java keytool tutorial and examples

 In this blog, we will learn about keytool, a utility that is included in all java releases. If you don't have java, install java and keytool will be installed automatically.

What is Keytool?

Keytool is a key and certificate management utility. This tools lets users create private/public key pairs and certificates and stores them in a keystore.

Lets go through different utilities of this tool.

Creating Public Private Key Pair using Keytool

Let us create a public private key pair using keytool utility. Open a terminal window and fire the below keytool command with -genkeypair option.

keytool -genkeypair -alias pranay_pub_priv -keyalg RSA -validity 365 
-keystore /home/pranay/.keystore -storetype JKS

Let us understand this command.

  • -genkeypair generates a key pair - a public key and private key and wraps the public key in X.509 v3 self-signed certificate. This certificate and private key are stored in keystore as single entry.
  • -alias is the name of entry to identify the entry stored in keystore
  • -keyalg is the algorithm used to generate the key pair.
  • -validity is the validity of the keypair generated.
  • -keystore is the keystore path to be mentioned. If the keystore path is not present, it will create one and prompt to set password, otherwise it will just prompt for existing keystore password.
  • -keypass option is not mentioned as I wanted to use same password as the keystore for the private key
  • -storetype is type of the key store. I mentioned JKS(Java key store) which stores in binary format and prompts for a password to view the .jks file. There is other format - PKCS12 too.

You can give your own custom key store path in place of /home/pranay/.keystore. Now, it will give prompts for keystore password and the other prompts for

  • first and last name
  • name of your organizational unit
  • name of your organization
  • name of your City or Locality
  • name of your State or Province
  • two-letter country code for this unit
  • And a confirmation for above information entered.
java keytool tutorial

Viewing the created key pair in the keystore

We can hit the keytool -list to view the entries in the keystore stored in your home directory like below.

keytool -list
keytool list certificates

If you want to view, a custom path keystore, use -keystore <keystore path> command

keytool -list -keystore /home/pranay/.keystore
keytool list certificates in truststore

To view the detailed certificate information fire up below command on the terminal.

keytool -list -keystore  /home/pranay/.keystore -v -alias pranay_pub_priv

The output will be like below.

keytool print certificate

This is a self signed certificate and to be used for only development and testing.

Exporting the public key certificate

We can export the public key into a certificate by firing the below command with -exportcert option.

keytool -exportcert -alias pranay_pub_priv -file public.cer

Migrating to PKCS12 Store type format

We can migrate from JKS keystore to industry standard PKCS12 by firing the below command and view p12 certificate details using keytool.

keytool -importkeystore -srckeystore /home/pranay/.keystore 
-destkeystore /home/pranay/.keystore -deststoretype pkcs12

Let us understand the command options specified

  • -importkeystore is to import a keystore into another keystore.
  • -srckeystore is to mention my source keystore I want to migrate(My JKS keystore)
  • -destkeystore is to mention the destination keystore to migrate to.
  • -deststoretype pkcs12

The output looks like below

java pkcs12 keystore example

Lets list and see the output

openssl rsa private key openssl .pem file

Exporting Private key with openssl from PKCS12 keystore

openssl pkcs12 -in /home/pranay/.keystore -nodes -nocerts -out private_key.pem

Exporting Public key with openssl from PKCS12 keystore

openssl pkcs12 -in /home/pranay/.keystore  -nokeys -out cert.pem

It will prompt for key store password for both commands.

The keytool has various options to change alias, delete the entry from keystore, generate secret key. Explore the manual page of keytool by firing below command

man keytool 

or by firing  keytool -help

keytool -list command example

In this keytool tutorial, we learned about how to use keytool to generate a key pair, how to view the certificate in truststore and migrate jks truststore to pcks12 and the other utility functions. 


Post a Comment