Java Keytool#

NOTE: the Keystore password is used to verify keystore integrity, not confidentiality. When you access the keystore using the intended passphrase, the result output will indicate whether the store has been tampered with on the basis of that passphrase, but it will still provide the requested info.

When creating a new keystore with '-genkey', you are choosing to incorporate a private key into your keystore. In this case you will first be prompted for the keystore password, and then later, after you have provided the key attributes, you will be prompted for the private key password -- and it will offer to use the same password as the one you have already provided for the keystore. Since most people accept this default behavior, confusion may arise when using the key regarding for which purpose one is being asked for a password.

Generate certificate keystore with subject alternative name attributes:

keytool -genkey -alias -keyalg RSA -keysize 2048 -keystore fubar1.jks -ext,dns:fubar1,dns:FUBAR1.A.COM,dns:FUBAR1
#NOTE must use the same -ext attribute when generating the CSR.

Export a the certificate from a keystore in Base64-encoded format (pem)

keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_certificate_file

Export the key from a JKS keystore to a pkcs12 file

keytool -importkeystore -srckeystore source.jks -destkeystore desk.pkcs -srcstoretype JKS -deststoretype PKCS12

Create a new keytool-based truststore:

#import the certs as follows, command will wait for you to paste cert (standard input)
#-AND- it will also ask you to set a password the first time,
# and then supply the password on subsequent times
keytool -import -alias -keystore myTrustStore
keytool -import -alias -keystore myTrustStore
keytool -import -alias -keystore myTrustStore

The whole process of key creation, csr generation, cert request, and cert import into keystore:

keytool -genkey -alias -keyalg RSA -keysize 2048 -keystore fubar2.jks -ext SAN=dns:fubar2,
keytool -certreq -alias -keyalg RSA -file fubar2.csr -keystore fubar2.jks -ext SAN=dns:fubar2,
#if windows CA -- do this part on CA
certreq -submit -attrib "CertificateTemplate:DHPWebServer" fubar2.csr fubar2.cer
keytool -import -trustcacerts -alias -file fubar2.p7b -keystore fubar2.jks

Generate a jks keystore from a pkcs12 keystore

keytool -importkeystore -srckeystore source.p12 -srcstoretype pkcs12 -destkeystore dest.jks -deststoretype JKS

Comment by email