keytool
keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.[1]
Documentation
- man 1 'keytool' [EN]
Syntax
keytool [PARAMETER ...]
Parameters
- -certreq
- Generates a Certificate Signing Request (CSR) in PKCS#10 format for the key pair stored under alias. The request is signed with that entry's private key and written to the file given with -file (stdout if no file is given).
- -genkeypair
- Generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias.
- -importcert
- Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or a sequence of X.509 certificates) from a file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or certificate chain is read from stdin.
- -alias ALIAS
- The keystore entry the command operates on. A key pair and the CA-signed certificate that later replaces its self-signed one share the same ALIAS; a CA certificate imported only for trust gets an alias of its own.
- -dname DN
- Specifies the X.500 'Distinguished Name' (DN) to be associated with alias, and is used as the issuer and subject fields in the self-signed certificate. If no 'Distinguished Name' is provided at the command line, the user will be prompted for one.
- -file FILE
- The file to read from (-importcert) or write to (-certreq).
- -keyalg ALGORITHM
- Specifies the ALGORITHM to be used to generate the key pair, e.g. RSA or EC.
- See the KeyPairGenerator section of the Java Cryptography Architecture Standard Algorithm Name Documentation for the full list of ALGORITHM names.
- -keypass[:env|:file] ARGUMENT
- The password used to protect the private key of the generated key pair.
- If the modifier env or file is not specified, then the password has the value ARGUMENT, which must be at least 6 characters long. Otherwise, the password is retrieved as follows:
- env retrieves the password from the environment variable named ARGUMENT.
- file retrieves the password from the file named ARGUMENT.
- Prefer the file form, and keep that file readable only by its owner (chmod 600): a password given literally on the command line is visible to every user on the host through the process list and is kept in the shell history.
- -keysize SIZE
- Specifies the SIZE in bits of each key to be generated, e.g. 2048 for RSA (do not go below this today) or 256 for EC.
- -keystore FILE
- The keystore location. Since JDK 9 a new keystore is created in PKCS12 format by default regardless of the file name; keytool warns when it opens a keystore in the older proprietary JKS format and recommends migrating to PKCS12.
- -noprompt
- Suppresses the interactive confirmation; with -importcert this skips the "Trust this certificate?" question that displays the certificate's fingerprint, so verify the fingerprint out of band (e.g. with keytool -printcert -file FILE) before importing a CA certificate this way.
- -sigalg ALGORITHM
- Specifies the ALGORITHM that should be used to sign the self-signed certificate (or, with -certreq, the request); this algorithm must be compatible with keyalg, e.g. SHA256withRSA for RSA, SHA256withECDSA for EC. Do not use SHA1withRSA: SHA-1 certificate signatures are no longer accepted by public CAs and are disabled by default for certificate path validation in current JDK releases (jdk.certpath.disabledAlgorithms).
- See the Signature section of the Java Cryptography Architecture Standard Algorithm Name Documentation for the full list of ALGORITHM names.
- -storepass[:env|:file] ARGUMENT
- The password which is used to protect the integrity of the keystore.
- If the modifier env or file is not specified, then the password has the value ARGUMENT, which must be at least 6 characters long. Otherwise, the password is retrieved as follows:
- env retrieves the password from the environment variable named ARGUMENT.
- file retrieves the password from the file named ARGUMENT.
- The same caveat as for -keypass applies: prefer the file form with a file readable only by its owner.
- -trustcacerts
- If the -trustcacerts option has been specified, the certificates in the JDK's cacerts keystore are additionally considered when building the chain of trust for an imported certificate, so a certificate signed by a public CA can be imported without first importing that CA's certificate.
Examples
- Generate a Java keystore and key pair
keytool -genkeypair \
-keyalg 'RSA' -keysize 2048 -sigalg 'SHA256withRSA' -alias 'RaySoft' \
-dname 'CN=raysoft.ch, O=Raysoft, L=Zurich, C=CH' \
-storepass:file "${HOME}/.passwd" -keypass:file "${HOME}/.passwd" \
-keystore 'mykeystore.jks'
- Generate a certificate signing request (CSR)
keytool -certreq \
-sigalg 'SHA256withRSA' -file 'raysoft.csr' -alias 'RaySoft' \
-storepass:file "${HOME}/.passwd" -keypass:file "${HOME}/.passwd" \
-keystore 'mykeystore.jks'
- Import the CA certificate to the keystore (with -noprompt the fingerprint is never shown, so check it first with keytool -printcert -file 'myca.crt' against a value obtained from the CA out of band)
keytool -importcert \
-noprompt -file 'myca.crt' -alias 'myCA' \
-storepass:file "${HOME}/.passwd" -keystore 'mykeystore.jks'
- Import the signed certificate to the keystore (same alias as the key pair, so the self-signed certificate is replaced by the CA-signed chain)
keytool -importcert \
-trustcacerts -noprompt -file 'raysoft.crt' -alias 'RaySoft' \
-storepass:file "${HOME}/.passwd" -keystore 'mykeystore.jks'
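The fingerprint check that the -noprompt import above silently skips, as an added example (it is not part of the keytool man page or of the examples on this page). The two pure-shell helpers parse the output of keytool -printcert; import_ca_pinned only calls keytool -importcert -noprompt when the certificate's SHA-256 fingerprint equals a value obtained out of band. File names, the alias and the fingerprint shown in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the keytool man page: pin a CA certificate's
# SHA-256 fingerprint before importing it with -importcert -noprompt.
# -noprompt suppresses the interactive "Trust this certificate?" question,
# which is the only place keytool normally shows the fingerprint, so the
# comparison has to be done explicitly.

# Read `keytool -printcert` output on stdin and print the SHA256 fingerprint
# of the first certificate as lowercase hex without colons. Prints nothing
# if no SHA256 line is present (keytool shows it as "\t SHA256: AA:BB:...").
extract_sha256_fingerprint() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 \
    | tr -d ':' | tr 'A-F' 'a-f'
}

# fingerprint_matches EXPECTED ACTUAL
# Compare two fingerprints, ignoring colons, spaces and hex case.
# Returns 0 on match, 1 otherwise; an empty EXPECTED never matches, so a
# missing pin cannot be mistaken for a successful check.
fingerprint_matches() {
  expected=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
  actual=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# import_ca_pinned KEYSTORE PASSWORD_FILE ALIAS CERT_FILE EXPECTED_SHA256
# Imports CERT_FILE as a trusted certificate under ALIAS only if its SHA-256
# fingerprint equals EXPECTED_SHA256 (taken from the CA operator's published
# fingerprint, not from the certificate file itself). On mismatch the
# keystore is left untouched and the function returns 1.
import_ca_pinned() {
  keystore=$1; passfile=$2; alias=$3; certfile=$4; want=$5
  got=$(keytool -printcert -file "$certfile" | extract_sha256_fingerprint)
  if ! fingerprint_matches "$want" "$got"; then
    printf 'refusing to import %s: SHA256 %s, expected %s\n' \
      "$certfile" "${got:-<none>}" "$want" >&2
    return 1
  fi
  keytool -importcert -noprompt -file "$certfile" -alias "$alias" \
    -storepass:file "$passfile" -keystore "$keystore"
}

# Usage with the (assumed) names from the examples on this page; the
# fingerprint value is a placeholder to be replaced with the CA's real one:
# import_ca_pinned 'mykeystore.jks' "${HOME}/.passwd" 'myCA' 'myca.crt' \
#   'AB:CD:EF:...'
```

The helpers are kept separate from the keytool calls so they can be exercised on saved -printcert output; if the CA file contains a chain, head -n 1 pins only the first certificate in it, which is the one keytool -importcert stores as the trusted entry.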
References
- ↑ man 1 'keytool'