Cheatsheet Java Keytool
Environment
- Debian 9.7 x64
- OpenJDK 12.0.1
Pre-requisite: Install OpenJDK 12
Log 2019 / 06
1. Pre
root@athos:~# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade
root@athos:~# java -version
openjdk version "12.0.1" 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12)
OpenJDK 64-Bit Server VM (build 12.0.1+12, mixed mode, sharing)
2. Generating and Importing
2.1. Generate Java Keystore and Key Pair
root@athos:~# keytool -genkey -noprompt \
-alias athos.host \
-keyalg RSA \
-keysize 2048 \
-dname "CN=athos.host, O=Zuhdi, L=Cyberjaya, S=Selangor, C=MY" \
-keystore keystore.jks \
-storepass password \
-keypass password
2.2. Generate CSR for existing Java Keystore
root@athos:~# keytool -certreq -noprompt \
-alias athos.host \
-file athos.csr \
-keystore keystore.jks \
-storepass password
2.3. Import CA Certificate (Root/Intermediate) to existing Java Keystore
root@athos:~# keytool -import -trustcacerts -noprompt \
-alias root \
-file rca.crt \
-keystore keystore.jks \
-storepass password
root@athos:~# keytool -import -trustcacerts -noprompt \
-alias intermediate \
-file ica.crt \
-keystore keystore.jks \
-storepass password
2.4. Import Signed End-Entity Certificate (Certificate Reply) to existing Java Keystore
root@athos:~# keytool -import -trustcacerts -noprompt \
-alias athos.host \
-file athos.crt \
-keystore keystore.jks \
-storepass password
2.5. Generate Java Keystore and Self-Signed Certificate
root@athos:~# keytool -genkey -noprompt \
-alias athos.host \
-keyalg RSA \
-keysize 2048 \
-dname "CN=athos.host, O=Zuhdi, L=Cyberjaya, S=Selangor, C=MY" \
-keystore keystore.jks \
-validity 360 \
-storepass password \
-keypass password
3. Print/List
3.1. Print Certificate
root@athos:~# keytool -printcert -v -file root.crt
3.2. Print/List Certificates in a Java Keystore
root@athos:~# keytool -list -v -noprompt \
-keystore keystore.jks \
-storepass password
3.3. Print Certificate in a Java Keystore using alias
root@athos:~# keytool -list -v -noprompt \
-alias athos.host \
-keystore keystore.jks \
-storepass password
4. Other
4.1. Delete a Certificate in a Java Keystore using alias
root@athos:~# keytool -delete \
-alias athos.host \
-keystore keystore.jks \
-storepass password
4.2. Change Java Keystore password
root@athos:~# keytool -storepasswd -new new_password \
-keystore keystore.jks \
-storepass password
4.3. Export Certificate from Java Keystore
root@athos:~# keytool -export -noprompt \
-alias athos.host \
-file athos.crt \
-keystore keystore.jks \
-storepass password
4.4. List Trusted CA Certificates
root@athos:~# echo $JAVA_HOME
/usr/lib/jvm/jdk-12.0.1/
root@athos:~# keytool -list -v -noprompt \
-keystore $JAVA_HOME/lib/security/cacerts \
-storepass changeit
4.5. Import CA Certificates into Trusted Certs
root@athos:~# keytool -import -trustcacerts -noprompt \
-alias myca_root \
-file rca.crt \
-keystore $JAVA_HOME/lib/security/cacerts \
-storepass changeit
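Added example, not part of the original cheatsheet: with -noprompt, the imports in 2.3 and 4.5 skip keytool's "Trust this certificate?" confirmation, and -storepass on the command line leaves the password in shell history and the process list. The sketch below checks the certificate's SHA-256 fingerprint against a value obtained out of band before importing, and passes the password with keytool's -storepass:env modifier. The function names, the KS_PASS variable and the sample fingerprint are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of `keytool -printcert` output; the fingerprints are made-up values.
SAMPLE_PRINTCERT='Owner: CN=Example Root CA, O=Example, C=MY
Issuer: CN=Example Root CA, O=Example, C=MY
Certificate fingerprints:
         SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
         SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Signature algorithm name: SHA256withRSA'

# Normalize a fingerprint to uppercase hex without colons or whitespace.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'a-f' 'A-F'
}

# Read `keytool -printcert` output on stdin and print the normalized SHA-256 fingerprint.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 |
        tr -d ': \r\n' | tr 'a-f' 'A-F'
}

# import_pinned_ca ALIAS CERT_FILE KEYSTORE EXPECTED_SHA256
# Imports CERT_FILE as a trusted CA only if its fingerprint matches the expected
# value. The keystore password is read from the exported variable KS_PASS
# (hypothetical name), so it never appears in argv or in shell history.
import_pinned_ca() {
    ca_alias=$1; cert=$2; store=$3
    want=$(normalize_fp "$4")
    got=$(keytool -printcert -file "$cert" 2>/dev/null | extract_sha256)
    # Refuse on a malformed pin, an unreadable certificate, or a mismatch.
    if [ "${#want}" -ne 64 ] || [ "$got" != "$want" ]; then
        echo "refusing import of $cert: SHA-256 is ${got:-unreadable}, expected $want" >&2
        return 1
    fi
    keytool -import -trustcacerts -noprompt \
        -alias "$ca_alias" -file "$cert" \
        -keystore "$store" -storepass:env KS_PASS
}

# Demonstration on the constructed sample only; no keystore is touched here.
echo "sample fingerprint: $(printf '%s\n' "$SAMPLE_PRINTCERT" | extract_sha256)"

# Real use (placeholder pin, obtained from the CA over a separate channel):
#   export KS_PASS    # set from a prompt or a secrets store, not typed inline
#   import_pinned_ca myca_root rca.crt keystore.jks "<EXPECTED_SHA256_FINGERPRINT>"
```

The same -storepass:env form works with the other keytool commands on this page that take -storepass.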