· 6 years ago · Jan 23, 2020, 01:52 AM
1Manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.
2
3Synopsis
4keytool [commands]
5
6commands
7See Commands. These commands are categorized by task as follows:
8
9Create or Add Data to the Keystore
10
11-gencert
12
13-genkeypair
14
15-genseckey
16
17-importcert
18
19-importpassword
20
21Import Contents From Another Keystore
22
23-importkeystore
24
25Generate Certificate Request
26
27-certreq
28
29Export Data
30
31-exportcert
32
33Display Data
34
35-list
36
37-printcert
38
39-printcertreq
40
41-printcrl
42
43Manage the Keystore
44
45-storepasswd
46
47-keypasswd
48
49-delete
50
51-changealias
52
53Get Help
54
55-help
56
57Description
58The keytool command is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself or herself to other users and services) or data integrity and authentication services, using digital signatures. The keytool command also enables users to cache the public keys (in the form of certificates) of their communicating peers.
59
60A certificate is a digitally signed statement from one entity (person, company, and so on.), that says that the public key (and some other information) of some other entity has a particular value. (See Certificate.) When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data comes from whoever claims to have created and signed it.
61
62The keytool command also enables users to administer secret keys and passphrases used in symmetric encryption and decryption (DES).
63
64The keytool command stores the keys and certificates in a keystore. See KeyStore aliases.
65
66Command and Option Notes
67See Commands for a listing and description of the various commands.
68
69All command and option names are preceded by a minus sign (-).
70
71The options for each command can be provided in any order.
72
73All items not italicized or in braces or brackets are required to appear as is.
74
75Braces surrounding an option signify that a default value will be used when the option is not specified on the command line. See Option Defaults. Braces are also used around the -v, -rfc, and -J options, which only have meaning when they appear on the command line. They do not have any default values other than not existing.
76
77Brackets surrounding an option signify that the user is prompted for the values when the option is not specified on the command line. For the -keypass option, if you do not specify the option on the command line, then the keytool command first attempts to use the keystore password to recover the private/secret key. If this attempt fails, then the keytool command prompts you for the private/secret key password.
78
79Items in italics (option values) represent the actual values that must be supplied. For example, here is the format of the -printcert command:
80
81keytool -printcert {-file cert_file} {-v}
82When you specify a -printcert command, replace cert_file with the actual file name, as follows: keytool -printcert -file VScert.cer
83
84Option values must be put in quotation marks when they contain a blank (space).
85
86The -help option is the default. The keytool command is the same as keytool -help.
87
88Option Defaults
89The following examples show the defaults for various option values.
90
91-alias "mykey"
92
93-keyalg
94 "DSA" (when using -genkeypair)
95 "DES" (when using -genseckey)
96
97-keysize
98 2048 (when using -genkeypair and -keyalg is "RSA")
99 1024 (when using -genkeypair and -keyalg is "DSA")
100 256 (when using -genkeypair and -keyalg is "EC")
101 56 (when using -genseckey and -keyalg is "DES")
102 168 (when using -genseckey and -keyalg is "DESede")
103
104-validity 90
105
106-keystore <the file named .keystore in the user's home directory>
107
108-storetype <the value of the "keystore.type" property in the
109 security properties file, which is returned by the static
110 getDefaultType method in java.security.KeyStore>
111
112-file
113 stdin (if reading)
114 stdout (if writing)
115
116-protected false
117In generating a public/private key pair, the signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key:
118
119If the underlying private key is of type DSA, then the -sigalg option defaults to SHA1withDSA.
120
121If the underlying private key is of type RSA, then the -sigalg option defaults to SHA256withRSA.
122
123If the underlying private key is of type EC, then the -sigalg option defaults to SHA256withECDSA.
124
125For a full list of -keyalg and -sigalg arguments, see Java Cryptography Architecture (JCA) Reference Guide at
126http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
127
128Common Options
129The -v option can appear for all commands except -help. When the -v option appears, it signifies verbose mode, which means that more information is provided in the output.
130
131There is also a -Jjavaoption argument that can appear for any command. When the -Jjavaoption appears, the specified javaoption string is passed directly to the Java interpreter. This option does not contain any spaces. It is useful for adjusting the execution environment or memory usage. For a list of possible interpreter options, type java -h or java -X at the command line.
132
133These options can appear for all commands operating on a keystore:
134
135-storetype storetype
136This qualifier specifies the type of keystore to be instantiated.
137
138-keystore keystore
139The keystore location.
140
141If the JKS storetype is used and a keystore file does not yet exist, then certain keytool commands can result in a new keystore file being created. For example, if keytool -genkeypair is called and the -keystore option is not specified, the default keystore file named .keystore in the user's home directory is created when it does not already exist. Similarly, if the -keystore ks_file option is specified but ks_file does not exist, then it is created. For more information on the JKS storetype, see the KeyStore Implementation section in KeyStore aliases.
142
143Note that the input stream from the -keystore option is passed to the KeyStore.load method. If NONE is specified as the URL, then a null stream is passed to the KeyStore.load method. NONE should be specified if the keystore is not file-based. For example, when it resides on a hardware token device.
144
145-storepass[:env| :file] argument
146The password that is used to protect the integrity of the keystore.
147
148If the modifier env or file is not specified, then the password has the value argument, which must be at least 6 characters long. Otherwise, the password is retrieved as follows:
149
150env: Retrieve the password from the environment variable named argument.
151
152file: Retrieve the password from the file named argument.
153
154Note: All other options that require passwords, such as -keypass, -srckeypass, -destkeypass, -srcstorepass, and -deststorepass, accept the env and file modifiers. Remember to separate the password option and the modifier with a colon (:).
155
156The password must be provided to all commands that access the keystore contents. For such commands, when the -storepass option is not provided at the command line, the user is prompted for it.
157
158When retrieving information from the keystore, the password is optional. If no password is specified, then the integrity of the retrieved information cannot be verified and a warning is displayed.
159
160-providername provider_name
161Used to identify a cryptographic service provider's name when listed in the security properties file.
162
163-providerclass provider_class_name
164Used to specify the name of a cryptographic service provider's master class file when the service provider is not listed in the security properties file.
165
166-providerarg provider_arg
167Used with the -providerclass option to represent an optional string input argument for the constructor of provider_class_name.
168
169-protected
170Either true or false. This value should be specified as true when a password must be specified by way of a protected authentication path such as a dedicated PIN reader.Because there are two keystores involved in the -importkeystore command, the following two options -srcprotected and -destprotected are provided for the source keystore and the destination keystore respectively.
171
172-ext {name{:critical} {=value}}
173Denotes an X.509 certificate extension. The option can be used in -genkeypair and -gencert to embed extensions into the certificate generated, or in -certreq to show what extensions are requested in the certificate request. The option can appear multiple times. The name argument can be a supported extension name (see Named Extensions) or an arbitrary OID number. The value argument, when provided, denotes the argument for the extension. When value is omitted, that means that the default value of the extension or the extension requires no argument. The :critical modifier, when provided, means the extension's isCritical attribute is true; otherwise, it is false. You can use :c in place of :critical.
174
175Named Extensions
176The keytool command supports these named extensions. The names are not case-sensitive).
177
178BC or BasicContraints
179Values: The full form is: ca:{true|false}[,pathlen:<len>] or <len>, which is short for ca:true,pathlen:<len>. When <len> is omitted, you have ca:true.
