PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"keytool -export/import" - Export and Import Certificates
This section provides a tutorial example on how to use the 'keytool -export' command (now spelled 'keytool -exportcert') to export certificates out of a 'keystore' file. The 'keytool -import' command (now 'keytool -importcert') can be used to import certificates into a 'keystore' file.
In this second tutorial, I want to export the certificate stored in the key entry to a certificate file, then import it back into the keystore as a trusted certificate entry:
herong$ keytool -exportcert -alias my_home -file my_home.crt \
   -keystore herong.jks -storepass HerongJKS
Certificate stored in file <my_home.crt>

herong$ keytool -printcert -file my_home.crt
Owner: CN=Herong Yang, O=My Home, L="My City", ST=My State, C=US
Issuer: CN=Herong Yang, O=My Home, L="My City", ST=My State, C=US
Serial number: 3b4da8e2
Valid from: Sun Jul 1 21:06:31 EDT 2018 until: Thu Oct 18 21:06:31 EDT 2018
Certificate fingerprints:
         SHA1: 3C:80:96:22:E9:D0:E2:2D:B1:74:D5:3A:66:CB:5B:15:EE:DB:...
         SHA256: 72:23:53:A2:C7:1B:7C:65:DE:0A:C7:3B:0A:1C:3A:B2:05:...
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 54 7E 42 F3 55 E6 86 E4 19 15 30 FD F9 DF E6 FD ...
0010: AE 17 83 AD ....
]
]
Looking good so far.
Certificates can also be exported in PEM format, the text encoding specified in RFC 1421: the DER bytes of the certificate are BASE64 encoded and placed between BEGIN/END CERTIFICATE lines. The "-rfc" option selects this format:
herong$ keytool -exportcert -alias my_home -file my_home.pem -rfc \
   -keystore herong.jks -storepass HerongJKS
Certificate stored in file <my_home.pem>

herong$ more my_home.pem
-----BEGIN CERTIFICATE-----
MIIDDTCCAssCBEB5KKQwCwYHKoZIzjgEAwUAMGwxCzAJBgNVBAYTAlVTMREwDwYDVQ
dGF0ZTEQMA4GA1UEBxMHTXkgQ2l0eTEQMA4GA1UEChMHTXkgSG9tZTEQMA4GA1UECx
...
AhQ4zAUOPWe1wdiwye9XDsVPcKS1xwIUWTdok6RIeeCMRIytKwcTOo7/qpM=
-----END CERTIFICATE-----
Certificates can also be imported back into the KeyStore file using the "keytool -importcert" command.
herong$ keytool -importcert -alias my_home_2 -file my_home.pem \
   -keystore herong.jks -storepass HerongJKS
Certificate already exists in keystore under alias <my_home>
Do you still want to add it? [no]: yes
Certificate was added to keystore
List entries in the KeyStore file. The same self-signed certificate is imported and named "my_home_2". It is marked as a trusted certificate entry and has no associated private/public key pair; the identical SHA-256 fingerprints on the two entries confirm that it is the same certificate.
herong$ keytool -list -keystore herong.jks -storepass HerongJKS
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

my_home, Nov 25, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): FD:87:5A:8B:A6:61:B6:A4:33:E3:...
my_home_2, Nov 25, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): FD:87:5A:8B:A6:61:B6:A4:33:E3:...
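The export/import round trip above, as an added example script that is not part of the tutorial: it creates a throw-away keystore, exports the certificate as DER and as PEM, re-imports the PEM under a second alias, and checks that the fingerprint of each file equals the SHA-256 fingerprint "keytool -list" reports for both entries. It assumes a JDK 9 or later keytool (which lists SHA-256 fingerprints) plus sha256sum, base64 and sed on PATH; the keystore name, aliases and password are constructed for this example, and RSA is used instead of the tutorial's DSA key.

```shell
#!/bin/sh
# Added example, not from the tutorial: round-trip one self-signed certificate
# through DER and PEM export, re-import it as a trusted entry, and verify that
# every copy carries the fingerprint that "keytool -list" reports.
# Assumes keytool (JDK 9+), sha256sum, base64 and sed; names and password are constructed.
command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping" >&2; exit 0; }
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KS="$WORK/example.jks"; PASS="ExamplePass1"

# Key pair plus self-signed certificate, as in the -genkeypair tutorial (RSA here).
keytool -genkeypair -alias example -keyalg RSA -keysize 2048 -validity 30 \
  -dname "CN=Example, O=Example Org, C=US" -storetype PKCS12 \
  -keystore "$KS" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1

# Export the same certificate as binary DER and as RFC 1421 style PEM (-rfc).
keytool -exportcert -alias example -file "$WORK/example.der" \
  -keystore "$KS" -storepass "$PASS" >/dev/null 2>&1
keytool -exportcert -alias example -file "$WORK/example.pem" -rfc \
  -keystore "$KS" -storepass "$PASS" >/dev/null 2>&1

# Import the PEM back under a second alias; -noprompt answers the
# "Certificate already exists ... Do you still want to add it?" question with yes.
keytool -importcert -alias example_2 -file "$WORK/example.pem" -noprompt \
  -keystore "$KS" -storepass "$PASS" >/dev/null 2>&1

# keytool's fingerprint is SHA-256 over the DER bytes, upper-case hex, colon separated.
hex_to_keytool() { tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'; }
fingerprint_der() { sha256sum "$1" | cut -d' ' -f1 | hex_to_keytool; }
# A PEM file is only the DER bytes BASE64 encoded between the BEGIN/END lines.
fingerprint_pem() { sed '/^-----/d' "$1" | base64 -d | sha256sum | cut -d' ' -f1 | hex_to_keytool; }
# What "keytool -list" prints for one alias: the fingerprint and the entry type.
fingerprint_keystore() {
  keytool -list -alias "$1" -keystore "$KS" -storepass "$PASS" 2>/dev/null | sed -n 's/.*(SHA-256): //p'
}
entry_type() {
  keytool -list -alias "$1" -keystore "$KS" -storepass "$PASS" 2>/dev/null | sed -n 's/.*, \([A-Za-z]*Entry\).*/\1/p'
}

echo "DER file:  $(fingerprint_der "$WORK/example.der")"
echo "PEM file:  $(fingerprint_pem "$WORK/example.pem")"
echo "example:   $(fingerprint_keystore example) ($(entry_type example))"
echo "example_2: $(fingerprint_keystore example_2) ($(entry_type example_2))"
```

All four fingerprints must agree; a mismatch between a file and the keystore means the file is not the certificate you think you exported.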