JDK 1.6 'keytool' - keystore File Management Commands
This section describes all commands supported in JDK 1.6 'keytool' tool to manage certificates stored in 'keystore' files.
In JDK 1.6, the "keytool" has been changed to offer the following set of commands:
- "-genkeypair": Same as the old command "-genkey" to generate a key pair (a public key and associated private key).
Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain.
This certificate chain and the private key are stored in a new keystore entry identified by alias.
- "-genseckey": Generates a secret key and stores it in a new KeyStore.SecretKeyEntry identified by alias.
- "-importcert": Same as the old commnad "-import" to read the certificate or certificate chain
(where the latter is supplied in a PKCS#7 formatted reply) from the file cert_file,
and stores it in the keystore entry identified by alias. If no file is given, the certificate
or PKCS#7 reply is read from stdin.
- "-importkeystore": Imports a single entry or all entries from a source keystore to a destination keystore.
The "-importkeystore" command can also be used to migrate keys from other storage formats like PKCS#12.
- "-certreq": Generates a Certificate Signing Request (CSR), using the PKCS#10 format.
- "-exportcert": Same as the old commnad "-export" to read (from the keystore) the certificate associated with alias,
and stores it in the file cert_file.
- "-list": Prints (to stdout) the contents of the keystore entry identified by alias.
If no alias is specified, the contents of the entire keystore are printed.
- "-printcert": Reads the certificate from the file cert_file, and prints its contents in a human-readable format.
If no file is given, the certificate is read from stdin.
- "-storepasswd": Changes the password used to protect the integrity of the keystore contents.
The new password is new_storepass, which must be at least 6 characters long..
- "-keypasswd": Changes the password under which the private/secret key identified by alias is protected,
from old_keypass to new_keypass, which must be at least 6 characters long.
- "-delete": Deletes from the keystore the entry identified by alias.
The user is prompted for the alias, if no alias is provided at the command line.
- "-changealias": Move an existing keystore entry from the specified alias to a new alias, destalias.
If no destination alias is provided, the command will prompt for one. If the original entry is protected
with an entry password, the password can be supplied via the "-keypass" option.
If no key password is provided, the storepass (if given) will be attempted first.
If that attempt fails, the user will be prompted for a password.
- "-help": Lists the basic commands and their options.
Last update: 2015.
Table of Contents
About This Book
Java Tools Terminology
Installing Java 8 on Windows
'javac' - The Java Program Compiler
'java' - The Java Program Launcher
'jdb' - The Java Debugger
'jconsole' - Java Monitoring and Management Console
'jstat' - JVM Statistics Monitoring Tool
JVM Troubleshooting Tools
jvisualvm (Java VisualVM) - JVM Visual Tool
'jar' - The JAR File Tool
'javap' - The Java Class File Disassembler
►'keytool' - Public Key Certificate Tool
Certificates and Certificate Chains
'keystore' - Public Key Certificate Storage File
JDK 1.5 'keytool' - keystore File Management Commands
►JDK 1.6 'keytool' - keystore File Management Commands
Generating Key Pairs and Self-Signed Certificates
Exporting and Import Certificates
Cloning Certificates with New Identities
'native2ascii' - Native-to-ASCII Encoding Converter
PDF Printing Version