SSL in EBS R12 : Learn about setting up SSL in EBS 12.0 or 12.0 version, what all settings need to configured and how to verify the setup
TLS in EBS R12.2 : Check out How to enable TLS in EBS 12.2, how to do the various settings, and how to verify the setup
enable SSL in Oracle Weblogic : Learn about how to enable SSL in Oracle WebLogic server, how to generate the private key, how to do the settings in the console
enable/Disable JSSE in Weblogic Server: How to enable or disable JSSE in WebLogic server if you plan to use SHA256 certificate
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
