Get your FREE copy of "The Ultimate Guide of SSL"

Download Ebook

Java Keytool Commands: Create/Import Root & Intermediate Certificate

Java Keytool Commands to easily manage your SSL certificates

Java Keytool, a key and certificate management tool, is used for managing certificate key pairs and certificates. The keys and certificates are stored in the Java Keystore. Your keys are protected by means of a password so that any illegitimate entity doesn’t get hold of it. Java Keytool offers various other functions that make the certificate management much easier. However, you’d need to run Java Keytool commands in order to use these functions. That’s why we’ve come up with commands that will help you create and import your certificate in no time.


How to Generate Root & Intermediate by Java Keytool Commands

Generate a Java key pair and keystore:

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Generate a certificate signing request (CSR) for an existing Java keystore:

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

Generate a keystore and self-signed certificate:

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

How to Import Root & Intermediate by Java Keytool Commands

Import an intermediate CA certificate to an existing Java keystore:

keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore keystore.jks

Import a root CA certificate to an existing Java keystore:

keytool -import -trustcacerts -alias root -file root.crt -keystore keystore.jks

Import a signed SSL primary certificate to an existing Java keystore:

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

How to Check Certificate Information by Java Keytool Commands

Check a stand-alone certificate:

keytool -printcert -v -file mydomain.crt

Check which certificates are in a Java keystore:

keytool -list -v -keystore keystore.jks

Check a particular keystore entry using an alias:

keytool -list -v -keystore keystore.jks -alias mydomain

How to Change Keystore Type by Java Keytool Commands

PFX keystore to JKS keystore:

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks -deststoretype JKS

JKS keystore to PFX keystore:

keytool -importkeystore -srckeystore myjksfile.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore newpfxkeystore.pfx

Other Useful Java Keytool Commands

Delete a certificate from a Java Keytool keystore:

keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password:

keytool -storepasswd -new newstorepass -keystore keystore.jks

Export a certificate from a keystore:

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

List Trusted CA Certs:

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Import New CA into Trusted Certs:

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias mydomain -keystore $JAVA_HOME/jre/lib/security/cacerts

That was easy, wasn’t it? Well, most things are. We hope this blog helped you do whatever you were looking for. Don’t forget to give this blog your rating. And if you want to convert your certificate from one format to another, use our easy-to-use guide.



Comodo Positive SSL


Vendor Price: $41.73

Coupon Code: ASCSCPSSL4

Get It Now



RapidSSL Certificate


Vendor Price: $69

Coupon Code: ASRSRSSL2

Get It Now



Comodo PositiveSSL Multi-Domain

$17.54 – 2 SAN Included

Vendor Price: $41.73

Coupon Code: ASCSCPMD4

Get It Now

Disclosure: AboutSSL appreciates your continuous support. It helps us tremendously to keep moving in the competitive SSL industry. Here most of the links which direct you to buy any SSL/TLS related service or products earns us a certain percentage of referral commission. Learn More