Java Keytool Commands

by Anish

Posted on Saturday September 29, 2018

Reader Note

This sample chapter extracted from the book, The Modern Cryptograhy CookBook . The Book theme isCryptography is for EveryOne. Learn from Crypto Principle to Applied Cryptography With Practical Example

Get this book on Just $9 by availing coupon discount

keytool is a key and certificate management utility, keytool stores the keys and certificates in a keystore.

Generate Keystore

Option Defaults

  • -alias "mykey"

  • -keyalg
    "DSA" (when using -genkeypair)
    "DES" (when using -genseckey)

  • -keysize
    2048 (when using -genkeypair and -keyalg is "RSA")
    1024 (when using -genkeypair and -keyalg is "DSA")
    256 (when using -genkeypair and -keyalg is "EC")
    56 (when using -genseckey and -keyalg is "DES")
    168 (when using -genseckey and -keyalg is "DESede")

  • -validity 90

  • -keystore the file named .keystore in the user’s home directory

  • -file stdin if reading, stdout if writing

  • -protected false

Generate RSA key pair

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Generate DSA key pair

 keytool -genkey -alias mydomain1 -keyalg DSA -keystore keystore.jks -keysize 2048

Generate EC key pair

keytool -genkey -alias mydomain3 -keyalg EC -keystore keystore.jks -keysize 256

Alternatively storepass can be passed

keytool -genkey -keyalg RSA -alias domain1 -keystore keystore.jks  -storepass hello123 -validity 360 -keysize 2048

Generate CSR from existing keystore

Generate a certificate signing request (CSR) for an existing Java keystore

keytool -certreq -alias mydomain -keystore keystore.jks -file  8gwifi.csr

This will generate a new CSR pem encoded begins with -----BEGIN NEW CERTIFICATE REQUEST----- ends -----END NEW CERTIFICATE REQUEST-----

List Keystore

The keytool -list prints the contents of the keystore entry identified by alias. If no alias is specified, the contents of the entire keystore are printed.

keytool -list -keystore keystore.jks
Enter keystore password:  

This will list out all certificate finger print added in the keystore

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

mydomain3, Aug 1, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 65:9A:6F:43:2C:10:E7:56:4C:EF:B7:70:0B:3D:A8:66:41:DA:5B:22
mydomain1, Aug 1, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA1): DB:3E:30:83:C8:FD:E3:A5:28:BB:0B:D7:3B:FD:ED:B2:9B:75:46:37
mydomain, Aug 1, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA1): C5:A4:D7:24:10:70:FA:4C:57:36:1C:32:A6:AE:BA:2A:72:A6:33:DB

verbose option check

keytool -list -v -keystore keystore.jks

Check a particular keystore entry using -alias option

keytool -list -v -keystore keystore.jks -alias mydomain

Import rootCA to Keystore

  • Import a root or intermediate CA certificate to an existing Java keystore

     keytool -import -trustcacerts -alias root -file rootCA.pem -keystore keystore.jks
     Enter keystore password:  
     Owner:, OU=Cryptography, O=8gwifi, L=IN, ST=BLR, C=IN
     Issuer:, OU=Cryptography, O=8gwifi, L=IN, ST=BLR, C=IN
     Serial number: c12f5c50dd458faf
     Valid from: Wed Aug 01 09:37:03 IST 2018 until: Fri May 21 09:37:03 IST 2021
     Certificate fingerprints:
          MD5:  B9:88:92:11:11:ED:74:B6:D1:92:DB:61:07:60:34:B3
          SHA1: 00:E7:41:90:9F:3E:1D:DA:B0:C0:18:6B:C2:34:E7:71:38:B7:57:3C
          SHA256: 68:D4:CA:2B:23:0E:7B:EB:A6:C3:AE:FB:57:B9:A4:A3:F0:E3:FA:33:53:E9:89:99:4E:3A:18:F2:26:8C:52:BF
          Signature algorithm name: SHA256withRSA
          Version: 3

Import a Certificate to keystore

Import a primary certificate to an existing Java keystore, The procedure is same for importing Certificate/intermediateCA/rootCA

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Import CA into Trusted Certs

Import CA into Trusted Certs $JAVA_HOME/jre/lib/security/cacerts

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Import DER in keystore

Change format from cert.crt from PEM (----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----) to DER

openssl x509 -in cert.crt -inform PEM -out cert.der -outform DER

Create KeyStore keystore.jks for your domain ("alias" in keytool, "common name" or CN in openssl req)

keytool -import -trustcacerts -alias 8gwifi -file cert.der -keystore keystore.jks

Import PKCS12 in Keystore

Convert the certificate and private key to PKCS 12 (.p12)

openssl pkcs12 -export -in rootCA.pem -inkey rootCA.key -out my.p12
Enter pass phrase for rootCA.key:
Enter Export Password:
Verifying - Enter Export Password:

Then add the my.p12 in the key store

$ keytool -v -importkeystore -srckeystore my.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
Enter destination keystore password:  
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing keystore.jks]

Export Certificate from Keystore

Export a certificate from a keystore

    keytool -export -alias mydomain -file mydomain.crt -keystore  keystore.jks
    Enter keystore password:
    Certificate stored in file <mydomain.crt>

Check Keystore

Check a stand-alone certificate

    keytool -printcert -v -file mydomain.crt

The output

Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 490e614f
Valid from: Wed Aug 01 09:23:55 IST 2018 until: Tue Oct 30 09:23:55 IST 2018
Certificate fingerprints:
     MD5:  99:BC:8E:3B:54:AC:69:0E:FC:44:6F:5D:FC:5D:B5:2B
     SHA1: C5:A4:D7:24:10:70:FA:4C:57:36:1C:32:A6:AE:BA:2A:72:A6:33:DB
     SHA256: 9E:22:F6:1F:78:BD:A7:01:35:26:DF:01:DE:85:4E:63:27:63:0C:E8:69:6F:39:2D:37:65:F7:77:4A:57:04:11
     Signature algorithm name: SHA256withRSA
     Version: 3

Delete Alias from Keystore

Delete a certificate from a Java Keytool keystore

keytool -delete -alias mydomain2 -keystore keystore.jks

Change keystore password

keytool -storepasswd -new new_storepass -keystore keystore.jks


Android related kyetool command used for debug and troubleshooting, though keytool is agnostic to platform (android or linux env) and it’s a cert and key managed tool, this section will help android user to locate and troubleshoot android keytsore which is present in apk file

Generate Debug Keystore

keystore Description
-keystore debug.keystore
-storepass mykeystorepassword
-alias myalias
-keypass myandroidpass
-keyalg RSA
-dname C=US, O=Android, CN=Android Debug
keytool -genkey -v -keystore my.keystore -storepass mykeystorepassword -alias myalias -keypass myandroid -keyalg RSA -keysize 2048 -validity 10000 -dname "C=US, O=Android, CN=Android Debug"

This will generate debug.keystore

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
for: C=US, O=Android, CN=Android Debug
[Storing my.keystore]

Similar process will go to create release.keystore with CN name Modification

Get Key Fingerprints

To get the keystore certificate fingerprints of a given alias you can do:

keytool -list -v -keystore [keystore path] -alias [alias-name] -storepass [storepass] -keypass [keypass] 

The certificate fingerprints

$ keytool -list -v -keystore debug.keystore  -alias myalias  -storepass mykeystorepassword  -keypass myandroid
Alias name: myalias
Creation date: Aug 1, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 3ca33a60
Valid from: Wed Aug 01 08:24:42 IST 2018 until: Sun Dec 17 08:24:42 IST 2045
Certificate fingerprints:
     MD5:  57:C6:C5:06:1C:29:69:9E:EF:E0:A4:35:3A:3F:37:ED
     SHA1: D1:FC:1A:52:BA:43:AE:D0:42:46:22:A5:3F:38:10:D7:7B:BB:05:B5
     SHA256: C3:B2:F7:35:24:C1:51:C7:DD:DB:9F:54:BA:B4:D4:8D:2C:EC:A7:2B:04:40:1A:54:A5:B8:4C:35:33:14:34:78
     Signature algorithm name: SHA256withRSA
     Version: 3

if you don’t know the alias name list down your keystore

$ keytool -list -v -keystore debug.keystore
Enter keystore password: 

Verify APK signature

keytool -list -printcert -jarfile application.apk

Using jarsigner

jarsigner -verify -verbose -certs application.apk
jarsigner -verify -verbose:summary -certs application.apk

Verify APK keystore signature

find out which keystore was used to sign an app?

  • Unzip apk

  • Get MD5 and SHA1 of certificate of APK:

     $ keytool -printcert -file ./META-INF/ANDROID_.RSA
  • Get MD5 and SHA1 of keystore:

     $ keytool -list -keystore signing-key.keystore

Compare MD5/SHA1 and if they are the same, so the APK was signed with signing-key.keystore.

Export Certificate

$ keytool -exportcert -alias myalias -keystore debug.keystore -file path_to_certificate_file
Enter keystore password:  
Certificate stored in file <path_to_certificate_file>

Thanku for reading !!! Give a Share for Support

Asking for donation sound bad to me, so i'm raising fund from by offering all my Nine book for just $9

python Cryptography Topics
For Coffee/ Beer/ Amazon Bill and further development of the project Support by Purchasing, The Modern Cryptography CookBook for Just $9 Coupon Price

Kubernetes for DevOps

Hello Dockerfile

Cryptography for Python Developers

Cryptography for JavaScript Developers

Go lang ryptography for Developers