What is Java keytool?
The Java keytool is a command-line utility for managing keystores in different formats that contain keys and certificates. You can use keytool to create an SSL certificate by signing a Certificate Signing Request (CSR) and producing the certificate as the response. In many respects, keytool competes with openssl for keystore, key, and certificate management.
Use case for creating an SSL certificate from a CSR.
When operating a local Certification Authority (CA), Java keytool can be used to accept CSRs and to create and sign a certificate as the response. It is also useful when building the certificate chain within the same keystore. Again, while this is not how commercial CAs operate, it can be useful, convenient, and effective when running a local CA.
What keytool command do I use to create an SSL certificate?
When using the java keytool, there are two prerequisites:
- Generate a key pair
- Generate a Certificate Signing Request (CSR) and save it to a file.
After successfully creating the SSL certificate, you will then need to import it into your keystore.
Use this command to create an SSL certificate using the java keytool. The result is a signed SSL certificate written to the -outfile, which you can then import into your keystore.
keytool -gencert \
-rfc \
-infile example.csr \
-outfile example.crt \
-alias example \
-sigalg SHA256withRSA \
-dname CN=example \
-startdate "2019/01/19 00:00:00" \
-validity 365 \
-keypass changeit \
-keystore example.p12 \
-storepass changeit \
-storetype PKCS12 \
-v
Java keytool options:
-rfc – Output the certificate file in PEM format.
-infile – The Certificate Signing Request (CSR) to be signed.
-outfile – The signed certificate.
-alias – The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.
-sigalg – This value is generally derived from the algorithm of the private key, but may be specified for clarity. Supported signature algorithms include SHA1withDSA, SHA256withRSA, and SHA256withECDSA.
-dname – The distinguished name, also known as the subject of the certificate.
-startdate – The not_before value of the generated certificate. It can be specified in two parts, the date and the time. If both parts are specified, the value must be surrounded by quotes.
-validity – The validity period in days. keytool computes the not_after value by adding this number of days to the not_before value.
-keypass – The password of the private key entry identified by the alias. If not entered, you will either be prompted for it or it will default to the -storepass value if set.
-keystore – The filename of the keystore.
-storepass – The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
-v – Verbose output.
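The following script is an added example (not part of the original article) that runs the whole local-CA workflow the article describes end to end: generate a CA key pair, generate a server key pair, produce a CSR, sign it with -gencert, and import the resulting chain back into the server keystore. Note that on -gencert the -alias names the entry whose private key does the signing (the CA), and that the CA, not the CSR, decides the final extensions (SAN, key usage, extended key usage). The file names (ca.p12, server.p12), the aliases "ca" and "server", the host name server.example.test and the password are all constructed for the demo; the password is handed to keytool with -storepass:env so it never sits in the command line, which is the practical form of the article's advice under -storepass.

```shell
#!/bin/sh
# Added example, not from the original article: a complete local-CA workflow
# with keytool -gencert. All names and the password below are constructed.
set -eu

# Constructed demo password; keytool reads it from the environment through
# -storepass:env so it never appears on the command line or in shell history.
export KS_PASS="${KS_PASS:-changeit}"

# Build: CA key pair -> server key pair -> CSR -> signed cert -> chain import.
# $1 is the working directory.
make_local_ca_chain() {
  dir="$1"
  # 1. Self-signed CA entry. bc:c marks BasicConstraints (ca:true) critical;
  #    the key usage restricts this key to signing certificates and CRLs.
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 \
    -dname "CN=Local Demo CA" -validity 3650 \
    -ext bc:c -ext ku:c=keyCertSign,cRLSign \
    -keystore "$dir/ca.p12" -storetype PKCS12 -storepass:env KS_PASS

  # 2. Server key pair. The key password defaults to the store password,
  #    which is what keytool requires for PKCS12 keystores.
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
    -dname "CN=server.example.test" -validity 365 \
    -keystore "$dir/server.p12" -storetype PKCS12 -storepass:env KS_PASS

  # 3. CSR from the server entry (prerequisite for -gencert).
  keytool -certreq -alias server -file "$dir/server.csr" \
    -keystore "$dir/server.p12" -storetype PKCS12 -storepass:env KS_PASS

  # 4. Sign the CSR with the CA key. -alias selects the SIGNING entry here.
  #    The CA stamps in the final extensions (SAN, key usage, serverAuth EKU)
  #    regardless of what the CSR asked for.
  keytool -gencert -rfc -alias ca \
    -infile "$dir/server.csr" -outfile "$dir/server.crt" \
    -sigalg SHA256withRSA -validity 365 \
    -ext san=dns:server.example.test \
    -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth \
    -keystore "$dir/ca.p12" -storetype PKCS12 -storepass:env KS_PASS

  # 5. Export the CA certificate and import the full chain (leaf first, then
  #    issuer) under the server alias so the keystore holds a complete chain.
  #    -noprompt accepts the self-signed CA at the top of the reply.
  keytool -exportcert -rfc -alias ca -file "$dir/ca.crt" \
    -keystore "$dir/ca.p12" -storetype PKCS12 -storepass:env KS_PASS
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/chain.pem"
  keytool -importcert -noprompt -alias server -file "$dir/chain.pem" \
    -keystore "$dir/server.p12" -storetype PKCS12 -storepass:env KS_PASS
}

# Print the chain length keytool reports for an entry ($1 keystore, $2 alias).
# A correctly imported reply yields 2 here: the leaf plus the CA.
chain_length() {
  keytool -list -v -alias "$2" -keystore "$1" -storetype PKCS12 \
    -storepass:env KS_PASS | sed -n 's/^Certificate chain length: *//p'
}

# Succeed when the certificate file $1 carries the SAN text $2.
has_san() {
  keytool -printcert -file "$1" | grep -q "$2"
}

# Stand-alone run: only when a JDK is on the PATH.
if command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_local_ca_chain "$work"
  echo "chain length: $(chain_length "$work/server.p12" server)"
  has_san "$work/server.crt" "DNSName: server.example.test" && echo "SAN present"
fi
```

After the run, `keytool -list -v -keystore server.p12 -storetype PKCS12` shows the server entry with a chain length of 2 and the SAN, key usage and EKU extensions that the CA applied at signing time; the CSR alone would not have produced them.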