How to generate a keystore with java keytool

December 20, 2019 by Mister PKI 1 Comment

What is java keytool?

The Java keytool is a command-line utility that creates keystores and manages the keys and certificates they contain, in several keystore formats. In many respects it competes with openssl for keystore, key, and certificate management.

What keytool command do I use to generate a keystore and key pair?

Use the following command to generate an asymmetric key pair, and a keystore to hold it, with the java keytool. The result is a keystore in PKCS12 format containing the key pair and a self-signed X.509 certificate wrapping the public key. The generated certificate has a validity period of 1 year.

keytool -genkeypair -alias example -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "cn=example.com,ou=exampleou,dc=example,dc=com" -keypass changeit -startdate "2019/12/19 00:00:00" -validity 365 -storetype PKCS12 -storepass changeit -keystore example.p12

Note that -genkeypair replaces the older -genkey command.

Java keytool options

Options breakdown:
-alias – The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.
-keyalg – The algorithm used to generate the key pair. Supported algorithms include RSA, DSA, and EC.
-keysize – The key size in bits. The National Institute of Standards and Technology (NIST) recommends a key size of at least 3072 bits if the key will be used beyond 2030, but many users have adopted 4096.
-sigalg – This value is generally derived from the algorithm of the private key, but may be specified for clarity. Supported signature algorithms include SHA1withDSA, SHA256withRSA, and SHA256withECDSA.
-dname – The distinguished name, also known as the subject of the certificate.
-keypass – The password used to encrypt and decrypt the private key. This should be the same as -storepass; it can differ, but applications reading the keystore and key are likely to run into trouble when the two passwords differ. The value does not have to be given on the command line; if it is omitted, keytool prompts for it, which is recommended so that the password does not end up in your shell history.
-startdate – The not_before value of the generated certificate. It can be given as a date alone or as a date and a time; when both parts are given, the value must be surrounded by quotes.
-validity – The validity period in days. keytool computes the not_after value by adding it to the not_before value.
-storetype – Recommended keystore types include PKCS12 and JKS.
-storepass – The password used to encrypt and decrypt the keystore. This should be the same as the -keypass of the keys stored in the keystore. The value does not have to be given on the command line; if it is omitted, keytool prompts for it, which is recommended so that the password does not end up in your shell history.
-keystore – The filename of the keystore to be generated.

[Screenshot: keytool -genkeypair example]

Add a key pair to an existing keystore with java keytool

To add a keypair to an existing keystore, run the same command used to generate a keystore, but with a different alias. For example:

keytool -genkeypair -alias example2 -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "cn=example.com,ou=exampleou,dc=example,dc=com" -keypass changeit -startdate "2019/12/19 00:00:00" -validity 365 -storetype PKCS12 -storepass changeit -keystore example.p12

The only difference from the first command is the alias value, although in practice the -dname will usually differ as well.
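As an added example (not from the original post), here is a small shell wrapper around the command above that takes the store and key password from an environment variable through keytool's -storepass:env and -keypass:env options, so the secret stays out of the command line and the shell history, and then counts the key entries so you can confirm that a second alias was added rather than the keystore replaced. It assumes a JDK keytool on PATH; the variable name KEYSTORE_PASS and the sample aliases are constructed for the example.

```shell
#!/bin/sh
# Added example: keytool -genkeypair with the password read from the
# environment (KEYSTORE_PASS is a constructed name) instead of argv.
# Assumes a JDK keytool on PATH.
set -eu

# Refuse to run with an unset or empty password, and export it for keytool.
require_pass() {
  : "${KEYSTORE_PASS:?KEYSTORE_PASS must be set in the environment}"
  export KEYSTORE_PASS
}

# Generate an RSA key pair plus self-signed certificate under $alias.
# Creates the PKCS12 keystore if it does not exist yet. If the alias is
# already present keytool refuses and returns non-zero, so calling this
# again with a new alias is how a key pair is added to an existing keystore.
gen_keypair() {
  keystore=$1; alias=$2; dname=$3; validity=${4:-365}; keysize=${5:-4096}
  require_pass
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize "$keysize" \
    -sigalg SHA256withRSA -dname "$dname" -validity "$validity" \
    -storetype PKCS12 -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
    -keystore "$keystore"
}

# Number of private-key entries in the keystore (0 if none or unreadable).
count_key_entries() {
  require_pass
  keytool -list -storetype PKCS12 -storepass:env KEYSTORE_PASS \
    -keystore "$1" 2>/dev/null | { grep -c 'PrivateKeyEntry' || true; }
}

# Alias names present in the keystore, one per line.
list_aliases() {
  require_pass
  keytool -list -storetype PKCS12 -storepass:env KEYSTORE_PASS \
    -keystore "$1" 2>/dev/null |
    awk -F',' '/PrivateKeyEntry|trustedCertEntry/ { print $1 }'
}
```

Run it as `KEYSTORE_PASS=... gen_keypair example.p12 example "cn=example.com,ou=exampleou,dc=example,dc=com"`; the -startdate option is left at keytool's default (now) and can be added if you need a specific not_before.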

Here are the official keytool docs to dive further into how to use java keytool. https://docs.oracle.com/javase/10/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549


Comments

  1. MOHAMMED GAFFAR says

    December 8, 2020 at 2:09 am

    Hi,
    I want to generate an AES 256 secret key with Bouncy Castle using keytool, without a password. How do I use the command? Please guide me. Thanks.
