The keytool command in Java is a tool for managing certificates into keyStore and trustStore which is used to store certificates and requires during the SSL handshake process. By using the keytool command you can do many things but some of the most common operations are viewing certificates stored in the keystore, importing new certificates into the keyStore, delete any certificate from the keystore, etc. For those who are not familiar keyStore, trustStore, and SSL Setup for Java application Here is a brief overview of What is a trustStore and keyStore in Java.
Both trustStore and keyStrore is used to store certificate signed by signer authority or CA (Certificate authority), with keyStore additionally storing personal certificate for the client which is used during client authentication on SSL handshake process if it's enabled.
In this article we will see some basic examples of keytool command in Java to find how many certificates we have in keyStore, viewing those certificates, adding new certificates, and deleting old certificates from keyStore or trustStore in Java.
In this article we will see some basic examples of keytool command in Java to find how many certificates we have in keyStore, viewing those certificates, adding new certificates, and deleting old certificates from keyStore or trustStore in Java.
How to use keytool command in Java
Following are some most common or frequently used example of keytool command which comes when you installed JDK. just type keytool command in your command prompt and it will show a lot of command-line options if your PATH is set correctly for Java.
If Path is not set properly it will complain that not able to find the keytool command. Don't worry you just need to add the JAVA_HOME/bin directory in your path to get the keytool command working.
keytool command to find how many certificates are in keyStore:
This is the first example of the keytool command which will show you how many certificates are stored in trustStore or keyStore file :
test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool
-list -keystore jssecacerts
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 81 entries
digicertassuredidrootca, 07/01/2008, trustedCertEntry,
Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
trustcenterclass2caii, 07/01/2008, trustedCertEntry,
above keytool command shows that default keystore jssecacerts, which comes along with JRE and present in JAVA_HOME directory on path JAVA_HOME/JRE/lib/security, has 81 certificates in it and keyStore type is JKS which stands for Java Key Store. One of those certificates are from DigiCert
keytool command to view certificate details from keyStore :
Now if you want to see details of certificates e.g. Common name (CN) and other attributes you can use the following keytool command to view details of certificates stored in keyStore in Java :
test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool
-list -v -keystore jssecacerts
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 81 entries
Alias name: digicertassuredidrootca
Creation date: 07/01/2008
Entry type: trustedCertEntry
Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: ce7e0e517d846fe8fe560fc1bf03039
Valid from: Thu Nov 09 20:00:00 VET 2006 until: Sun Nov 09 19:30:00 VET 2031
Certificate fingerprints:
MD5: 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
Signature algorithm name: SHA1withRSA
Version: 3
keytool command for adding a certificate in keystore and trustStore :
Now if you want to import any certificate into this keystore you can use the following keytool command :
$ keytool -import -alias adding_certificate_keystore -file self.cer -keystore jssecacerts
this will print certificate details and prompt you to accept the certificate, once you confirm that by typing Yes, the certificate will be added into your keyStore. For verification purposes, you can re-run the previous keytool command to get a total number of certificates in the keystore. For example, if we run the following keytool command, it should print 82 certificates in keyStore :
test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool
-list -keystore jssecacerts
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 82 entries
Another useful keytool command option is -printcert which prints details of a certificate stored in the .cer file :
$ keytool -printcert -file test.cer
That's all on some basic keytool command examples for viewing and adding certificates into keystore and trustStore in Java. I still prefer a GUI tool for creating keystore and managing certificates but keytool is a good alternative because it comes along with JDK installation and available in most places.
Java Tutorials from java67 blog
- 10 Tricky Java interview question - Answered
- What is Inheritance in Java and OOPS
- What is Encapsulation in Java and OOPS
- How to limit concurrent sessions in Java web application using Spring Security
- Difference between PATH and Classpath in Java
- 10 Spring MVC Interview questions and answers
Thanks, for reading this article so far. If you found these keytool command examples in Java, please share and ask any doubt you may have.
keytool command to list or view certificate is the what I was familiar before reading this tutorial.
ReplyDeleteCan you please help me how to view the certificates in the keystore ?
ReplyDelete./keytool -v -keystore --list
Deletesuperb..gr8 help..thanks..
ReplyDeleteCould you please tell me what does this part of certificate mean:
ReplyDeleteVersion: 3
Does it mean it's using SSL v3 ?
Excerpt from your example about :
test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool -list -v -keystore
hi... is there and command to update the keystore password from *.jks file once the .keystore file is being created?
ReplyDeleteHere are some more openssl and keytool command exmaples which helped a lot
ReplyDelete1. command to see which Issuer certificate you have in your keystore
$ keytool -v -list -keystore cacerts -storepass changeit | grep -i "Verisign "
2. OpenSSL command to connect to server and find out which certificates are acceptable
$ openssl s_client -connect serverhostname:443
keytool is really useful utility from JDK and you can use this with openssl together to create keys, certificates, import certificates, view certificates and even copy one keystore into another keystore in Java. Here is another useful example of keytool command to copy certificates from another one keystore to other in Java:
ReplyDeletekeytool -importkeystore \
-srckeystore example2.p12 \
-destkeystore example.p12 \
-srcstoretype PKCS12 \
-deststoretype PKCS12 \
-srcstorepass changeit \
-deststorepass changeit \
-v