180
181KU or KeyUsage
182Values: usage(,usage)*, where usage can be one of digitalSignature, nonRepudiation (contentCommitment), keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly. The usage argument can be abbreviated with the first few letters (dig for digitalSignature) or in camel-case style (dS for digitalSignature or cRLS for cRLSign), as long as no ambiguity is found. The usage values are case-sensitive.
183
184EKU or ExtendedKeyUsage
185Values: usage(,usage)*, where usage can be one of anyExtendedKeyUsage, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, OCSPSigning, or any OID string. The usage argument can be abbreviated with the first few letters or in camel-case style, as long as no ambiguity is found. The usage values are case-sensitive.
186
187SAN or SubjectAlternativeName
188Values: type:value(,type:value)*, where type can be EMAIL, URI, DNS, IP, or OID. The value argument is the string format value for the type.
189
190IAN or IssuerAlternativeName
191Values: Same as SubjectAlternativeName.
192
193SIA or SubjectInfoAccess
194Values: method:location-type:location-value (,method:location-type:location-value)*, where method can be timeStamping, caRepository or any OID. The location-type and location-value arguments can be any type:value supported by the SubjectAlternativeName extension.
195
196AIA or AuthorityInfoAccess
197Values: Same as SubjectInfoAccess. The method argument can be ocsp,caIssuers, or any OID.
198
199When name is OID, the value is the hexadecimal dumped DER encoding of the extnValue for the extension excluding the OCTET STRING type and length bytes. Any extra character other than standard hexadecimal numbers (0-9, a-f, A-F) are ignored in the HEX string. Therefore, both 01:02:03:04 and 01020304 are accepted as identical values. When there is no value, the extension has an empty value field.
200
201A special name honored, used in -gencert only, denotes how the extensions included in the certificate request should be honored. The value for this name is a comma separated list of all (all requested extensions are honored), name{:[critical|non-critical]} (the named extension is honored, but using a different isCritical attribute) and -name (used with all, denotes an exception). Requested extensions are not honored by default.
202
203If, besides the -ext honored option, another named or OID -ext option is provided, this extension is added to those already honored. However, if this name (or OID) also appears in the honored value, then its value and criticality overrides the one in the request.
204
205The subjectKeyIdentifier extension is always created. For non-self-signed certificates, the authorityKeyIdentifier is created.
206
207Note: Users should be aware that some combinations of extensions (and other certificate fields) may not conform to the Internet standard. See Certificate Conformance Warning.
208
209Commands
210-gencert
211{-rfc}: Output in RFC (Request For Comment) style
212
213{-infile infile}: Input file name
214
215{-outfile outfile}: Output file name
216
217{-alias alias}: Alias name of the entry to process
218
219{-sigalg sigalg}: Signature algorithm name
220
221{-dname dname}: Distinguished name
222
223{-startdate startdate}: Certificate validity start date and time
224
225{-ext ext}*: X.509 extension
226
227{-validity days}: Validity number of days
228
229[-keypass arg]: Key password
230
231{-keystore keystore}: Keystore name
232
233[-storepass arg]: Keystore password
234
235{-storetype type}: Keystore type
236
237{-providername name}: Provider name
238
239{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument. For example, if MyProvider is a legacy provider loaded via reflection,
240
241keytool -providerclass com.example.MyProvider ...
242{-providerpath list}: Provider classpath
243
244{-v}: Verbose output
245
246{-protected}: Password provided through a protected mechanism
247
248Generates a certificate as a response to a certificate request file (which can be created by the keytool -certreq command). The command reads the request from infile (if omitted, from the standard input), signs it using alias's private key, and outputs the X.509 certificate into outfile (if omitted, to the standard output). When-rfc is specified, the output format is Base64-encoded PEM; otherwise, a binary DER is created.
249
250The sigalg value specifies the algorithm that should be used to sign the certificate. The startdate argument is the start time and date that the certificate is valid. The valDays argument tells the number of days for which the certificate should be considered valid.
251
252When dname is provided, it is used as the subject of the generated certificate. Otherwise, the one from the certificate request is used.
253
254The ext value shows what X.509 extensions will be embedded in the certificate. Read Common Options for the grammar of -ext.
255
256The -gencert option enables you to create certificate chains. The following example creates a certificate, e1, that contains three certificates in its certificate chain.
257
258The following commands creates four key pairs named ca, ca1, ca2, and e1:
259
260keytool -alias ca -dname CN=CA -genkeypair
261keytool -alias ca1 -dname CN=CA -genkeypair
262keytool -alias ca2 -dname CN=CA -genkeypair
263keytool -alias e1 -dname CN=E1 -genkeypair
264The following two commands create a chain of signed certificates; ca signs ca1 and ca1 signs ca2, all of which are self-issued:
265
266keytool -alias ca1 -certreq |
267 keytool -alias ca -gencert -ext san=dns:ca1 |
268 keytool -alias ca1 -importcert
269
270keytool -alias ca2 -certreq |
271 $KT -alias ca1 -gencert -ext san=dns:ca2 |
272 $KT -alias ca2 -importcert
273The following command creates the certificate e1 and stores it in the file e1.cert, which is signed by ca2. As a result, e1 should contain ca, ca1, and ca2 in its certificate chain:
274
275keytool -alias e1 -certreq | keytool -alias ca2 -gencert > e1.cert
276-genkeypair
277{-alias alias}: Alias name of the entry to process
278
279{-keyalg alg}: Key algorithm name
280
281{-keysize size}: Key bit size
282
283{-sigalg alg}: Signature algorithm name
284
285-destalias alias: Destination alias
286
287[-dname name]: Distinguished name
288
289{-startdate date}: Certificate validity start date and time
290
291[-ext value]*: X.509 extension
292
293{-validity days}: Validity number of days
294
295[-keypass arg]: Key password
296
297{-keystore keystore}: Keystore name
298
299[-storepass arg]: Keystore password
300
301{-storetype type}: Keystore type
302
303{-providername name}: Provider name
304
305{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
306
307{-providerpath list}: Provider classpath
308
309{-v}: Verbose output
310
311{-protected}: Password provided through a protected mechanism
312
313Generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias.
314
315The keyalg value specifies the algorithm to be used to generate the key pair, and the keysize value specifies the size of each key to be generated. The sigalg value specifies the algorithm that should be used to sign the self-signed certificate. This algorithm must be compatible with the keyalg value.
316
317The dname value specifies the X.500 Distinguished Name to be associated with the value of alias, and is used as the issuer and subject fields in the self-signed certificate. If no distinguished name is provided at the command line, then the user is prompted for one.
318
319The value of keypass is a password used to protect the private key of the generated key pair. If no password is provided, then the user is prompted for it. If you press the Return key at the prompt, then the key password is set to the same password as the keystore password. The keypass value must be at least 6 characters.
320
321The value of startdate specifies the issue time of the certificate, also known as the "Not Before" value of the X.509 certificate's Validity field.
322
323The option value can be set in one of these two forms:
324
325([+-]nnn[ymdHMS])+
326
327[yyyy/mm/dd] [HH:MM:SS]
328
329With the first form, the issue time is shifted by the specified value from the current time. The value is a concatenation of a sequence of subvalues. Inside each subvalue, the plus sign (+) means shift forward, and the minus sign (-) means shift backward. The time to be shifted is nnn units of years, months, days, hours, minutes, or seconds (denoted by a single character of y, m, d, H, M, or S respectively). The exact value of the issue time is calculated using the java.util.GregorianCalendar.add(int field, int amount) method on each subvalue, from left to right. For example, by specifying, the issue time will be:
330
331Calendar c = new GregorianCalendar();
332c.add(Calendar.YEAR, -1);
333c.add(Calendar.MONTH, 1);
334c.add(Calendar.DATE, -1);
335return c.getTime()
336With the second form, the user sets the exact issue time in two parts, year/month/day and hour:minute:second (using the local time zone). The user can provide only one part, which means the other part is the same as the current date (or time). The user must provide the exact number of digits as shown in the format definition (padding with 0 when shorter). When both the date and time are provided, there is one (and only one) space character between the two parts. The hour should always be provided in 24 hour format.
