How to generate a keystore with java keytool

December 20, 2019 by Mister PKI Leave a Comment

What is java keytool?

The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates, as well as generate a keystore. In many respects, it’s a competing utility with openssl for keystore, key, and certificate management.

What keytool command do I use to generate a keystore and key pair?

Use this command to generate an asymmetric key pair and generate a keystore using the java keytool. The result will be a keystore in PKCS12 format containing a key pair and X.509 certificate wrapping the public key. The generated certificate will have a validity period of 1 year.

keytool -genkeypair -alias example -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "cn=example.com,ou=exampleou,dc=example,dc=com" -keypass changeit -startdate "2019/12/19 00:00:00" -validity 365 -storetype PKCS12 -storepass changeit -keystore example.p12

Note that this command has replaced the older -genkey command.

Java keytool options

Options breakdown:
-alias – The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.
-keyalg – The algorithm used to generate the key pair. Supported algorithms include RSA, DSA, and EC.
-keysize – The key size in bits. The National Institute of Standards and Technology (NIST) recommends a key size of at least 3072 bits if the key will be used beyond 2030, but many users have adopted 4096.
-sigalg – This value is generally derived from the algorithm of the private key, but may be specified for clarity. Supported signature algorithms include SHA1withDSA, SHA256withRSA, and SHA256withECDSA.
-dname – This is the distinguished name, also known as the subject of the certificate.
-keypass – The password used to encrypt and decrypt the private key. This should be the same as the -storepass. It can be different, but you are likely to run into trouble with applications reading the keystore and key if the passwords differ; for PKCS12 keystores in particular, keytool does not support a key password that differs from the store password and ignores the -keypass value with a warning. This value does not have to be specified, and if it is omitted you will be prompted to enter the password. Prompting is recommended so that the password does not end up in your shell history.
-startdate – The not_before value of the generated certificate. It can be specified in two parts, the date and the time. If both parts are specified, it must be surrounded by quotes.
-validity – The validity period in days. This value will compute the not_after value from the not_before value.
-storetype – Recommended keystore types include PKCS12 and JKS.
-storepass – The password used to encrypt and decrypt the keystore. This should be the same as the -keypass on keys stored in the keystore. This value does not have to be specified, and if it is omitted you will be prompted to enter the password. Prompting is recommended so that the password does not end up in your shell history.
-keystore – The filename of the keystore to be generated.

[Screenshot: java keytool generate keystore (keytool -genkeypair example)]

Add a key pair to an existing keystore with java keytool

To add a key pair to an existing keystore, run the same command used to generate the keystore, but with a different alias. For example:

keytool -genkeypair -alias example2 -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "cn=example.com,ou=exampleou,dc=example,dc=com" -keypass changeit -startdate "2019/12/19 00:00:00" -validity 365 -storetype PKCS12 -storepass changeit -keystore example.p12

The only difference in this command is the value of -alias, although in practice the -dname will usually be different as well.
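As an added example that is not part of the original post, the following POSIX shell script runs the procedure above end to end: it creates the PKCS12 keystore, adds a second key pair under the alias example2, and verifies the result with keytool -list. It assumes keytool (from a JDK) is on PATH; the KS and KS_PASS variables, the second subject DN and the helper function names are constructed for this example, and the passwords are handed to keytool through its -storepass:env / -keypass:env forms instead of on the command line, which keeps them out of shell history and process listings.

```shell
#!/bin/sh
# Added example (not from the original post): build a PKCS12 keystore with
# keytool, add a second entry under a different alias, and verify the result.
# Assumes keytool is on PATH. "changeit" is the post's sample password;
# KS, KS_PASS and the second DN are constructed for this example.
set -eu

KS="${KS:-example.p12}"
export KS_PASS="${KS_PASS:-changeit}"   # read by keytool via -storepass:env

# gen_entry ALIAS DNAME: generate a 4096-bit RSA key pair and a self-signed
# certificate (valid 365 days from now) under ALIAS, creating the keystore
# file on first use and appending to it on later calls.
gen_entry() {
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 4096 \
    -sigalg SHA256withRSA -dname "$2" \
    -validity 365 -storetype PKCS12 \
    -storepass:env KS_PASS -keypass:env KS_PASS \
    -keystore "$KS"
}

# count_entries: number of PrivateKeyEntry rows reported by keytool -list.
count_entries() {
  keytool -list -storetype PKCS12 -storepass:env KS_PASS -keystore "$KS" \
    | grep -c 'PrivateKeyEntry'
}

# entry_sigalg ALIAS: signature algorithm of the certificate stored under ALIAS,
# taken from the verbose listing ("Signature algorithm name: ...").
entry_sigalg() {
  keytool -list -v -alias "$1" -storepass:env KS_PASS -keystore "$KS" \
    | sed -n 's/^Signature algorithm name: *//p' | head -n 1
}

# build_keystore: start from a clean file, then add the two entries the post
# describes (the same command twice, differing only in alias and DN).
build_keystore() {
  rm -f "$KS"
  gen_entry example  "cn=example.com,ou=exampleou,dc=example,dc=com"
  gen_entry example2 "cn=example2.example.com,ou=exampleou,dc=example,dc=com"
}

main() {
  build_keystore
  echo "entries: $(count_entries)"
  echo "sigalg:  $(entry_sigalg example)"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh keystore.sh run`; the two keytool -list calls at the end confirm both entries are present and that the certificates were signed with SHA256withRSA.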

Here are the official keytool docs to dive further into how to use java keytool. https://docs.oracle.com/javase/10/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549
