- Keytool Options
- get cert from domain
- add crt into Java keystore
- import an entire keystore into another keystore
- export items to cert file
references:
- keytool - Key and Certificate Management Tool
- To Use keytool to Create a Server Certificate
- 5 Creating, Exporting, and Importing SSL Certificates
- To Generate a Certificate by Using keytool
- Error Importing SSL certificate : Not an X.509 Certificate
- generate key and certificate using keytool
- How to Create JKS KeyStore file from existing private key and certificate
- How to Generate a Keystore and CSR Using the Keytool Command
- The Most Common Java Keytool Keystore Commands
- Error unable to find valid certification path
- Java Keytool - Create Keystore
- ARTIFACTORY: How to Resolve an “unable to find valid certification path to requested target” Error
- Working with Certificates and SSL
Keytool Options
KEYTOOL OPTIONS | DESCRIPTION
---|---
-delete | Deletes an entry from the keystore
-exportcert | Exports a certificate from a keystore
-genkeypair | Generates a key pair
-genseckey | Generates a secret (symmetric) key
-gencert | Generates a certificate from a certificate request
-importcert | Imports a certificate or a certificate chain into a keystore
-importpass | Imports a password
-importkeystore | Imports one or all entries from another keystore into a keystore
-keypasswd | Changes the key password of an entry in a keystore
-list | Lists entries in a keystore
-printcert | Prints the content of a certificate
-printcertreq | Prints the content of a certificate request
-printcrl | Prints the content of a CRL file
-storepasswd | Changes the store password of a keystore
get cert from domain
$ keytool -printcert \
-rfc \
-sslserver google.com:443 > google.com.crt
# or
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > google.com.crt
- check crt file
$ keytool -printcert \
          -v \
          -file google.com.crt | head
Certificate[1]:
Owner: CN=*.google.com
Issuer: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
Serial number: 1a46a5eeaea1c2610a00000000fcefe4
Valid from: Sun Aug 29 18:36:08 PDT 2021 until: Sun Nov 21 17:36:07 PST 2021
Certificate fingerprints:
         MD5: 58:83:A1:72:6A:FC:96:FD:18:BF:93:57:AD:64:BE:55
         SHA1: 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
         SHA256: 03:FF:12:79:0E:57:B2:90:65:37:F2:5D:EA:62:A5:36:62:C6:1E:C0:2E:58:12:10:33:66:2D:49:2B:0C:3B:D5
Signature algorithm name: SHA256withRSA
# or
$ openssl x509 \
          -in google.com.crt \
          -noout \
          -text | grep "Not "
            Not Before: Aug 30 01:36:08 2021 GMT
            Not After : Nov 22 01:36:07 2021 GMT
add crt into Java keystore
generate a key pair (with a self-signed certificate) in a new keystore
$ keytool -genkey \
-alias google.com \
-keyalg RSA \
-keystore keystore.jks \
-keysize 2048
create java keystore from cert file
$ keytool -importcert \
-alias google.com \
-keystore google.com.jks \
-storepass changeit \
-file google.com.crt
Trust this certificate? [no]: yes
Certificate was added to keystore
Using -noprompt -trustcacerts skips the interactive "Trust this certificate? [no]:" question and answers yes for you, so the fingerprint of the file should be compared against a value obtained out of band before relying on it.
verify
$ keytool -list \
          [-v] \
          -keystore google.com.jks \
          -storepass changeit
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

google.com, Sep 27, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): 5D:F7:6F:AC:E9:D8:13:9F:68:E3:32:9C:42:CD:11:44:67:0A:E7:E6
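Added example, not part of these notes: a small Python helper that performs the two checks above without keytool on the box. It splits the certificates that the openssl s_client pipeline captures (the sed filter keeps every BEGIN/END block, so the file may hold the whole chain, leaf first) and computes fingerprints in the colon-separated form that keytool -printcert and -list display, so the leaf fingerprint can be compared with one obtained out of band before running -importcert with -noprompt. The sample capture, its certificate bytes and the function names are constructed for the demo.

```python
import base64
import hashlib
import re

# Constructed sample capture in the shape "openssl s_client -showcerts" emits:
# handshake noise, then the leaf and issuer PEM blocks. The PEM bodies are
# placeholder bytes, NOT real X.509 certificates, so the fingerprints are only
# meaningful as a demonstration of the computation.
def _pem(body: bytes) -> str:
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_CAPTURE = (
    "CONNECTED(00000003)\n"
    "depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1\n"
    + _pem(b"constructed-leaf-cert-der-bytes")
    + _pem(b"constructed-intermediate-cert-der-bytes")
    + "---\nServer certificate\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def split_pem_certs(text: str) -> list:
    """DER bytes of every PEM certificate block in the text, in order (leaf
    first), skipping the handshake noise around them just as the sed filter in
    the notes does. An empty list means there is nothing keytool could import."""
    return [base64.b64decode(m.group(1).replace("\n", ""))
            for m in PEM_BLOCK.finditer(text)]

def keytool_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER encoding in keytool's display form (uppercase hex,
    colon separated), comparable with 'keytool -printcert' / '-list' output."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def leaf_matches(text: str, expected_sha256: str) -> bool:
    """The gate before '-importcert -noprompt': the first certificate in the
    capture (the server's own) must carry the SHA-256 fingerprint obtained out
    of band. Returns False when the capture holds no certificate at all."""
    certs = split_pem_certs(text)
    return bool(certs) and keytool_fingerprint(certs[0]) == expected_sha256.upper()

if __name__ == "__main__":
    for n, der in enumerate(split_pem_certs(SAMPLE_CAPTURE), start=1):
        print(f"Certificate[{n}]: SHA256: {keytool_fingerprint(der)}")
```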
append to existing java keystore
$ keytool -import \
-noprompt \
-trustcacerts \
-alias google.com \
-keystore google.com.new.jks \
-file google.com.crt
import an entire keystore into another keystore
$ keytool -importkeystore \
-srckeystore key.jks -destkeystore NONE \
-srcstoretype JKS -deststoretype PKCS11 \
-srcstorepass <source keystore password> \
-deststorepass <destination keystore password>
- import only a single alias from one keystore into another
$ keytool -importkeystore \
          -srckeystore key.jks -destkeystore NONE \
          -srcstoretype JKS -deststoretype PKCS11 \
          -srcstorepass <source keystore password> \
          -deststorepass <destination keystore password> \
          -srcalias myprivatekey -destalias myoldprivatekey \
          -srckeypass <source entry password> \
          -destkeypass <destination entry password> \
          -noprompt
export items to cert file
history: This command was named -export in previous releases. This old name is still supported in this release and will be supported in future releases, but for clarity the new name, -exportcert, is preferred going forward.
$ keytool -export \
-keystore google.com.jks \
-alias google.com \
-file google.com.crt