337
338When the option is not provided, the start date is the current time. The option can be provided at most once.
339
340The value of valDays specifies the number of days (starting at the date specified by -startdate, or the current date when -startdate is not specified) for which the certificate should be considered valid.
341
342This command was named -genkey in earlier releases. The old name is still supported in this release. The new name, -genkeypair, is preferred going forward.
343
344-genseckey
345{-alias alias}: Alias name of the entry to process
346
347[-keypass arg] : Key password
348
349{-keyalg alg}: Key algorithm name
350
351{-keysize size}: Key bit size
352
353{-keystore keystore}: Keystore name
354
355[-storepass arg]: Keystore password
356
357{-storetype type}: Keystore type
358
359{-providername name}: Provider name
360
361{-providerclass class [providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
362
363{-providerpath list}: Provider classpath
364
365{-v}: Verbose output
366
367{-protected}: Password provided through a protected mechanism
368
369Generates a secret key and stores it in a new KeyStore.SecretKeyEntry identified by alias.
370
371The value of keyalg specifies the algorithm to be used to generate the secret key, and the value of keysize specifies the size of the key to be generated. The keypass value is a password that protects the secret key. If no password is provided, then the user is prompted for it. If you press the Return key at the prompt, then the key password is set to the same password that is used for the keystore. The keypass value must be at least 6 characters.
372
373-importcert
374{-noprompt}: Do not prompt
375
376{-trustcacerts}: Trust certificates from cacerts
377
378{-protected}: Password is provided through protected mechanism
379
380{-alias alias}: Alias name of the entry to process
381
382{-file file}: Input file name
383
384[-keypass arg]: Key password
385
386{-keystore keystore}: Keystore name
387
388[-storepass arg]: Keystore password
389
390{-storetype type}: Keystore type
391
392{-providername name}: Provider name
393
394{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
395
396{-providerpath list}: Provider classpath
397
398{-v}: Verbose output
399
400Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or a sequence of X.509 certificates) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is specified, then the certificate or certificate chain is read from stdin.
401
402The keytool command can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with -----BEGIN, and bounded at the end by a string that starts with -----END.
403
404You import a certificate for two reasons: To add it to the list of trusted certificates, and to import a certificate reply received from a certificate authority (CA) as the result of submitting a Certificate Signing Request to that CA (see the -certreq option in Commands).
405
406Which type of import is intended is indicated by the value of the -alias option. If the alias does not point to a key entry, then the keytool command assumes you are adding a trusted certificate entry. In this case, the alias should not already exist in the keystore. If the alias does already exist, then the keytool command outputs an error because there is already a trusted certificate for that alias, and does not import the certificate. If the alias points to a key entry, then the keytool command assumes you are importing a certificate reply.
407
408-importpassword
409{-alias alias}: Alias name of the entry to process
410
411[-keypass arg]: Key password
412
413{-keyalg alg}: Key algorithm name
414
415{-keysize size}: Key bit size
416
417{-keystore keystore}: Keystore name
418
419[-storepass arg]: Keystore password
420
421{-storetype type}: Keystore type
422
423{-providername name}: Provider name
424
425{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
426
427{-providerpath list}: Provider classpath
428
429{-v}: Verbose output
430
431{-protected}: Password provided through a protected mechanism
432
433Imports a passphrase and stores it in a new KeyStore.SecretKeyEntry identified by alias. The passphrase may be supplied via the standard input stream; otherwise the user is prompted for it. keypass is a password used to protect the imported passphrase. If no password is provided, the user is prompted for it. If you press the Return key at the prompt, the key password is set to the same password as that used for the keystore. keypass must be at least 6 characters long.
434
435-importkeystore
436{-srckeystore keystore}: Source keystore name
437
438{-destkeystore keystore}: Destination keystore name
439
440{-srcstoretype type}: Source keystore type
441
442{-deststoretype type}: Destination keystore type
443
444[-srcstorepass arg]: Source keystore password
445
446[-deststorepass arg]: Destination keystore password
447
448{-srcprotected Source keystore password protected
449
450{-srcprovidername name}: Source keystore provider name
451
452{-destprotected}: Destination keystore password protected
453
454{-destprovidername name}: Destination keystore provider name
455
456{-srcalias alias}: Source alias
457
458{-destalias alias}: Destination alias
459
460[-srckeypass arg]: Source key password
461
462[-destkeypass arg]: Destination key password
463
464{-noprompt}: Do not prompt
465
466{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument
467
468{-providerpath list}: Provider classpath
469
470{-v}: Verbose output
471
472Imports a single entry or all entries from a source keystore to a destination keystore.
473
474When the -srcalias option is provided, the command imports the single entry identified by the alias to the destination keystore. If a destination alias is not provided with destalias, then srcalias is used as the destination alias. If the source entry is protected by a password, then srckeypass is used to recover the entry. If srckeypass is not provided, then the keytool command attempts to use srcstorepass to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. The destination entry is protected with destkeypass. If destkeypass is not provided, then the destination entry is protected with the source entry password. For example, most third-party tools require storepass and keypass in a PKCS #12 keystore to be the same. In order to create a PKCS #12 keystore for these tools, always specify a -destkeypass to be the same as -deststorepass.
475
476If the -srcalias option is not provided, then all entries in the source keystore are imported into the destination keystore. Each destination entry is stored under the alias from the source entry. If the source entry is protected by a password, then srcstorepass is used to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. If a source keystore entry type is not supported in the destination keystore, or if an error occurs while storing an entry into the destination keystore, then the user is prompted whether to skip the entry and continue or to quit. The destination entry is protected with the source entry password.
477
478If the destination alias already exists in the destination keystore, then the user is prompted to either overwrite the entry or to create a new entry under a different alias name.
479
480If the -noprompt option is provided, then the user is not prompted for a new destination alias. Existing entries are overwritten with the destination alias name. Entries that cannot be imported are skipped and a warning is displayed.
481
482-printcertreq
483{-file file}: Input file name
484
485{-v}: Verbose output
486
487Prints the content of a PKCS #10 format certificate request, which can be generated by the keytool -certreq command. The command reads the request from file. If there is no file, then the request is read from the standard input.
488
489-certreq
490{-alias alias}: Alias name of the entry to process
491
492{-sigalg alg}: Signature algorithm name
493
494{-file file}: Output file name
495
496[-keypass arg]: Key password
497
498{-keystore keystore}: Keystore name
499
500{-dname name}: Distinguished name
501
502[-storepass arg]: Keystore password
503
504{-storetype type}: Keystore type
505
506{-providername name}: Provider name
507
508{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
509
510{-providerpath list}: Provider classpath
511
512{-v}: Verbose output
513
514{-protected }: Password provided through a protected mechanism
515
516Generates a Certificate Signing Request (CSR) using the PKCS #10 format.
517
518A CSR is intended to be sent to a certificate authority (CA). The CA authenticates the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
519
520The private key associated with alias is used to create the PKCS #10 certificate request. To access the private key, the correct password must be provided. If keypass is not provided at the command line and is different from the password used to protect the integrity of the keystore, then the user is prompted for it. If dname is provided, then it is used as the subject in the CSR. Otherwise, the X.500 Distinguished Name associated with alias is used.
