I was working on a project last month where I had to call a third-party web service. The third-party web service wanted me to add an SSL keystore and I struggled. I could have gone to my UNIX admin and asked him to do this job but decided to learn all about keystores. I went through a couple of forums and SO and ended up spending 2 – 3 hours reading about keystores and commonly used commands.

To give you a quick rundown, here is what I was doing. I had to use a third-party wsdl to create a client. I tried to use the Maven jaxws plugin to generate the client. I downloaded the wsdl to my local machine and was able to successfully create a client. For production I wanted to generate the client using the current wsdl, so I decided to generate the client from the wsdl URL of the third-party website but ran into a keystore issue. I had to download their certificate and add it to my cacerts.

The whole charade led me to compile this post. Before I begin, here is a quick run-through of keystores.

Why do I need a keystore?

A keystore is the file in which the JVM keeps two kinds of material: the private keys (each with its certificate chain) that identify your own application or server, and the certificates of the authorities you trust. Both sides of a TLS handshake depend on it: the server presents a certificate backed by a private key from its keystore, and the client checks that certificate against the CA certificates in its truststore (for a Java client, cacerts by default). If the remote certificate does not chain to anything the client trusts, the handshake fails before any data is exchanged, which is why a Java client calling an https web service may need the server's CA certificate imported first. Keeping private keys in a password-protected keystore is also what lets you prove that something came from you: for a signed application, for instance, every update must be signed with the same key, so an attacker who does not hold that key cannot push a malicious update.

What is a Java Keytool?

It is the key and certificate management utility that ships with the JDK. It lets you generate and manage your own public/private key pairs and certificates, and store the certificates of peers and CAs you trust. Keytool keeps keys and certificates in a keystore file and protects each private key with a password. A key entry in a keystore holds the private key together with whatever certificates are needed to complete the chain of trust from your primary certificate up to a trusted root.

Each entry in a Java keystore is identified by a unique alias. When you create a keystore for your own certificate you first generate the key pair; at that point the .jks file holds the private key and a self-signed placeholder certificate. You then generate a CSR, have a CA issue a certificate from it, and import the result: the CA's root (and any intermediate) certificates first, then your signed certificate under the key pair's alias, so that keytool can verify the chain as it installs the reply.

Here is a list of the 12 most common commands.


1. Create a Java keystore and key pair

keytool -genkeypair -alias yourDomainName -keyalg RSA -keysize 2048 -keystore YourkeystoreName.jks

(-genkey is the older spelling of -genkeypair and still works. State the key size explicitly: JDK 7 and earlier default to 1024-bit RSA, which no public CA will sign today.)

2. Creating a certificate signing request (CSR) for an existing keystore

keytool -certreq -alias yourDomainName -keystore keystore.jks -file yourDomainName.csr

3. Importing a signed primary certificate into an existing keystore

keytool -import -trustcacerts -alias yourDomainName -file yourDomainName.crt -keystore YourkeystoreName.jks

The alias must be the one used in step 1, so that keytool treats the file as the reply to your CSR and attaches it to the private key; -trustcacerts lets it verify the chain against the JDK's cacerts as well as the keystore itself.

4. Importing a root or intermediate CA certificate into an existing keystore

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore YourkeystoreName.jks

Give each CA certificate its own alias (root, intermediate, and so on); they are stored as trusted certificate entries, separate from your key pair. If the issuing CA is not already in cacerts, import these before step 3, otherwise keytool cannot establish the chain for the reply.

5. Creating a keystore and self-signed certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore Yourkeystore.jks -storepass password -validity 360

Passing -storepass on the command line puts the password in your shell history and in the process list; on a shared machine leave it out and let keytool prompt for it.
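Commands 1 to 4 are the steps of one procedure, and the order in which keytool needs them differs from the numbering: the CA certificate has to be in the keystore before the signed certificate can be installed. The following script, an added example that is not from the original post, runs the whole sequence offline against a throwaway CA that keytool itself creates and uses with -gencert; the domain name, aliases, paths and password are made up for the demo, and keytool from any JDK 7 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): the full lifecycle from command 1
# to command 4, run against a throwaway local CA so it works offline.
# Assumptions: keytool (JDK 7+) on PATH; all names and the password are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"          # demo password only
SERVER_ALIAS="www.example.test"   # made-up domain

# Create a local CA and use it to issue a certificate for the server key pair.
build_chain() {
  cd "$WORK"

  # Stand-in for a real CA: a key pair whose certificate carries a critical
  # BasicConstraints extension with ca:true (that is what -ext bc:c means).
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=Demo Root CA, O=Example" -ext bc:c -validity 3650 \
    -keystore ca.jks -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -rfc -alias demo-ca -keystore ca.jks -storepass "$PASS" -file demo-ca.pem

  # Command 1: the server's key pair. At this point server.jks holds the
  # private key plus a self-signed placeholder certificate.
  keytool -genkeypair -alias "$SERVER_ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$SERVER_ALIAS, O=Example" -validity 365 \
    -keystore server.jks -storepass "$PASS" -keypass "$PASS"

  # Command 2: the CSR. Only the public key and the subject name leave the box.
  keytool -certreq -alias "$SERVER_ALIAS" -keystore server.jks -storepass "$PASS" -file server.csr

  # The CA signs the request. With a commercial CA this happens on their side;
  # here keytool's own -gencert plays the CA and sets the TLS server extensions.
  keytool -gencert -alias demo-ca -keystore ca.jks -storepass "$PASS" -rfc \
    -infile server.csr -outfile server.pem -validity 365 \
    -ext "san=dns:$SERVER_ALIAS" -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth

  # Command 4 before command 3: the issuing CA must already be trusted (in this
  # keystore, or in cacerts when -trustcacerts is given), otherwise keytool
  # rejects the reply with "Failed to establish chain from reply".
  keytool -importcert -noprompt -alias demo-ca -file demo-ca.pem \
    -keystore server.jks -storepass "$PASS"

  # Command 3: the signed certificate replaces the self-signed placeholder
  # under the same alias; keytool checks that it matches the stored private key.
  keytool -importcert -noprompt -alias "$SERVER_ALIAS" -file server.pem \
    -keystore server.jks -storepass "$PASS"
}

# Succeeds only if the server entry is a private key whose chain is two
# certificates long (leaf + CA), i.e. the chain of trust is complete.
verify_chain() {
  keytool -list -v -alias "$SERVER_ALIAS" -keystore "$WORK/server.jks" -storepass "$PASS" |
    grep -q 'Certificate chain length: 2'
}

# Issuer of the installed server certificate (first "Issuer:" line is the leaf's).
server_issuer() {
  keytool -list -v -alias "$SERVER_ALIAS" -keystore "$WORK/server.jks" -storepass "$PASS" |
    sed -n 's/^Issuer: //p' | head -n 1
}
```

Run build_chain and then verify_chain; keytool -list -v on server.jks shows the entry as PrivateKeyEntry with a chain of two certificates, and the demo-ca alias as a trustedCertEntry. With a real CA you skip the -gencert step and import the certificates the CA sends you in place of demo-ca.pem, root and intermediates first.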


When you need to check the information in a certificate or a keystore, use these commands.

6. Checking a particular certificate

keytool -printcert -v -file Yourdomain.crt

7. Checking all certificates in a keystore

keytool -list -v -keystore Yourkeystore.jks

8. Checking a particular keystore entry using an alias

keytool -list -v -keystore Yourkeystore.jks -alias Yourdomain


9. Deleting a certificate from a keystore

keytool -delete -alias Yourdomain -keystore Yourkeystore.jks

10. Changing a keystore password

keytool -storepasswd -new new_password -keystore keystore.jks

This changes only the password of the keystore file; private key entries keep their own password, which you change with -keypasswd -alias yourAlias. As with -storepass, leaving out -new makes keytool prompt instead of recording the new password in your shell history.

11. Exporting a certificate from a keystore

keytool -export -alias Yourdomain -file Yourdomain.crt -keystore Yourkeystore.jks

This writes the certificate only, never the private key. Add -rfc to get PEM output, which most non-Java tools expect, instead of the default binary DER.

12. Listing trusted CA certs

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

The default password of cacerts is changeit. That path is correct for Java 8 and earlier; from Java 9 on the file lives at $JAVA_HOME/lib/security/cacerts.
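For the situation in the introduction, a Java client that has to trust a third party's certificate, here is an added example (not from the original post) of a safer way to do the import: copy cacerts into a private truststore instead of editing the JDK's own file, check the certificate's SHA-256 fingerprint against the value the vendor gave you before importing it, and point only that JVM at the copy. keytool and java are assumed to be on PATH (JDK 8 or later) and readlink -f to exist; the vendor certificate is simulated with a self-signed one, so the vendor name, alias and paths are made up.

```shell
#!/bin/sh
# Added example (not from the original post): a private truststore for a
# third-party certificate, built from a copy of cacerts, with a fingerprint
# check before import. Assumptions: keytool and java (JDK 8+) on PATH,
# readlink -f available; the vendor certificate is simulated with a self-signed one.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TRUST="$WORK/truststore.jks"
TRUST_PASS="${TRUST_PASS:-changeit}"   # cacerts ships with this default; change it on a real system

# Locate the JDK's cacerts. Java 9 moved it from jre/lib/security to lib/security.
find_cacerts() {
  jh="${JAVA_HOME:-}"
  if [ -z "$jh" ]; then
    jbin=$(command -v java) || return 1
    jh=$(dirname "$(dirname "$(readlink -f "$jbin")")")
  fi
  for c in "$jh/lib/security/cacerts" "$jh/jre/lib/security/cacerts"; do
    if [ -f "$c" ]; then echo "$c"; return 0; fi
  done
  return 1
}

# Start from a copy of cacerts rather than editing the JDK's own file: a JDK
# upgrade silently replaces cacerts, and every JVM on the box would otherwise
# inherit a trust decision made for one application.
init_truststore() {
  cp "$(find_cacerts)" "$TRUST"
  chmod 600 "$TRUST"
}

# Stand-in for the certificate the third party hands you (made-up name).
make_sample_cert() {
  keytool -genkeypair -alias vendor -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=api.vendor.example, O=Vendor" -validity 90 \
    -keystore "$WORK/vendor.jks" -storepass "$TRUST_PASS" -keypass "$TRUST_PASS"
  keytool -exportcert -rfc -alias vendor -keystore "$WORK/vendor.jks" \
    -storepass "$TRUST_PASS" -file "$WORK/vendor.pem"
}

# SHA-256 fingerprint of a certificate file, in keytool's colon-separated form.
cert_fingerprint() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Import only when the fingerprint equals the value obtained out of band (from
# the vendor, over a channel you already trust). -noprompt on its own would
# trust whatever file arrived, including one swapped in transit.
trust_cert() {
  file=$1; name=$2; expected=$3
  actual=$(cert_fingerprint "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to import $file: fingerprint $actual does not match $expected" >&2
    return 1
  fi
  keytool -importcert -noprompt -alias "$name" -file "$file" \
    -keystore "$TRUST" -storepass "$TRUST_PASS"
}

# True when the alias exists in the truststore as a trusted certificate entry.
is_trusted() {
  keytool -list -alias "$1" -keystore "$TRUST" -storepass "$TRUST_PASS" 2>/dev/null |
    grep -q trustedCertEntry
}
```

Then run the client with -Djavax.net.ssl.trustStore=/path/to/truststore.jks and -Djavax.net.ssl.trustStorePassword=... so that only this JVM trusts the extra certificate. For a real vendor certificate, get the expected fingerprint over a channel other than the download itself (their documentation, a phone call), and prefer importing the vendor's CA certificate rather than the leaf, so the trust survives their next renewal.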

P.S. – If you liked the post please click on one of the ads in the right-hand column to help me keep up this site, and do drop me a line to suggest some topics that you would like to see on this site.

So Long ……