
Mister PKI


keytool remove cert – command to remove a cert from keystore

January 3, 2020 by Mister PKI

What is Java keytool?

The Java keytool is a command-line utility for managing keystores, in several formats, that contain keys and certificates. You can use keytool to remove a cert or key entry from a keystore. In many respects, it competes with openssl as a utility for keystore, key, and certificate management.

When you should remove a cert or key entry from a keystore

You should consider removing a cert or key entry from your keystore for any of the following reasons:

  1. Expired end entity client or server certificates – After rotating certificates, make sure to remove the old one.
  2. Expired trust anchor – If the keystore is being used as a trust store, you should remove expired root CA certificates.
  3. Routinely examine your trust store to make sure no unwanted trust anchors are present. Many times dependent systems may change Certification Authorities in which case you would have updated your trust store to trust the new root. You do not want the old root hanging around.
  4. Key rotation – make sure to remove any old keys not being used.

What keytool command do I use to remove a cert from a keystore?

This command demonstrates how to use keytool to remove a cert from a keystore. The result will be a keystore no longer containing the certificate.

keytool -delete \
 -alias example2 \
 -keystore example.p12 \
 -storepass changeit \
 -storetype PKCS12 \
 -v

Java keytool options:

-alias – The alias of the cert entry to be removed.

-keystore – The keystore file.

-storepass – The keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.

-v – Verbose.

Note that if the alias is not specified, you will be prompted for it.
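
A more cautious way to run the delete above, as an added example that is not from the original post: the wrapper checks that the alias exists, copies the keystore aside, deletes the entry, and confirms it is gone. The function name remove_alias and the environment variable KS_PASS are assumptions; the password is handed over with keytool's -storepass:env modifier so it is not written on the command line.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: remove_alias example.p12 example2 [PKCS12|JKS]
# Assumption: the store password is already exported as KS_PASS
# (hypothetical variable name), e.g. from a prompt or a secret store.

remove_alias() {
    ks=$1
    entry=$2
    stype=${3:-PKCS12}

    [ -f "$ks" ] || { echo "no such keystore: $ks" >&2; return 2; }

    # Typo guard: keytool -list -alias exits non-zero for an unknown alias.
    if ! keytool -list -alias "$entry" -keystore "$ks" \
            -storetype "$stype" -storepass:env KS_PASS >/dev/null 2>&1; then
        echo "alias not found: $entry" >&2
        return 3
    fi

    # Keep a copy so the entry can be restored if something still needed it.
    backup="$ks.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$ks" "$backup" || return 4

    keytool -delete -alias "$entry" -keystore "$ks" \
        -storetype "$stype" -storepass:env KS_PASS || return 5

    # Post-check: the alias must no longer be listed.
    if keytool -list -alias "$entry" -keystore "$ks" \
            -storetype "$stype" -storepass:env KS_PASS >/dev/null 2>&1; then
        echo "alias still present after delete: $entry" >&2
        return 6
    fi
    echo "removed $entry from $ks (backup: $backup)"
}
```

The backup file still contains the removed entry, so delete it once the change is confirmed, particularly when the entry was a private key.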


For more detail on using Java keytool to remove a cert, see the official keytool docs: https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__MANAGETHEKEYSTORE-507D231A