521
522The sigalg value specifies the algorithm that should be used to sign the CSR.
523
524The CSR is stored in the file certreq_file. If no file is specified, then the CSR is output to stdout.
525
526Use the importcert command to import the response from the CA.
527
528-exportcert
529{-rfc}: Output in RFC style
530
531{-alias alias}: Alias name of the entry to process
532
533{-file file}: Output file name
534
535{-keystore keystore}: Keystore name
536
537[-storepass arg]: Keystore password
538
539{-storetype type}: Keystore type
540
541{-providername name}: Provider name
542
543{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
544
545{-providerpath list}: Provider classpath
546
547{-v }: Verbose output
548
549{-protected}: Password provided through a protected mechanism
550
551Reads from the keystore the certificate associated with alias and stores it in the cert_file file. When no file is specified, the certificate is output to stdout.
552
553The certificate is by default output in binary encoding. If the -rfc option is specified, then the output in the printable encoding format defined by the Internet RFC 1421 Certificate Encoding Standard.
554
555If alias refers to a trusted certificate, then that certificate is output. Otherwise, alias refers to a key entry with an associated certificate chain. In that case, the first certificate in the chain is returned. This certificate authenticates the public key of the entity addressed by alias.
556
557This command was named -export in earlier releases. The old name is still supported in this release. The new name, -exportcert, is preferred going forward.
558
559-list
560{-rfc}: Output in RFC style
561
562{-alias alias}: Alias name of the entry to process
563
564{-keystore keystore}: Keystore name
565
566[-storepass arg]: Keystore password
567
568{-storetype type}: Keystore type
569
570{-providername name}: Provider name
571
572{-providerclass class [-providerarg arg] }: Add security provider by fully qualified class name with an optional configure argument.
573
574{-providerpath list}: Provider classpath
575
576{-v}: Verbose output
577
578{-protected}: Password provided through a protected mechanism
579
580Prints to stdout the contents of the keystore entry identified by alias. If no alias is specified, then the contents of the entire keystore are printed.
581
582This command by default prints the SHA1 fingerprint of a certificate. If the -v option is specified, then the certificate is printed in human-readable format, with additional information such as the owner, issuer, serial number, and any extensions. If the -rfc option is specified, then the certificate contents are printed using the printable encoding format, as defined by the Internet RFC 1421 Certificate Encoding Standard.
583
584You cannot specify both -v and -rfc.
585
586-printcert
587{-rfc}: Output in RFC style
588
589{-file cert_file}: Input file name
590
591{-sslserver server[:port]}: Secure Sockets Layer (SSL) server host and port
592
593{-jarfile JAR_file}: Signed .jar file
594
595{-v}: Verbose output
596
597p>Reads the certificate from the file cert_file, the SSL server located at host:port, or the signed JAR file JAR_file (with the -jarfile option) and prints its contents in a human-readable format. When no port is specified, the standard HTTPS port 443 is assumed. Note that -sslserver and -file options cannot be provided at the same time. Otherwise, an error is reported. If neither option is specified, then the certificate is read from stdin.
598
599When -rfc is specified, the keytool command prints the certificate in PEM mode as defined by the Internet RFC 1421 Certificate Encoding standard. See Internet RFC 1421 Certificate Encoding Standard.
600
601If the certificate is read from a file or stdin, then it might be either binary encoded or in printable encoding format, as defined by the RFC 1421 Certificate Encoding standard.
602
603If the SSL server is behind a firewall, then the -J-Dhttps.proxyHost=proxyhost and -J-Dhttps.proxyPort=proxyport options can be specified on the command line for proxy tunneling. See Java Secure Socket Extension (JSSE) Reference Guide at
604http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
605
606Note: This option can be used independently of a keystore.
607
608-printcrl
609-file crl: Input file name
610
611{-v}: Verbose output
612
613Reads the Certificate Revocation List (CRL) from the file crl. A CRL is a list of digital certificates that were revoked by the CA that issued them. The CA generates the crl file.
614
615Note: This option can be used independently of a keystore.
616
617-storepasswd
618[-new arg]: New password
619
620{-keystore keystore}: Keystore name
621
622[-storepass arg]: Keystore password
623
624{-storetype type}: Keystore type
625
626{-providername name}: Provider name
627
628{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
629
630{-providerpath list}: Provider classpath
631
632{-v}: Verbose output
633
634Changes the password used to protect the integrity of the keystore contents. The new password is new_storepass, which must be at least 6 characters.
635
636-keypasswd
637{-alias alias}: Alias name of the entry to process
638
639[-keypass old_keypass]: Key password
640
641[-new new_keypass]: New password
642
643{-keystore keystore}: Keystore name
644
645{-storepass arg}: Keystore password
646
647{-storetype type}: Keystore type
648
649{-providername name}: Provider name
650
651{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
652
653{-providerpath list}: Provider classpath
654
655{-v}: Verbose output
656
657Changes the password under which the private/secret key identified by alias is protected, from old_keypass to new_keypass, which must be at least 6 characters.
658
659If the -keypass option is not provided at the command line, and the key password is different from the keystore password, then the user is prompted for it.
660
661If the -new option is not provided at the command line, then the user is prompted for it
662
663-delete
664[-alias alias]: Alias name of the entry to process
665
666{-keystore keystore}: Keystore name
667
668[-storepass arg]: Keystore password
669
670{-storetype type}: Keystore type
671
672{-providername name}: Provider name
673
674{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
675
676{-providerpath list}: Provider classpath
677
678{-v}: Verbose output
679
680{-protected}: Password provided through a protected mechanism
681
682Deletes from the keystore the entry identified by alias. The user is prompted for the alias, when no alias is provided at the command line.
683
684-changealias
685{-alias alias}: Alias name of the entry to process
686
687[-destalias alias]: Destination alias
688
689[-keypass arg]: Key password
690
691{-keystore keystore}: Keystore name
692
693[-storepass arg]: Keystore password
694
695{-storetype type}: Keystore type
696
697{-providername name}: Provider name
698
699{-providerclass class [-providerarg arg]}: Add security provider by fully qualified class name with an optional configure argument.
700
701{-providerpath list}: Provider classpath
702
703{-v}: Verbose output
704
705{-protected}: Password provided through a protected mechanism
706
707Move an existing keystore entry from the specified alias to a new alias, destalias. If no destination alias is provided, then the command prompts for one. If the original entry is protected with an entry password, then the password can be supplied with the -keypass option. If no key password is provided, then the storepass (if provided) is attempted first. If the attempt fails, then the user is prompted for a password.
708
709-help
710Lists the basic commands and their options.
711
712For more information about a specific command, enter the following, where command_name is the name of the command: keytool -command_name -help.
713
714Examples
715This example walks through the sequence of steps to create a keystore for managing public/private key pair and certificates from trusted entities.
716
717Generate the Key Pair
718First, create a keystore and generate the key pair. You can use a command such as the following typed as a single line:
719
720keytool -genkeypair -dname "cn=Mark Jones, ou=Java, o=Oracle, c=US"
721 -alias business -keypass <new password for private key>
722 -keystore /working/mykeystore
723 -storepass <new password for keystore> -validity 180
724The command creates the keystore named mykeystore in the working directory (assuming it does not already exist), and assigns it the password specified by <new password for keystore>. It generates a public/private key pair for the entity whose distinguished name has a common name of Mark Jones, organizational unit of Java, organization of Oracle and two-letter country code of US. It uses the default DSA key generation algorithm to create the keys; both are 1024 bits.
