My Java Keytool cheat sheet

Posted by on November 18, 2019 
# List all entries in a JKS
keytool -list -keystore mykeystore.jks -storepass changeit

# List all entries in a PKCS12
keytool -list -keystore mykeystore.jks -storepass changeit -storetype pkcs12

# List detailed information about all entries in a JKS
keytool -list -v -keystore mykeystore.jks -storepass changeit

# Rename an alias in a JKS
keytool -changealias -alias "client01" -destalias "client02" -keystore mykeystore.jks -storepass changeit

# Remove an alias in a JKS
keytool -delete -alias "client01" -keystore mykeystore.jks -storepass changeit

# Create a JKS with a self-signed certificate
keytool -genkey -keyalg RSA -alias client01 -keystore mykeystore.jks -storepass changeit -validity 365 -keysize 2048

# Create a JKS and import certificate from file (if keystore does not exist it will be created)
keytool -keystore mykeystore.jks -storepass changeit -import -file mycertfile.crt

# Import a certificate to trust to a jks
keytool -import -alias server01 -file server01.crt -keystore mykeystore.jks

# Change JKS keystore password
keytool -storepasswd -keystore mykeystore.jks

# Change a JKS key's password:
keytool -keypasswd  -alias <key_name> -keystore mykeystore.jks

# Extract certificate from a jks keystore
keytool -export -keystore mykeystore.jks -alias client01 -file client01.crt

# Convert a PKCS12 (p12) certificate to JKS
keytool -importkeystore  
  -srckeystore mysourcekeystore.p12 
  -destkeystore mydestkeystore.jks 
  -srcstoretype PKCS12 
  -deststoretype JKS 
  -srcstorepass mysourcepassword 
  -deststorepass mydestpassword 
  -srcalias mysourcecertalias 
  -destalias mydetscertalias 
  -srckeypass mysourcekeypassword 
  -destkeypass mydestkeypassword

# Convert a JKS keystore to a PKCS12 keystore
keytool -importkeystore 
  -srckeystore mykeystore.jks 
  -destkeystore mykeystore.p12
  -deststoretype pkcs12 

# Generate a self-signed certificate and put it into a JKS (valid for 720 days)
keytool -genkey 
  -keyalg RSA 
  -alias server 
  -keystore selfsigned.jks 
  -validity 720 
  -keysize 2048

Tested on Red Hat 7 and Java 8
Cheat sheets, Java

Comments are closed.