Java Keytool Commands: Create/Import Root & Intermediate Certificate


Java Keytool Commands to easily manage your SSL certificates

Java Keytool is a key and certificate management tool used for managing key pairs and certificates. The keys and certificates are stored in a Java keystore, which is protected by a password so that unauthorized parties cannot get hold of your keys. Keytool offers various other functions that make certificate management much easier, and each of them is invoked with its own command. That’s why we’ve put together the commands that will help you create and import your certificate in no time.

How to Generate Root & Intermediate with Java Keytool Commands

Generate a Java key pair and keystore:

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Generate a certificate signing request (CSR) for an existing Java keystore:

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

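Generate a keystore and self-signed certificate (the password shown is a placeholder; leave out -storepass to be prompted instead, which keeps the password out of shell history and the process list):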

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

How to Import Root & Intermediate with Java Keytool Commands

Import an intermediate CA certificate to an existing Java keystore:

keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore keystore.jks

Import a root CA certificate to an existing Java keystore:

keytool -import -trustcacerts -alias root -file root.crt -keystore keystore.jks

Import a signed SSL primary certificate to an existing Java keystore:

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks


How to Check Certificate Information with Java Keytool Commands

Check a stand-alone certificate:

keytool -printcert -v -file mydomain.crt

Check which certificates are in a Java keystore:

keytool -list -v -keystore keystore.jks

Check a particular keystore entry using an alias:

keytool -list -v -keystore keystore.jks -alias mydomain
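
After the imports above, the `keytool -list -v` listing shows whether the signed certificate actually replaced the self-signed placeholder created with the key pair. The shell function below is an added example, not part of the original page: it condenses that listing to one line per alias. The function names, status labels and sample listing are constructed for illustration.

```sh
# Added example: one summary line per alias from `keytool -list -v` output.
# Real use: keytool -list -v -keystore keystore.jks -J-Duser.language=en | audit_keystore
# (-J-Duser.language=en forces the English field labels this parser matches.)
audit_keystore() {
  awk '
    function report(   status) {
      if (alias == "") return
      if (type != "PrivateKeyEntry") status = "trusted-cert"
      else if (owner == issuer)      status = "SELF-SIGNED"       # CA reply not imported yet
      else if (chain < 2)            status = "INCOMPLETE-CHAIN"  # leaf only, no issuer certs
      else                           status = "ca-issued"
      # Weak digests matter on CA-issued certs; a self-signature is not a trust input.
      if (owner != issuer && sig ~ /^(MD5|SHA1)with/) status = status ",WEAK-SIG"
      printf "%s %s chain=%d %s\n", alias, type, chain, status
    }
    /^Alias name: /                { report(); alias = substr($0, 13)
                                     type = owner = issuer = sig = ""; chain = 0 }
    /^Entry type: /                { type = $NF }
    /^Certificate chain length: /  { chain = $NF + 0 }
    # Only the first certificate of an entry (the leaf) is recorded.
    /^Owner: /  && owner == ""     { owner = substr($0, 8) }
    /^Issuer: / && issuer == ""    { issuer = substr($0, 9) }
    /^Signature algorithm name: / && sig == "" { sig = $4 }
    END                            { report() }
  '
}
# Constructed sample listing, trimmed to the fields the parser reads.
sample_listing() {
  cat <<'EOF'
Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=mydomain.example
Issuer: CN=mydomain.example
Signature algorithm name: SHA256withRSA
Alias name: shop
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=shop.example
Issuer: CN=Example Intermediate CA
Signature algorithm name: SHA1withRSA (weak)
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Signature algorithm name: SHA1withRSA
EOF
}
sample_listing | audit_keystore
```

An alias reported as SELF-SIGNED still holds the certificate generated with the key pair, which means the signed certificate has not been imported under that alias.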

How to Change Keystore Type with Java Keytool Commands

PFX keystore to JKS keystore:

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks -deststoretype JKS

JKS keystore to PFX keystore:

keytool -importkeystore -srckeystore myjksfile.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore newpfxkeystore.pfx

Other Useful Java Keytool Commands

Delete a certificate from a Java Keytool keystore:

keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password:

keytool -storepasswd -new newstorepass -keystore keystore.jks

Export a certificate from a keystore:

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

List trusted CA certs (the path below is the Java 8 layout; on Java 9 and later the file is $JAVA_HOME/lib/security/cacerts):

keytool -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts"

Import a new CA into the trusted certs:

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias mydomain -keystore "$JAVA_HOME/jre/lib/security/cacerts"

That was easy, wasn’t it? Well, most things are. We hope this blog helped you do whatever you were looking for. Don’t forget to give this blog your rating. And if you want to convert your certificate from one format to another, use our easy-to-use guide.
