Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file. It protects private keys with a password. A Keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.
Learn how to create a Java Keytool Self Signed Certificate. Generate a Self Signed Certificate using Java Keytool. This will create a keystore.jks file containing a private key and your sparklingly fresh self signed certificate. Now you just need to configure your Java application to use the.jks file. Generating Key Pairs and Importing Public Key Certificates to a Trusted Keystore. Anyway if you are looking to know how to generate a key pair or import a certificate to a Keystore using.
Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file that will initially only contain the private key. You will then generate a CSR and have a certificate generated from it. Then you will import the certificate to the keystore including any root certificates. Java Keytool also several other functions that allow you to view the details of a certificate or list the certificates contained in a keystore or export a certificate.
Note: For easier management of your Java Keystores (using a GUI) check out Portecle. If you need to buy a certificate, try to compare SSL with our SSL Wizard.
Below, we have listed the most common Java Keytool keystore commands and their usage:
Java Keytool Commands for Creating and Importing
These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.
Generate a Java keystore and key pair
Generate a certificate signing request (CSR) for an existing Java keystore
Import a root or intermediate CA certificate to an existing Java keystore
Import a signed primary certificate to an existing Java keystore
Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytoolfor more info)
Java Keytool Commands for Checking
If you need to check the information within a certificate, or Java keystore, use these commands.
Check a stand-alone certificate
Check which certificates are in a Java keystore
Check a particular keystore entry using an alias
Other Java Keytool Commands
Keytool Generate New Private Key Finder
Delete a certificate from a Java Keytool keystore
Change a Java keystore password
Export a certificate from a keystore
List Trusted CA Certs
Import New CA into Trusted Certs
If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.
Originally posted on Sun Jul 13, 2008
GlassFish uses keystores (.jks files) to store certificates and private keys. For Glassfish, it is recommended to generate a CSR using the keytool command line utility.
First, a new keystore needs to be created. The following command can be used to generate a new keystore with a private key:
It is recommended to replace myalias and mykeystore with the alias and filename of your choice.
You will be prompted to set a password for this keystore (at least 6 characters are required). Note: The keystore password and private key password must be the same as the Glassfish master password for the domain. The default master password is “changeit” and can be changed by running the change-master-password subcommand of the asadmin utility.
After that keytool will ask you to fill out some contact details. Here are the fields that will need to be filled out:
What is your first and last name? (Common Name) – this is where the domain needs to be specified. For single-domain or multi-domain certificates, you can enter example.com (or sub.example.com for a subdomain). For wildcard certificates, it should be specified in the following format: *.example.com (or *.sub.example.com).
What is the name of your organizational unit? (Organization Unit) – the company department requesting the certificate; this field can be skipped.
What is the name of your organization? (Organization) – the company name goes here; if there is no company, you can enter NA.
What is the name of your City or Locality? (Locality)
What is the name of your State or Province? (State)
What is the two-letter country code for this unit? (Country) – the country needs to be entered as a 2-letter ISO-compliantcountry code.
All entered details will be displayed for a review; if everything is correct – enter yes or just y.
You will also be asked to set a key password which will be used to secure the private key. You can press Enter to make this password the same as the keystore password.
In this command, myalias and mykeystore.jks are the same as in the first command, and domain.csr should be replaced with a custom filename. After running the command, you will have a domain.csr file in the same directory with the keystore.
You can open the CSR file with any text editor (e.g., nano), or output it to the console using the cat command:
Keytool Generate Private Key File
Before submitting the CSR, we recommend checking it for possible issues by decoding it on decoder.link.
Now that you have a CSR, you can proceed with certificate activation in your SSLs.com account.
How To Use Java Keytool
Additionally, you can visit the official Oracle documentation for more detailed instructions on keytool usage.