725
726The command uses the default SHA1withDSA signature algorithm to create a self-signed certificate that includes the public key and the distinguished name information. The certificate is valid for 180 days, and is associated with the private key in a keystore entry referred to by the alias business. The private key is assigned the password specified by <new password for private key>.
727
728The command is significantly shorter when the option defaults are accepted. In this case, no options are required, and the defaults are used for unspecified options that have default values. You are prompted for any required values. You could have the following:
729
730keytool -genkeypair
731In this case, a keystore entry with the alias mykey is created, with a newly generated key pair and a certificate that is valid for 90 days. This entry is placed in the keystore named .keystore in your home directory. The keystore is created when it does not already exist. You are prompted for the distinguished name information, the keystore password, and the private key password.
732
733The rest of the examples assume you executed the -genkeypair command without options specified, and that you responded to the prompts with values equal to those specified in the first -genkeypair command. For example, a distinguished name of cn=Mark Jones, ou=Java, o=Oracle, c=US).
734
735Request a Signed Certificate from a CA
736Generating the key pair created a self-signed certificate. A certificate is more likely to be trusted by others when it is signed by a Certification Authority (CA). To get a CA signature, first generate a Certificate Signing Request (CSR), as follows:
737
738keytool -certreq -file MarkJ.csr
739This creates a CSR for the entity identified by the default alias mykey and puts the request in the file named MarkJ.csr. Submit this file to a CA, such as VeriSign. The CA authenticates you, the requestor (usually off-line), and returns a certificate, signed by them, authenticating your public key. In some cases, the CA returns a chain of certificates, each one authenticating the public key of the signer of the previous certificate in the chain.
740
741Import a Certificate for the CA
742You now need to replace the self-signed certificate with a certificate chain, where each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a root CA.
743
744Before you import the certificate reply from a CA, you need one or more trusted certificates in your keystore or in the cacerts keystore file. See -importcert in Commands.
745
746If the certificate reply is a certificate chain, then you need the top certificate of the chain. The root CA certificate that authenticates the public key of the CA.
747
748If the certificate reply is a single certificate, then you need a certificate for the issuing CA (the one that signed it). If that certificate is not self-signed, then you need a certificate for its signer, and so on, up to a self-signed root CA certificate.
749
750The cacerts keystore file ships with several VeriSign root CA certificates, so you probably will not need to import a VeriSign certificate as a trusted certificate in your keystore. But if you request a signed certificate from a different CA, and a certificate authenticating that CA's public key was not added to cacerts, then you must import a certificate from the CA as a trusted certificate.
751
752A certificate from a CA is usually either self-signed or signed by another CA, in which case you need a certificate that authenticates that CA's public key. Suppose company ABC, Inc., is a CA, and you obtain a file named ABCCA.cer that is supposed to be a self-signed certificate from ABC, that authenticates that CA's public key. Be careful to ensure the certificate is valid before you import it as a trusted certificate. View it first with the keytool -printcert command or the keytool -importcert command without the -noprompt option, and make sure that the displayed certificate fingerprints match the expected ones. You can call the person who sent the certificate, and compare the fingerprints that you see with the ones that they show or that a secure public key repository shows. Only when the fingerprints are equal is it guaranteed that the certificate was not replaced in transit with somebody else's (for example, an attacker's) certificate. If such an attack takes place, and you did not check the certificate before you imported it, then you would be trusting anything the attacker has signed.
753
754If you trust that the certificate is valid, then you can add it to your keystore with the following command:
755
756keytool -importcert -alias abc -file ABCCA.cer
757This command creates a trusted certificate entry in the keystore, with the data from the file ABCCA.cer, and assigns the alias abc to the entry.
758
759Import the Certificate Reply from the CA
760After you import a certificate that authenticates the public key of the CA you submitted your certificate signing request to (or there is already such a certificate in the cacerts file), you can import the certificate reply and replace your self-signed certificate with a certificate chain. This chain is the one returned by the CA in response to your request (when the CA reply is a chain), or one constructed (when the CA reply is a single certificate) using the certificate reply and trusted certificates that are already available in the keystore where you import the reply or in the cacerts keystore file.
761
762For example, if you sent your certificate signing request to VeriSign, then you can import the reply with the following, which assumes the returned certificate is named VSMarkJ.cer:
763
764keytool -importcert -trustcacerts -file VSMarkJ.cer
765Export a Certificate That Authenticates the Public Key
766If you used the jarsigner command to sign a Java Archive (JAR) file, then clients that want to use the file will want to authenticate your signature. One way the clients can authenticate you is by first importing your public key certificate into their keystore as a trusted entry.
767
768You can export the certificate and supply it to your clients. As an example, you can copy your certificate to a file named MJ.cer with the following command that assumes the entry has an alias of mykey:
769
770keytool -exportcert -alias mykey -file MJ.cer
771With the certificate and the signed JAR file, a client can use the jarsigner command to authenticate your signature.
772
773Import Keystore
774The command importkeystore is used to import an entire keystore into another keystore, which means all entries from the source keystore, including keys and certificates, are all imported to the destination keystore within a single command. You can use this command to import entries from a different type of keystore. During the import, all new entries in the destination keystore will have the same alias names and protection passwords (for secret keys and private keys). If the keytool command cannot recover the private keys or secret keys from the source keystore, then it prompts you for a password. If it detects alias duplication, then it asks you for a new alias, and you can specify a new alias or simply allow the keytool command to overwrite the existing one.
775
776For example, to import entries from a typical JKS type keystore key.jks into a PKCS #11 type hardware-based keystore, use the command:
777
778keytool -importkeystore
779 -srckeystore key.jks -destkeystore NONE
780 -srcstoretype JKS -deststoretype PKCS11
781 -srcstorepass <src keystore password>
782 -deststorepass <destination keystore pwd>
783The importkeystore command can also be used to import a single entry from a source keystore to a destination keystore. In this case, besides the options you see in the previous example, you need to specify the alias you want to import. With the -srcalias option specified, you can also specify the destination alias name in the command line, as well as protection password for a secret/private key and the destination protection password you want. The following command demonstrates this:
784
785keytool -importkeystore
786 -srckeystore key.jks -destkeystore NONE
787 -srcstoretype JKS -deststoretype PKCS11
788 -srcstorepass <src keystore password>
789 -deststorepass <destination keystore pwd>
790 -srcalias myprivatekey -destalias myoldprivatekey
791 -srckeypass <source entry password>
792 -destkeypass <destination entry password>
793 -noprompt
794Generate Certificates for an SSL Server
795The following are keytool commands to generate key pairs and certificates for three entities: Root CA (root), Intermediate CA (ca), and SSL server (server). Ensure that you store all the certificates in the same keystore. In these examples, RSA is the recommended the key algorithm.
796
797keytool -genkeypair -keystore root.jks -alias root -ext bc:c
798keytool -genkeypair -keystore ca.jks -alias ca -ext bc:c
799keytool -genkeypair -keystore server.jks -alias server
800
801keytool -keystore root.jks -alias root -exportcert -rfc > root.pem
802
803keytool -storepass <storepass> -keystore ca.jks -certreq -alias ca |
804 keytool -storepass <storepass> -keystore root.jks
805 -gencert -alias root -ext BC=0 -rfc > ca.pem
806keytool -keystore ca.jks -importcert -alias ca -file ca.pem
807
808keytool -storepass <storepass> -keystore server.jks -certreq -alias server |
809 keytool -storepass <storepass> -keystore ca.jks -gencert -alias ca
810 -ext ku:c=dig,kE -rfc > server.pem
811cat root.pem ca.pem server.pem |
812 keytool -keystore server.jks -importcert -alias server
813Terms
814Keystore
815A keystore is a storage facility for cryptographic keys and certificates.
