What is Java keytool?
The Java keytool is a command-line utility for managing keystores, in several formats, that hold keys and certificates. You can use Java keytool to remove a cert or key entry from a keystore. In many respects it competes with openssl for keystore, key, and certificate management.
When you should remove a cert or key entry from a keystore
You should consider removing a cert or key entry from your keystore for any of the following reasons:
- Expired end-entity client or server certificates – After rotating certificates, make sure to remove the old one.
- Expired trust anchor – If the keystore is being used as a trust store, you should remove expired root CA certificates.
- Unwanted trust anchors – Routinely examine your trust store to make sure no unwanted trust anchors are present. Dependent systems often change Certification Authorities; when that happens you update your trust store to trust the new root, and you do not want the old root hanging around.
- Key rotation – After rotating a key, remove the old key entry once it is no longer in use.
What keytool command do I use to remove a cert from a keystore?
This command demonstrates how to use keytool to remove a cert from a keystore. The result will be a keystore no longer containing the certificate.
keytool -delete \
  -alias example2 \
  -keystore example.p12 \
  -storepass changeit \
  -storetype PKCS12 \
  -v
Java keytool options:
-alias – The alias of the cert entry to be removed.
-keystore – The keystore file.
-storepass – The keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
-v – Verbose.
Note that if the alias is not specified, you will be prompted for it.
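The routine trust-store review above and the -delete command can be combined into a small housekeeping script. The following is an added example, not code from the article: it parses the English-language output of keytool -list -v (captured separately by the operator), flags entries whose first certificate has expired, and issues one keytool -delete per alias, deliberately without -storepass so keytool prompts for the password. The sample listing is constructed, and the dates are treated as UTC, which assumes keytool was run with a UTC/GMT default time zone.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `keytool -list -v` output (English locale, UTC zone):
# one expired key entry (example1) and one still-valid trust anchor (example2).
SAMPLE_LISTING = """\
Alias name: example1
Entry type: PrivateKeyEntry
Certificate[1]:
Valid from: Tue Jan 02 10:00:00 UTC 2024 until: Thu Jan 02 10:00:00 UTC 2025

Alias name: example2
Entry type: trustedCertEntry
Valid from: Thu Jan 02 10:00:00 UTC 2025 until: Sat Jan 02 10:00:00 UTC 2027
"""

def parse_until(text):
    """Parse keytool's 'until' date ('Thu Jan 02 10:00:00 UTC 2025'). The zone
    token is dropped and the value treated as UTC (assumption, see above)."""
    parts = text.split()
    if len(parts) != 6:
        raise ValueError("unexpected keytool date: %r" % text)
    zoneless = " ".join(parts[:4] + parts[5:])
    return datetime.strptime(zoneless, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def expired_aliases(listing, now):
    """Aliases whose first cert (end-entity cert of a key entry, or the trusted
    cert itself) has passed its 'until' date at `now` (an aware datetime)."""
    expired = []
    for block in listing.split("Alias name: ")[1:]:
        alias = block.splitlines()[0].strip()
        match = re.search(r"^Valid from: .+ until: (.+)$", block, re.M)  # Certificate[1]
        if match and parse_until(match.group(1)) < now:
            expired.append(alias)
    return expired

def keytool_delete_cmd(keystore, alias, storetype="PKCS12"):
    """The article's `keytool -delete` as an argv list; -storepass is left out
    on purpose so keytool prompts for the password."""
    return ["keytool", "-delete", "-alias", alias, "-keystore", keystore,
            "-storetype", storetype, "-v"]

def prune_expired(keystore, listing, storetype="PKCS12", now=None):
    """Delete every expired entry in `listing` (text of `keytool -list -v`)."""
    removed = []
    for alias in expired_aliases(listing, now or datetime.now(timezone.utc)):
        subprocess.run(keytool_delete_cmd(keystore, alias, storetype), check=True)
        removed.append(alias)
    return removed
```

Run `keytool -list -v` on the real keystore, save its output, and pass that text to prune_expired; each deletion still asks for the keystore password interactively.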
The official keytool docs cover the -delete command and the rest of Java keytool in more detail: https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__MANAGETHEKEYSTORE-507D231A