
Mister PKI

All things PKI, HTTPS, SSL, TLS, Digital Certificates


keytool remove cert – command to remove a cert from keystore

January 3, 2020 by Mister PKI Leave a Comment

What is Java keytool?

The Java keytool is a command-line utility, shipped with the JDK, for managing keystores in several formats that hold private keys and certificates. You can use keytool to remove a certificate or key entry from a keystore. In many respects it is a competing utility to openssl for keystore, key, and certificate management.

When you should remove a cert or key entry from a keystore

You should consider removing a cert or key entry from your keystore for any of the following reasons:

  1. Expired end-entity client or server certificates – After rotating a certificate, remove the old entry so it cannot be selected by mistake.
  2. Expired trust anchor – If the keystore is used as a trust store, remove expired root CA certificates.
  3. Unwanted trust anchors – Routinely review your trust store. When a dependent system changes Certification Authority you will have added the new root; once nothing still chains to the old root, remove it. Every root left in the store is one that can vouch for a peer, so you do not want the old one hanging around.
  4. Key rotation – Remove old private keys that are no longer in use. Deleting a key entry is irreversible, so back up the keystore first.

What keytool command do I use to remove a cert from a keystore?

This command demonstrates how to use keytool to remove a cert from a keystore. The result will be a keystore no longer containing the certificate.

keytool -delete \
 -alias example2 \
 -keystore example.p12 \
 -storepass changeit \
 -storetype PKCS12 \
 -v

Java keytool options:

-alias – The alias of the cert entry to be removed.

-keystore – The keystore file.

-storepass – The keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here: a password passed on the command line also ends up in your shell history and is visible to other users in the process listing while keytool runs.

-storetype – PKCS12 is the standard format and has been keytool's default since JDK 9; JKS is the older, Java-proprietary format and should only be used where legacy tooling requires it. In this case, the keystore was of type PKCS12.

-v – Verbose.

Note that if the alias is not specified, you will be prompted for it. If no entry with that alias exists, keytool exits with an error and the keystore is left unchanged. After deleting, confirm the result by running keytool -list against the same keystore and checking that the alias is gone.
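The same operation is available from Java code through the java.security.KeyStore API, which is what keytool itself uses. The following is an added example, not code from the original post or from the JDK: a hypothetical KeystorePrune class that removes a named alias exactly as the keytool -delete command above does, and additionally removes every entry whose X.509 certificate has already expired, which covers reasons 1 and 2 from the list earlier. The class name, the file example.p12 and the alias example2 are assumptions for illustration. The password is read from the console rather than the command line, and the keystore is rewritten through a temporary file so an interrupted write cannot leave a truncated keystore behind.

```java
import java.io.Console;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/*
 * Hypothetical example (not from the original post): the programmatic
 * equivalent of `keytool -delete -alias example2 -keystore example.p12`,
 * extended to also drop every entry whose certificate has expired.
 *
 *   java KeystorePrune.java example.p12 example2   (JDK 11+ single-file launch)
 *
 * The keystore password is read from the console, so it does not land in
 * shell history or a process listing the way -storepass on the command line does.
 */
public class KeystorePrune {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystorePrune <keystore.p12> <alias-to-remove>");
            System.exit(2);
        }
        Path target = Paths.get(args[0]);
        String alias = args[1];

        Console console = System.console();
        if (console == null) {
            System.err.println("no interactive console; refusing to take the password any other way");
            System.exit(2);
        }
        char[] password = console.readPassword("Enter keystore password: ");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(target)) {
                ks.load(in, password);
            }

            List<String> removed = prune(ks, alias, new Date());
            if (removed.isEmpty()) {
                System.out.println("nothing to remove; keystore left unchanged");
                return;
            }

            // Write to a sibling temp file and rename over the original, so a
            // crash mid-write cannot leave a truncated keystore behind.
            Path tmp = target.resolveSibling(target.getFileName() + ".tmp");
            try (OutputStream out = Files.newOutputStream(tmp)) {
                ks.store(out, password);
            }
            Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);

            for (String a : removed) {
                System.out.println("removed entry: " + a);
            }
        } finally {
            Arrays.fill(password, '\0');   // do not keep the password in memory longer than needed
        }
    }

    /**
     * Deletes the entry named `alias` (if present) and every other entry whose
     * X.509 certificate expired before `now`. Returns the aliases removed.
     * Handles both trusted-certificate entries and private-key entries:
     * getCertificate() returns the leaf of a key entry's chain.
     */
    static List<String> prune(KeyStore ks, String alias, Date now) throws KeyStoreException {
        List<String> removed = new ArrayList<>();
        // Snapshot the aliases first; deleting entries while walking the live
        // enumeration is not safe with every provider.
        for (String a : Collections.list(ks.aliases())) {
            boolean drop = a.equalsIgnoreCase(alias);   // PKCS12 aliases are case-insensitive
            Certificate cert = ks.getCertificate(a);
            if (!drop && cert instanceof X509Certificate) {
                drop = ((X509Certificate) cert).getNotAfter().before(now);
            }
            if (drop) {
                ks.deleteEntry(a);
                removed.add(a);
            }
        }
        return removed;
    }
}
```

Run it against a copy of the keystore first and compare keytool -list output before and after; the expiry check removes entries unconditionally, so a trust anchor you still need for validating old signatures (for example on archived signed artifacts) should be exported before pruning.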


Here are the official keytool docs to dive further into how to use java keytool to remove a cert. https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__MANAGETHEKEYSTORE-507D231A
