PKI Certificate Tutorials - Herong's Tutorial Examples

∟Java "keytool" Commands and KeyStore Files

∟"keytool" - Key and Certificate Management Tool

This section provides a quick introduction of 'keytool' - a command line tool to manage private keys and public certificates in 'keystore' database file.

"keytool" is command line tool included in JDK (Java Development Kit) to manage keys and certificates inside Java KeyStore files.

Note that the JRE (Java Runtime Environment) does not support the "keytool" command. You need to install the JDK package to use "keytool". See "JDK Tutorials - Herong's Tutorial Examples" at herongyang.com/JDK/ for more information on JDK.

"keytool" offers a number functions through the following command options:

• "-certreq": Generates a CSR (Certificate Signing Request).
• "-changealias": Changes an entry's alias name.
• "-delete": Deletes the entry of a given alias name.
• "-exportcert (-export)": Exports the certificate of the specified key entry or certificate entry out of the keystore to a certificate file.
• "-gencert": Generates certificate from a certificate request.
• "-genkeypair (-genkey)": Generates a key pair and stores it as a key entry in the keystore.
• "-genseckey": Generates a secret key.
• "-importcert (-import)": Imports the certificate from a certificate file as a certificate entry into the keystore.
• "-importkeystore": Imports one or all entries from another keystore.
• "-importpass": Imports a password.
• "-keypasswd": Changes the key password of an entry.
• "-keyclone": Creates a new key entry by copying an existing key entry.
• "-list": Lists all entries in the keystore.
• "-printcert": Prints summary information of a certificate from a certificate file.
• "-printcertreq": Prints the content of a certificate request.
• "-printcrl": Prints the content of a CRL (Certificate Revocation List) file.
• "-selfcert": Update the self-signed certificate in a key entry.
• "-showinfo": Displays security-related information.
• "-storepasswd": Changes the store password of a keystore.

You can run the "keytool -help" command to more information.

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

 Introduction of PKI Certificate

 PKI Certificate File Formats

 OpenSSL - Cryptography Toolkit

 "openssl ca" - CA (Certificate Authority) Tool

►Java "keytool" Commands and KeyStore Files

 What Is Java KeyStore File?

►"keytool" - Key and Certificate Management Tool

 "keytool -genkeypair" - Generate Key with Self-Signed Certificate

 "keytool -export/import" - Export and Import Certificates

 "keytool -keyclone" - Clone Self-Signed Certificate with New Identity

 "keytool -certreq" - Generate CSR (Certificate Signing Request)

 "keytool -gencert" - Sign CSR with CA certificate

 "keytool -gencert -ext" - Sign CSR with X.509 Extensions

 Export Key Pair using "keytool -importkeystore"

 PKI Certificate Store

 PKCS12 Certificate Bundle File

 PKCS7 Certificate Chain File

 PKI Certificate Related Terminology

 References

 Full Version in PDF/EPUB

"keytool" - Key and Certificate Management Tool - Updated in 2024, by Herong Yang