816
817Keystore entries
818Keystores can have different types of entries. The two most applicable entry types for the keytool command include the following:
819
820Key entries: Each entry holds very sensitive cryptographic key information, which is stored in a protected format to prevent unauthorized access. Typically, a key stored in this type of entry is a secret key, or a private key accompanied by the certificate chain for the corresponding public key. See Certificate Chains. The keytool command can handle both types of entries, while the jarsigner tool only handles the latter type of entry, that is private keys and their associated certificate chains.
821
822Trusted certificate entries: Each entry contains a single public key certificate that belongs to another party. The entry is called a trusted certificate because the keystore owner trusts that the public key in the certificate belongs to the identity identified by the subject (owner) of the certificate. The issuer of the certificate vouches for this, by signing the certificate.
823
824KeyStore aliases
825All keystore entries (key and trusted certificate entries) are accessed by way of unique aliases.
826
827An alias is specified when you add an entity to the keystore with the -genseckey command to generate a secret key, the -genkeypair command to generate a key pair (public and private key), or the -importcert command to add a certificate or certificate chain to the list of trusted certificates. Subsequent keytool commands must use this same alias to refer to the entity.
828
829For example, you can use the alias duke to generate a new public/private key pair and wrap the public key into a self-signed certificate with the following command. See Certificate Chains.
830
831keytool -genkeypair -alias duke -keypass dukekeypasswd
832This example specifies an initial password of dukekeypasswd required by subsequent commands to access the private key associated with the alias duke. If you later want to change Duke's private key password, use a command such as the following:
833
834keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
835This changes the password from dukekeypasswd to newpass. A password should not be specified on a command line or in a script unless it is for testing purposes, or you are on a secure system. If you do not specify a required password option on a command line, then you are prompted for it.
836
837KeyStore implementation
838The KeyStore class provided in the java.security package supplies well-defined interfaces to access and modify the information in a keystore. It is possible for there to be multiple different concrete implementations, where each implementation is that for a particular type of keystore.
839
840Currently, two command-line tools (keytool and jarsigner) and a GUI-based tool named Policy Tool make use of keystore implementations. Because the KeyStore class is public, users can write additional security applications that use it.
841
842There is a built-in default implementation, provided by Oracle. It implements the keystore as a file with a proprietary keystore type (format) named JKS. It protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password.
843
844Keystore implementations are provider-based. More specifically, the application interfaces supplied by KeyStore are implemented in terms of a Service Provider Interface (SPI). That is, there is a corresponding abstract KeystoreSpi class, also in the java.security package, which defines the Service Provider Interface methods that providers must implement. The term provider refers to a package or a set of packages that supply a concrete implementation of a subset of services that can be accessed by the Java Security API. To provide a keystore implementation, clients must implement a provider and supply a KeystoreSpi subclass implementation, as described in How to Implement a Provider in the Java Cryptography Architecture at
845http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html
846
847Applications can choose different types of keystore implementations from different providers, using the getInstance factory method supplied in the KeyStore class. A keystore type defines the storage and data format of the keystore information, and the algorithms used to protect private/secret keys in the keystore and the integrity of the keystore. Keystore implementations of different types are not compatible.
848
849The keytool command works on any file-based keystore implementation. It treats the keystore location that is passed to it at the command line as a file name and converts it to a FileInputStream, from which it loads the keystore information.)The jarsigner and policytool commands can read a keystore from any location that can be specified with a URL.
850
851For keytool and jarsigner, you can specify a keystore type at the command line, with the -storetype option. For Policy Tool, you can specify a keystore type with the Keystore menu.
852
853If you do not explicitly specify a keystore type, then the tools choose a keystore implementation based on the value of the keystore.type property specified in the security properties file. The security properties file is called java.security, and resides in the security properties directory, java.home\lib\security on Windows and java.home/lib/security on Oracle Solaris, where java.home is the runtime environment directory. The jre directory in the SDK or the top-level directory of the Java Runtime Environment (JRE).
854
855Each tool gets the keystore.type value and then examines all the currently installed providers until it finds one that implements a keystores of that type. It then uses the keystore implementation from that provider.The KeyStore class defines a static method named getDefaultType that lets applications and applets retrieve the value of the keystore.type property. The following line of code creates an instance of the default keystore type as specified in the keystore.type property:
856
857KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
858The default keystore type is jks, which is the proprietary type of the keystore implementation provided by Oracle. This is specified by the following line in the security properties file:
859
860keystore.type=jks
861To have the tools utilize a keystore implementation other than the default, you can change that line to specify a different keystore type. For example, if you have a provider package that supplies a keystore implementation for a keystore type called pkcs12, then change the line to the following:
862
863keystore.type=pkcs12
864Note: Case does not matter in keystore type designations. For example, JKS would be considered the same as jks.
865
866Certificate
867A certificate (or public-key certificate) is a digitally signed statement from one entity (the issuer), saying that the public key and some other information of another entity (the subject) has some specific value. The following terms are related to certificates:
868
869Public Keys: These are numbers associated with a particular entity, and are intended to be known to everyone who needs to have trusted interactions with that entity. Public keys are used to verify signatures.
870
871Digitally Signed: If some data is digitally signed, then it is stored with the identity of an entity and a signature that proves that entity knows about the data. The data is rendered unforgeable by signing with the entity's private key.
872
873Identity: A known way of addressing an entity. In some systems, the identity is the public key, and in others it can be anything from an Oracle Solaris UID to an email address to an X.509 distinguished name.
874
875Signature: A signature is computed over some data using the private key of an entity. The signer, which in the case of a certificate is also known as the issuer.
876
877Private Keys: These are numbers, each of which is supposed to be known only to the particular entity whose private key it is (that is, it is supposed to be kept secret). Private and public keys exist in pairs in all public key cryptography systems (also referred to as public key crypto systems). In a typical public key crypto system, such as DSA, a private key corresponds to exactly one public key. Private keys are used to compute signatures.
878
879Entity: An entity is a person, organization, program, computer, business, bank, or something else you are trusting to some degree.
880
881Public key cryptography requires access to users' public keys. In a large-scale networked environment, it is impossible to guarantee that prior relationships between communicating entities were established or that a trusted repository exists with all used public keys. Certificates were invented as a solution to this public key distribution problem. Now a Certification Authority (CA) can act as a trusted third party. CAs are entities such as businesses that are trusted to sign (issue) certificates for other entities. It is assumed that CAs only create valid and reliable certificates because they are bound by legal agreements. There are many public Certification Authorities, such as VeriSign, Thawte, Entrust, and so on.
882
883You can also run your own Certification Authority using products such as Microsoft Certificate Server or the Entrust CA product for your organization. With the keytool command, it is possible to display, import, and export certificates. It is also possible to generate self-signed certificates.
884
885The keytool command currently handles X.509 certificates.
886
887X.509 Certificates
888The X.509 standard defines what information can go into a certificate and describes how to write it down (the data format). All the data in a certificate is encoded with two related standards called ASN.1/DER. Abstract Syntax Notation 1 describes data. The Definite Encoding Rules describe a single way to store and transfer that data.
889
890All X.509 certificates have the following data, in addition to the signature:
891
892Version: This identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. Thus far, three versions are defined. The keytool command can import and export v1, v2, and v3 certificates. It generates v3 certificates.
