cheatsheet java keytool | zuhdi.org

Cheatsheet Java Keytool

Environment

  • Debian 9.7 x64
  • OpenJDK 12.0.1

Pre-requisite: Install OpenJDK 12

Log 2019 / 06

1. Preparation

root@athos:~# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade

root@athos:~# java -version
openjdk version "12.0.1" 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12)
OpenJDK 64-Bit Server VM (build 12.0.1+12, mixed mode, sharing)

2. Generating and Importing

2.1. Generate Java Keystore and Key Pair

root@athos:~# keytool -genkey -noprompt \
  -alias athos.host \
  -keyalg RSA \
  -keysize 2048 \
  -dname "CN=athos.host, O=Zuhdi, L=Cyberjaya, S=Selangor, C=MY" \
  -keystore keystore.jks \
  -storepass password \
  -keypass password

2.2. Generate CSR for existing Java Keystore

root@athos:~# keytool -certreq -noprompt \
  -alias athos.host \
  -file athos.csr \
  -keystore keystore.jks \
  -storepass password

2.3. Import CA Certificate (Root/Intermediate) to existing Java Keystore

root@athos:~# keytool -import -trustcacerts -noprompt \
  -alias root \
  -file rca.crt \
  -keystore keystore.jks \
  -storepass password

root@athos:~# keytool -import -trustcacerts -noprompt \
  -alias intermediate \
  -file ica.crt \
  -keystore keystore.jks \
  -storepass password

2.4. Import Signed End-Entity Certificate (Certificate Reply) to existing Java Keystore

root@athos:~# keytool -import -trustcacerts -noprompt \
  -alias athos.host \
  -file athos.crt \
  -keystore keystore.jks \
  -storepass password
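
Sections 2.1 to 2.4 form one procedure. The following added example (not from the original page) runs it end to end against a throwaway CA signed with keytool -gencert, shows that importing the reply before the CA certificate is rejected, and passes the password through -storepass:env instead of the command line. The CA, the password, the .p12 file names and the ca/ks helper functions are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed for the demo:
# the throwaway CA and its name, the password, the .p12 file names and
# the ca/ks helper functions.
issue_chain() (
  set -eu
  dir=$(mktemp -d)
  cd "$dir"
  trap 'cd / && rm -rf "$dir"' EXIT
  exec 3>&1 >&2   # keytool messages go to stderr; fd 3 carries the result
  # keytool reads the password from this variable, so it stays out of the
  # process list and shell history (unlike "-storepass password" in argv).
  KS_PASS='demo-Only-Pass1'; export KS_PASS
  ca() { keytool "$@" -storetype PKCS12 -keystore ca.p12 -storepass:env KS_PASS; }
  ks() { keytool "$@" -storetype PKCS12 -keystore keystore.p12 -storepass:env KS_PASS; }

  # Stand-in for the real CA: a self-signed root and its exported certificate.
  ca -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 \
     -dname "CN=Demo Root CA" -ext bc:c
  ca -exportcert -rfc -alias ca -file rca.crt

  # 2.1 key pair and 2.2 CSR on the server side.
  ks -genkeypair -alias athos.host -keyalg RSA -keysize 2048 \
     -dname "CN=athos.host, O=Zuhdi, L=Cyberjaya, ST=Selangor, C=MY"
  ks -certreq -alias athos.host -file athos.csr

  # The CA signs the CSR (the step that happens outside the cheatsheet).
  ca -gencert -rfc -alias ca -infile athos.csr -outfile athos.crt \
     -validity 30 -ext san=dns:athos.host

  # 2.4 before 2.3: keytool cannot chain the reply to any certificate it holds.
  if ks -importcert -noprompt -alias athos.host -file athos.crt
  then early=accepted; else early=rejected; fi

  # 2.3 then 2.4: root first, reply second.
  ks -importcert -noprompt -alias root -file rca.crt
  ks -importcert -noprompt -alias athos.host -file athos.crt

  # Count the PEM blocks stored under the key entry: leaf plus root.
  chain=$(ks -list -rfc -alias athos.host | grep -c 'BEGIN CERTIFICATE')
  echo "$early $chain" >&3
)
```

Calling issue_chain prints the outcome of the early import followed by the final chain length. The "Failed to establish chain from reply" error on stderr comes from the deliberate out-of-order import.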

2.5. Generate Java Keystore and Self-Signed Certificate

root@athos:~# keytool -genkey -noprompt \
  -alias athos.host \
  -keyalg RSA \
  -keysize 2048 \
  -dname "CN=athos.host, O=Zuhdi, L=Cyberjaya, S=Selangor, C=MY" \
  -keystore keystore.jks \
  -validity 360 \
  -storepass password \
  -keypass password

3. Print/List

3.1. Print Certificate

root@athos:~# keytool -printcert -v -file root.crt

3.2. Print/List Certificates in a Java Keystore

root@athos:~# keytool -list -v -noprompt \
  -keystore keystore.jks \
  -storepass password

3.3. Print Certificate in a Java Keystore using alias

root@athos:~# keytool -list -v -noprompt \
  -alias athos.host \
  -keystore keystore.jks \
  -storepass password

4. Other

4.1. Delete a Certificate in a Java Keystore using alias

root@athos:~# keytool -delete \
  -alias athos.host \
  -keystore keystore.jks \
  -storepass password

4.2. Change Java Keystore password

root@athos:~# keytool -storepasswd -new new_password \
  -keystore keystore.jks \
  -storepass password

4.3. Export Certificate from Java Keystore

root@athos:~# keytool -export -noprompt \
  -alias athos.host \
  -file athos.crt \
  -keystore keystore.jks \
  -storepass password

4.4. List Trusted CA Certificates

root@athos:~# echo $JAVA_HOME
/usr/lib/jvm/jdk-12.0.1/

root@athos:~# keytool -list -v -noprompt \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit

4.5. Import CA Certificates into Trusted Certs

root@athos:~# keytool -import -trustcacerts -noprompt \
  -alias myca_root \
  -file rca.crt \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit 

Hugo. Malte Kiefer & Zuhdi Najib.