13 Most Common Java Keytool Keystore Commands

2014-03-16 625 words 3 mins read

I was working on a project last month where I had to call a third-party web service. The third-party web service wanted me to add a SSL keystore and I struggled. I could have gone to my UNIX Admin and asked him to do this job but decided to learn about all about keystores. I went through couple of forums and SO and ended my spending 2 – 3 hours reading about keystores and commonly used commands.

To give you a quick run here what I was doing. I had to use a third party wsdl to create a client. I tried to use Maven jaxws plugin to generate the client. I downloaded the wsdl to my local machine and was able to successfully create a client. For production I wanted to generate the client using the current wsdl so decided to generate the client using the wsdl url of the third-party website but ran into keystore issue. I had to download their certificate and add it to my CACERT.

The whole charade led me to compile this post. Before I begin here is a quick run through Keystore

Why Do I need a keystore?

By using a public/private key mechanism. This provides a layer of security that prevents, among other things, remote attackers from pushing malicious updates to your application  (all updates must be signed with the same key)

What is a Java Keytool?

It is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in keystore. It protects private keys with a password. A Keytool keystore has the private key and any certificates necessary to complete a chain of trust and set up the trustworthiness of the primary certificate.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file that will initially only contain the private key. You will then generate a CSR and have a certificate generated from it. Then you will import the certificate to the keystore including any root certificates. 

Here is a list of 13 most common commands


1. Create a Java Keystore and value pair

keytool -genkey -alias yourDomainName -keyalg RSA -keystore YourkeystoreName.jks 

2. Creating a signing request (CSR) for an existing keystore

keytool -certreq -alias yourDomainName -keystore keystore.jks -file yourDomainName.csr

3. Importing a signed primary certificate to an existing  keystore**


keytool -import -trustcacerts -alias yourDomainName -file yourDomainName.crt -keystore YourkeystoreName.jks

4. Importing a root or intermediate CA certificate to an existing  keystore

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore YourkeystoreName.jks

5. Creating a keystore and self-signed certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore Yourkeystore.jks -storepass password -validity 360


When you need to check the information about a certificate or keystore then you use these commands.

6. Checking a particular certificate

keytool -printcert -v -file Yourdomain.crt

7. Checking all certificates in a keystore

keytool -list -v -keystore Yourkeystore.jks

9. Checking a particular keystore entry using an alias

keytool -list -v -keystore Yourkeystore.jks -alias Yourdomain


10. Deleting a certificate from a keystore

keytool -delete -alias Yourdomain -keystore Yourkeystore.jks

11. Changing a keystore password

keytool -storepasswd -new new_password -keystore keystore.jks

12. Exporting a certificate from a keystore

keytool -export -alias Yourdomain -file Yourdomain.crt -keystore Yourkeystore.jks

13. Listing Trusted CA Certs

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

P.S. – If you liked the post please click on one of the ads in the right hand column to help me keep up this site and do drop a me a line to suggest some topics that would like to see on this site.

So Long ……


We notice you're using an adblocker. If you like our webite please keep us running by whitelisting this site in your ad blocker. We’re serving quality, related ads only. Thank you!

I've whitelisted your website.

Not now