893
894X.509 Version 1 has been available since 1988, is widely deployed, and is the most generic.
895
896X.509 Version 2 introduced the concept of subject and issuer unique identifiers to handle the possibility of reuse of subject or issuer names over time. Most certificate profile documents strongly recommend that names not be reused and that certificates should not make use of unique identifiers. Version 2 certificates are not widely used.
897
898X.509 Version 3 is the most recent (1996) and supports the notion of extensions where anyone can define an extension and include it in the certificate. Some common extensions are: KeyUsage (limits the use of the keys to particular purposes such as signing-only) and AlternativeNames (allows other identities to also be associated with this public key, for example. DNS names, email addresses, IP addresses). Extensions can be marked critical to indicate that the extension should be checked and enforced or used. For example, if a certificate has the KeyUsage extension marked critical and set to keyCertSign, then when this certificate is presented during SSL communication, it should be rejected because the certificate extension indicates that the associated private key should only be used for signing certificates and not for SSL use.
899
900Serial number: The entity that created the certificate is responsible for assigning it a serial number to distinguish it from other certificates it issues. This information is used in numerous ways. For example, when a certificate is revoked its serial number is placed in a Certificate Revocation List (CRL).
901
902Signature algorithm identifier: This identifies the algorithm used by the CA to sign the certificate.
903
904Issuer name: The X.500 Distinguished Name of the entity that signed the certificate. See X.500 Distinguished Names. This is typically a CA. Using this certificate implies trusting the entity that signed this certificate. In some cases, such as root or top-level CA certificates, the issuer signs its own certificate.
905
906Validity period: Each certificate is valid only for a limited amount of time. This period is described by a start date and time and an end date and time, and can be as short as a few seconds or almost as long as a century. The validity period chosen depends on a number of factors, such as the strength of the private key used to sign the certificate, or the amount one is willing to pay for a certificate. This is the expected period that entities can rely on the public value, when the associated private key has not been compromised.
907
908Subject name: The name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. This is the X.500 Distinguished Name (DN) of the entity. See X.500 Distinguished Names. For example,
909
910CN=Java Duke, OU=Java Software Division, O=Oracle Corporation, C=US
911These refer to the subject's common name (CN), organizational unit (OU), organization (O), and country (C).
912
913Subject public key information: This is the public key of the entity being named with an algorithm identifier that specifies which public key crypto system this key belongs to and any associated key parameters.
914
915Certificate Chains
916The keytool command can create and manage keystore key entries that each contain a private key and an associated certificate chain. The first certificate in the chain contains the public key that corresponds to the private key.
917
918When keys are first generated, the chain starts off containing a single element, a self-signed certificate. See -genkeypair in Commands. A self-signed certificate is one for which the issuer (signer) is the same as the subject. The subject is the entity whose public key is being authenticated by the certificate. Whenever the -genkeypair command is called to generate a new public/private key pair, it also wraps the public key into a self-signed certificate.
919
920Later, after a Certificate Signing Request (CSR) was generated with the -certreq command and sent to a Certification Authority (CA), the response from the CA is imported with -importcert, and the self-signed certificate is replaced by a chain of certificates. See the -certreq and -importcert options in Commands. At the bottom of the chain is the certificate (reply) issued by the CA authenticating the subject's public key. The next certificate in the chain is one that authenticates the CA's public key.
921
922In many cases, this is a self-signed certificate, which is a certificate from the CA authenticating its own public key, and the last certificate in the chain. In other cases, the CA might return a chain of certificates. In this case, the bottom certificate in the chain is the same (a certificate signed by the CA, authenticating the public key of the key entry), but the second certificate in the chain is a certificate signed by a different CA that authenticates the public key of the CA you sent the CSR to. The next certificate in the chain is a certificate that authenticates the second CA's key, and so on, until a self-signed root certificate is reached. Each certificate in the chain (after the first) authenticates the public key of the signer of the previous certificate in the chain.
923
924Many CAs only return the issued certificate, with no supporting chain, especially when there is a flat hierarchy (no intermediates CAs). In this case, the certificate chain must be established from trusted certificate information already stored in the keystore.
925
926A different reply format (defined by the PKCS #7 standard) includes the supporting certificate chain in addition to the issued certificate. Both reply formats can be handled by the keytool command.
927
928The top-level (root) CA certificate is self-signed. However, the trust into the root's public key does not come from the root certificate itself, but from other sources such as a newspaper. This is because anybody could generate a self-signed certificate with the distinguished name of, for example, the VeriSign root CA. The root CA public key is widely known. The only reason it is stored in a certificate is because this is the format understood by most tools, so the certificate in this case is only used as a vehicle to transport the root CA's public key. Before you add the root CA certificate to your keystore, you should view it with the -printcert option and compare the displayed fingerprint with the well-known fingerprint obtained from a newspaper, the root CA's Web page, and so on.
929
930The cacerts Certificates File
931A certificates file named cacerts resides in the security properties directory, java.home\lib\security on Windows and java.home/lib/security on Oracle Solaris, where java.home is the runtime environment's directory, which would be the jre directory in the SDK or the top-level directory of the JRE.
932
933The cacerts file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file with the keytool command by specifying jks as the keystore type. The cacerts keystore file ships with a default set of root CA certificates. You can list the default certificates with the following command:
934
935keytool -list -keystore java.home/lib/security/cacerts
936The initial password of the cacerts keystore file is changeit. System administrators should change that password and the default access permission of that file upon installing the SDK.
937
938Note: It is important to verify your cacerts file. Because you trust the CAs in the cacerts file as entities for signing and issuing certificates to other entities, you must manage the cacerts file carefully. The cacerts file should contain only certificates of the CAs you trust. It is your responsibility to verify the trusted root CA certificates bundled in the cacerts file and make your own trust decisions.
939
940To remove an untrusted CA certificate from the cacerts file, use the delete option of the keytool command. You can find the cacerts file in the JRE installation directory. Contact your system administrator if you do not have permission to edit this file
941
942Internet RFC 1421 Certificate Encoding Standard
943Certificates are often stored using the printable encoding format defined by the Internet RFC 1421 standard, instead of their binary encoding. This certificate format, also known as Base64 encoding, makes it easy to export certificates to other applications by email or through some other mechanism.
944
945Certificates read by the -importcert and -printcert commands can be in either this format or binary encoded. The -exportcert command by default outputs a certificate in binary encoding, but will instead output a certificate in the printable encoding format, when the -rfc option is specified.
946
947The -list command by default prints the SHA1 fingerprint of a certificate. If the -v option is specified, then the certificate is printed in human-readable format. If the -rfc option is specified, then the certificate is output in the printable encoding format.
948
949In its printable encoding format, the encoded certificate is bounded at the beginning and end by the following text:
950
951-----BEGIN CERTIFICATE-----
952
953encoded certificate goes here.
954
955-----END CERTIFICATE-----
956X.500 Distinguished Names
957X.500 Distinguished Names are used to identify entities, such as those that are named by the subject and issuer (signer) fields of X.509 certificates. The keytool command supports the following subparts:
958
959commonName: The common name of a person such as Susan Jones.
960
961organizationUnit: The small organization (such as department or division) name. For example, Purchasing.
962
963localityName: The locality (city) name, for example, Palo Alto.
964
965stateName: State or province name, for example, California.
966
967country: Two-letter country code, for example, CH.
