What is java keytool?
The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates, as well as generate a keystore. In many respects, it’s a competing utility with openssl for keystore, key, and certificate management.
What keytool command do I use to generate a keystore and key pair?
Use this command to generate an asymmetric key pair and generate a keystore using the java keytool. The result will be a keystore in PKCS12 format containing a key pair and X.509 certificate wrapping the public key. The generated certificate will have a validity period of 1 year.
keytool -genkeypair -alias example -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "cn=example.com,ou=exampleou,dc=example,dc=com" -keypass changeit -startdate "2019/12/19 00:00:00" -validity 365 -storetype PKCS12 -storepass changeit -keystore example.p12
Note that this command has replaced the older -genkey
command.
Java keytool options
Options breakdown:-alias
– The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries. -keyalg
– The algorithm used to generate the key pair. Supported algorithms include RSA, DSA, and EC.-keysize
– The key size in bits. The National Institute of Standards and Technology (NIST) recommends a key size of at least 3072 bits if the key will be used beyond 2030, but many users have adopted 4096.-sigalg
– This value is generally derived from the algorithm of the private key, but may be specified for clarity. Supported signature algorithms include SHA1withDSA, SHA256withRSA, and SHA256withECDSA.-dname
– This is the distinguished name, also know as the subject of the certificate.-keypass
– The password used to encrypt and decrypt the private key. This should be the same as the -storepass
. It can be different, but it is likely that you will run into trouble with applications reading the keystore and key if the password is different. This value does not have to be specified, and if not, you will be prompted to enter the password. This is recommended so that the password will not be in your history.-startdate
– The not_before value of the generated certificate. It can be specified in two parts, the date and the time. If both parts are specified, it must be surrounded by quotes.-validity
– The validity period in days. This value will compute the not_after value from the not_before value.-storetype
– Recommended keystore types include PKCS12 and JKS.-storepass
– The password used to encrypt and decrypt the keystore. This should be the same as the -keypass
on keys stored in the keystore. This value does not have to be specified, and if not, you will be prompted to enter the password. This is recommended so that the password will not be in your history.-keystore
– The filename of the keystore to be generated.

Add a key pair to an existing keystore with java keytool
To add a keypair to an existing keystore, run the same command used to generate a keystore, but with a different alias. For example:
keytool -genkeypair -alias example2 -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "cn=example.com,ou=exampleou,dc=example,dc=com" -keypass changeit -startdate "2019/12/19 00:00:00" -validity 365 -storetype PKCS12 -storepass changeit -keystore example.p12
The only difference in this command was a different value for the alias, although it is likely the -dname
will be different as well.
Here are the official keytool docs to dive further into how to use java keytool. https://docs.oracle.com/javase/10/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549
Leave a Reply