keytool
Manage keys and certificates in keystores
TLDR
Create a keystore
Change a keystore password
Change a key's password inside a specific keystore
SYNOPSIS
keytool -
Examples:
keytool -genkeypair -alias mycert -keystore mykeystore.jks
keytool -importcert -file server.crt -alias server_cert -keystore mykeystore.jks
keytool -list -keystore mykeystore.jks
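The three TLDR tasks above, run end to end as one non-interactive script. This is an added example, not part of the original page: it assumes a JDK's keytool is on PATH (it prints "skipped" otherwise), works in a throw-away temporary directory, and uses constructed placeholder passwords and DNs. The passwords are passed on the command line only so the script can run unattended; when typing these commands yourself, omit -storepass/-keypass and let keytool prompt.

```shell
#!/bin/sh
# Added example (not from the page): an end-to-end keytool session in a
# temporary directory. Assumes keytool (a JDK) is on PATH; prints "skipped"
# if it is not. Passwords and DNs are constructed placeholders.
set -eu

# All steps live here; every keytool call is checked explicitly because the
# caller wraps this function in "||", which turns set -e off inside it.
keytool_steps() {
    dir="$1"
    pass='changeit-demo'          # constructed placeholder
    newpass='changeit-demo-2'     # constructed placeholder
    ks="$dir/app.p12"

    # 1. Create a PKCS12 keystore holding a self-signed EC key pair.
    keytool -genkeypair -alias mycert -keyalg EC -keysize 256 -validity 365 \
        -dname 'CN=example.test, OU=Demo, O=Example, C=US' \
        -keystore "$ks" -storetype PKCS12 -storepass "$pass" -keypass "$pass" \
        >/dev/null 2>&1 || return 1

    # 2. Export the certificate as PEM, inspect it without importing, then
    #    import it into a separate trust store.
    keytool -exportcert -alias mycert -keystore "$ks" -storepass "$pass" -rfc \
        -file "$dir/mycert.pem" >/dev/null 2>&1 || return 1
    keytool -printcert -file "$dir/mycert.pem" 2>/dev/null \
        | grep -q 'CN=example.test' || return 1
    keytool -importcert -noprompt -alias mycert_trusted -file "$dir/mycert.pem" \
        -keystore "$dir/truststore.p12" -storetype PKCS12 -storepass "$pass" \
        >/dev/null 2>&1 || return 1

    # 3. Change the keystore password, then prove the old one no longer opens it.
    keytool -storepasswd -keystore "$ks" -storepass "$pass" -new "$newpass" \
        >/dev/null 2>&1 || return 1
    if keytool -list -keystore "$ks" -storepass "$pass" >/dev/null 2>&1; then
        echo "old keystore password still accepted" >&2
        return 1
    fi
    keytool -list -keystore "$ks" -storepass "$newpass" 2>/dev/null \
        | grep -q '^mycert,' || return 1
    keytool -list -keystore "$dir/truststore.p12" -storepass "$pass" 2>/dev/null \
        | grep -q 'trustedCertEntry' || return 1

    # 4. Change one key's password. keytool warns that different store and key
    #    passwords are not supported for PKCS12, so this step uses a JKS store.
    jks="$dir/legacy.jks"
    keytool -genkeypair -alias legacykey -keyalg RSA -keysize 2048 -validity 365 \
        -dname 'CN=legacy.test' -keystore "$jks" -storetype JKS \
        -storepass "$pass" -keypass "$pass" >/dev/null 2>&1 || return 1
    keytool -keypasswd -alias legacykey -keystore "$jks" -storepass "$pass" \
        -keypass "$pass" -new "$newpass" >/dev/null 2>&1 || return 1
    # Using the private key (here: producing a CSR) now needs the new key password.
    keytool -certreq -alias legacykey -keystore "$jks" -storepass "$pass" \
        -keypass "$newpass" >/dev/null 2>&1 || return 1
    return 0
}

# Runs the steps and cleans up; echoes "ok", or "skipped" when keytool is absent.
keytool_demo() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d) || return 1
    status=0
    keytool_steps "$dir" || status=1
    rm -rf "$dir"
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

keytool_demo
```

Step 3 deliberately re-opens the keystore with the old password to confirm the change took effect; a password rotation that is never verified is a common source of "inaccessible keys" later. Step 4 uses JKS only because keytool ties the key password to the store password for PKCS12.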
PARAMETERS
-genkeypair
Generates a public/private key pair and wraps the public key into an X.509 v3 self-signed certificate. Stores both in the keystore as a single entry.
-importcert
Imports a certificate or certificate chain from a file into the keystore. Can be used for root CAs or server certificates.
-exportcert
Exports a certificate from the keystore into a file, typically for sharing or backup purposes.
-list
Lists entries (key pairs and trusted certificates) in a keystore. Use -v for verbose output.
-delete
Deletes an entry identified by its alias from the keystore.
-changealias
Changes the alias of an existing entry in the keystore.
-keypasswd
Changes the password for a private key within the keystore. Note that this is different from the keystore's overall password.
-storepasswd
Changes the password used to protect the integrity of the entire keystore.
-printcert
Reads and prints the contents of a certificate file (e.g., .cer, .crt) without importing it into a keystore.
-keystore <path>
Specifies the path to the keystore file to be used. If not specified, defaults to ${user.home}/.keystore.
-storepass <password>
Specifies the password for accessing the keystore. It's best practice to omit this option and let keytool prompt for the password, so it does not end up in shell history or process listings.
-alias <name>
Specifies the alias (a unique name) of the entry within the keystore to operate on.
-file <path>
Specifies the input or output file for certificate operations (e.g., for import or export).
-dname <name>
Specifies the Distinguished Name (DN) for the subject of a certificate when generating a new key pair (e.g., 'CN=MyName, OU=MyOrgUnit, O=MyOrg, L=MyCity, ST=MyState, C=MyCountry').
-keyalg <algorithm>
Specifies the algorithm to use for key pair generation (e.g., RSA, DSA, EC).
-keysize <size>
Specifies the size of the generated key in bits (e.g., 2048, 4096 for RSA).
-validity <days>
Specifies the validity period in days for self-signed certificates. Defaults to 90 days.
-storetype <type>
Specifies the type of keystore (e.g., JKS, PKCS12). PKCS12 is often recommended for interoperability.
-v
Enables verbose output, providing more detailed information during operations.
DESCRIPTION
The keytool command is a Java utility used to manage keystores, which are repositories for cryptographic keys (private keys, public keys, secret keys) and X.509 certificate chains. It is an essential component of the Java Development Kit (JDK) and plays a crucial role in enabling secure communication (e.g., SSL/TLS), code signing, and authentication for Java applications.
keytool allows users to perform various operations such as generating key pairs, importing and exporting certificates, listing the contents of a keystore, changing passwords, and deleting entries. It supports different keystore formats, most commonly JKS (Java KeyStore) and PKCS12.
CAVEATS
keytool operations require careful handling of passwords and file permissions to maintain security. Mismanaging keystore files or forgetting passwords can leave keys inaccessible or expose them. Because the command has many options with specific argument formats, it demands precise syntax. Ensure a compatible Java Development Kit (JDK) is installed and configured in your system's PATH environment variable so that keytool can be found.
KEYSTORE TYPES
keytool primarily supports two keystore types: JKS (Java KeyStore), the older Java-specific format that was formerly the default, and PKCS12, an industry-standard format recommended for its interoperability with other security tools and systems (e.g., OpenSSL, web browsers). When creating a new keystore, it's generally advised to pass the -storetype PKCS12 option for broader compatibility and future-proofing.
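Moving an existing JKS file to PKCS12 is done with keytool's -importkeystore command (a real keytool command, though not listed on this page). The script below is an added example, not from the original page: it creates a throw-away JKS keystore, migrates it, and then checks that the new store reports itself as PKCS12 and still holds every alias the old one had. It assumes keytool is on PATH (prints "skipped" otherwise) and uses a constructed placeholder password.

```shell
#!/bin/sh
# Added example (not from the page): migrate a legacy JKS keystore to PKCS12 with
# keytool -importkeystore and verify that nothing was lost. Assumes keytool is on
# PATH (prints "skipped" otherwise); the password is a constructed placeholder.
set -eu

# Copy every entry of $src (JKS) into $dst (PKCS12), then verify the result.
migrate_jks_to_pkcs12() {
    src="$1"; dst="$2"; pass="$3"
    keytool -importkeystore -noprompt \
        -srckeystore "$src" -srcstoretype JKS -srcstorepass "$pass" \
        -destkeystore "$dst" -deststoretype PKCS12 -deststorepass "$pass" \
        >/dev/null 2>&1 || return 1

    # The new store must identify itself as PKCS12 ...
    keytool -list -keystore "$dst" -storepass "$pass" 2>/dev/null \
        | grep -q 'Keystore type: PKCS12' || return 1

    # ... and still contain every alias the JKS file had. Entry lines look like
    # "alias, <date>, PrivateKeyEntry," so field 1 of each "Entry," line is the
    # alias (aliases containing commas would need a different parser).
    for alias in $(keytool -list -keystore "$src" -storepass "$pass" 2>/dev/null \
                   | awk -F', ' '/Entry,/ { print $1 }'); do
        keytool -list -keystore "$dst" -storepass "$pass" -alias "$alias" \
            >/dev/null 2>&1 || return 1
    done
    return 0
}

# Builds a sample JKS store, migrates it, cleans up; echoes "ok" or "skipped".
migration_demo() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d) || return 1
    pass='migrate-demo'   # constructed placeholder

    # A throw-away JKS store with one key pair stands in for the legacy keystore.
    keytool -genkeypair -alias svc -keyalg RSA -keysize 2048 -validity 365 \
        -dname 'CN=svc.test, O=Example, C=US' \
        -keystore "$dir/legacy.jks" -storetype JKS \
        -storepass "$pass" -keypass "$pass" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }

    status=0
    migrate_jks_to_pkcs12 "$dir/legacy.jks" "$dir/modern.p12" "$pass" || status=1
    rm -rf "$dir"
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

migration_demo
```

In real migrations the source and destination stores usually get different passwords (-srcstorepass and -deststorepass are separate options for that reason), and the old JKS file should be removed or locked down once the alias check passes, so that a stale copy of the private keys does not linger.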
DISTINGUISHED NAME (DN)
The Distinguished Name is a unique identifier for an entity (e.g., a server, an individual, an organization) in an X.509 certificate. It's composed of a sequence of attribute-value pairs, such as Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State (ST), and Country (C). When generating a key pair with keytool, you will typically be prompted to provide these details to form the DN of the self-signed certificate's subject.
HISTORY
keytool has been an integral part of the Java Development Kit (JDK) since its early versions (roughly JDK 1.2 or 1.3), developed by Sun Microsystems (now Oracle). It was created to provide a native Java utility for managing cryptographic keys and certificates, thereby supporting secure coding practices and network communication directly within the Java ecosystem. Its development has mirrored the evolution of Java's security architecture, consistently serving as the primary command-line interface for keystore management and certificate operations in Java environments.