968
969When you supply a distinguished name string as the value of a -dname option, such as for the -genkeypair command, the string must be in the following format:
970
971CN=cName, OU=orgUnit, O=org, L=city, S=state, C=countryCode
972All the italicized items represent actual values and the previous keywords are abbreviations for the following:
973
974CN=commonName
975OU=organizationUnit
976O=organizationName
977L=localityName
978S=stateName
979C=country
980A sample distinguished name string is:
981
982CN=Mark Smith, OU=Java, O=Oracle, L=Cupertino, S=California, C=US
983A sample command using such a string is:
984
985keytool -genkeypair -dname "CN=Mark Smith, OU=Java, O=Oracle, L=Cupertino,
986S=California, C=US" -alias mark
987Case does not matter for the keyword abbreviations. For example, CN, cn, and Cn are all treated the same.
988
989Order matters; each subcomponent must appear in the designated order. However, it is not necessary to have all the subcomponents. You can use a subset, for example:
990
991CN=Steve Meier, OU=Java, O=Oracle, C=US
992If a distinguished name string value contains a comma, then the comma must be escaped by a backslash (\) character when you specify the string on a command line, as in:
993
994cn=Peter Schuster, ou=Java\, Product Development, o=Oracle, c=US
995It is never necessary to specify a distinguished name string on a command line. When the distinguished name is needed for a command, but not supplied on the command line, the user is prompted for each of the subcomponents. In this case, a comma does not need to be escaped by a backslash (\).
996
997Warnings
998Importing Trusted Certificates Warning
999Important: Be sure to check a certificate very carefully before importing it as a trusted certificate.
1000
1001Windows Example:
1002
1003View the certificate first with the -printcert command or the -importcert command without the -noprompt option. Ensure that the displayed certificate fingerprints match the expected ones. For example, suppose sends or emails you a certificate that you put it in a file named \tmp\cert. Before you consider adding the certificate to your list of trusted certificates, you can execute a -printcert command to view its fingerprints, as follows:
1004
1005 keytool -printcert -file \tmp\cert
1006 Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
1007 Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
1008 Serial Number: 59092b34
1009 Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PST 1997
1010 Certificate Fingerprints:
1011 MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F
1012 SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:13:0E:5E:FE
1013 SHA256: 90:7B:70:0A:EA:DC:16:79:92:99:41:FF:8A:FE:EB:90:
1014 17:75:E0:90:B2:24:4D:3A:2A:16:A6:E4:11:0F:67:A4
1015Oracle Solaris Example:
1016
1017View the certificate first with the -printcert command or the -importcert command without the -noprompt option. Ensure that the displayed certificate fingerprints match the expected ones. For example, suppose someone sends or emails you a certificate that you put it in a file named /tmp/cert. Before you consider adding the certificate to your list of trusted certificates, you can execute a -printcert command to view its fingerprints, as follows:
1018
1019 keytool -printcert -file /tmp/cert
1020 Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
1021 Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
1022 Serial Number: 59092b34
1023 Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PST 1997
1024 Certificate Fingerprints:
1025 MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F
1026 SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:13:0E:5E:FE
1027 SHA256: 90:7B:70:0A:EA:DC:16:79:92:99:41:FF:8A:FE:EB:90:
1028 17:75:E0:90:B2:24:4D:3A:2A:16:A6:E4:11:0F:67:A4
1029Then call or otherwise contact the person who sent the certificate and compare the fingerprints that you see with the ones that they show. Only when the fingerprints are equal is it guaranteed that the certificate was not replaced in transit with somebody else's certificate such as an attacker's certificate. If such an attack took place, and you did not check the certificate before you imported it, then you would be trusting anything the attacker signed, for example, a JAR file with malicious class files inside.
1030
1031Note: It is not required that you execute a -printcert command before importing a certificate. This is because before you add a certificate to the list of trusted certificates in the keystore, the -importcert command prints out the certificate information and prompts you to verify it. You can then stop the import operation. However, you can do this only when you call the -importcert command without the -noprompt option. If the -noprompt option is specified, then there is no interaction with the user.
1032
1033Passwords Warning
1034Most commands that operate on a keystore require the store password. Some commands require a private/secret key password. Passwords can be specified on the command line in the -storepass and -keypass options. However, a password should not be specified on a command line or in a script unless it is for testing, or you are on a secure system. When you do not specify a required password option on a command line, you are prompted for it.
1035
1036Certificate Conformance Warning
1037The Internet standard RFC 5280 has defined a profile on conforming X.509 certificates, which includes what values and value combinations are valid for certificate fields and extensions. See the standard at
1038http://tools.ietf.org/rfc/rfc5280.txt
1039
1040The keytool command does not enforce all of these rules so it can generate certificates that do not conform to the standard. Certificates that do not conform to the standard might be rejected by JRE or other applications. Users should ensure that they provide the correct options for -dname, -ext, and so on.
1041
1042Notes
1043Import a New Trusted Certificate
1044Before you add the certificate to the keystore, the keytool command verifies it by attempting to construct a chain of trust from that certificate to a self-signed certificate (belonging to a root CA), using trusted certificates that are already available in the keystore.
1045
1046If the -trustcacerts option was specified, then additional certificates are considered for the chain of trust, namely the certificates in a file named cacerts.
1047
1048If the keytool command fails to establish a trust path from the certificate to be imported up to a self-signed certificate (either from the keystore or the cacerts file), then the certificate information is printed, and the user is prompted to verify it by comparing the displayed certificate fingerprints with the fingerprints obtained from some other (trusted) source of information, which might be the certificate owner. Be very careful to ensure the certificate is valid before importing it as a trusted certificate. See Importing Trusted Certificates Warning. The user then has the option of stopping the import operation. If the -noprompt option is specified, then there is no interaction with the user.
1049
1050Import a Certificate Reply
1051When you import a certificate reply, the certificate reply is validated with trusted certificates from the keystore, and optionally, the certificates configured in the cacerts keystore file when the -trustcacerts option is specified. See The cacerts Certificates File.
1052
1053The methods of determining whether the certificate reply is trusted are as follows:
1054
1055If the reply is a single X.509 certificate, then the keytool command attempts to establish a trust chain, starting at the certificate reply and ending at a self-signed certificate (belonging to a root CA). The certificate reply and the hierarchy of certificates is used to authenticate the certificate reply from the new certificate chain of aliases. If a trust chain cannot be established, then the certificate reply is not imported. In this case, the keytool command does not print the certificate and prompt the user to verify it, because it is very difficult for a user to determine the authenticity of the certificate reply.
1056
1057If the reply is a PKCS #7 formatted certificate chain or a sequence of X.509 certificates, then the chain is ordered with the user certificate first followed by zero or more CA certificates. If the chain ends with a self-signed root CA certificate and the -trustcacerts option was specified, the keytool command attempts to match it with any of the trusted certificates in the keystore or the cacerts keystore file. If the chain does not end with a self-signed root CA certificate and the -trustcacerts option was specified, the keytool command tries to find one from the trusted certificates in the keystore or the cacerts keystore file and add it to the end of the chain. If the certificate is not found and the -noprompt option is not specified, the information of the last certificate in the chain is printed, and the user is prompted to verify it.
1058
1059If the public key in the certificate reply matches the user's public key already stored with alias, then the old certificate chain is replaced with the new certificate chain in the reply. The old chain can only be replaced with a valid keypass, and so the password used to protect the private key of the entry is supplied. If no password is provided, and the private key password is different from the keystore password, the user is prompted for it.
1060
1061This command was named -import in earlier releases. This old name is still supported in this release. The new name, -importcert, is preferred going forward.
1062
1063See Also
1064jar(1)
1065
1066jarsigner(1)
1067
1068Trail: Security Features in Java SE at
1069http://docs.oracle.com/javase/tutorial/security/index.html