
keytool Command in Linux
The keytool command is a key and certificate management utility that is part of the Java Development Kit (JDK). It allows users to manage their own public/private key pairs and associated certificates for use in self-authentication (using digital signatures) or data integrity and authentication services, provided by a variety of security protocols.
Table of Contents
Here is a comprehensive guide to the options available with the keytool command −
- Understanding keytool Command
- keytool Command Options
- How to Use keytool Command in Linux?
- Managing Keystores of keytool Command
- Converting Keystore Formats of keytool Command
- Advanced Usage of keytool Command
Understanding keytool Command
The command can be executed with various options to perform different operations, such as generating key pairs, importing/exporting certificates, and more.
Basic Syntax
The basic syntax for the keytool command is as follows −
keytool [COMMAND] [OPTIONS]
keytool Command Options
-genkeypair
This command is used to generate a key pair (a public key and a private key). The generated key pair is stored in a keystore. For example −
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 365 -keystore mykeystore.jks

In this example −
- -alias mykey specifies the alias name for the key pair.
- -keyalg RSA specifies the algorithm to be used (RSA in this case).
- -keysize 2048 specifies the size of the key.
- -validity 365 specifies the validity period of the key in days.
- -keystore mykeystore.jks specifies the name of the keystore file where the key pair will be stored.
-exportcert
This command is used to export a certificate from a keystore. For example −
keytool -exportcert -alias mykey -file mycert.cer -keystore mykeystore.jks

In this example −
- -alias mykey specifies the alias name of the key pair whose certificate is to be exported.
- -file mycert.cer specifies the name of the file where the exported certificate will be saved.
- -keystore mykeystore.jks specifies the name of the keystore file.
-importcert
This command is used to import a certificate into a keystore. For example −
keytool -importcert -alias mycert -file mycert.cer -keystore mykeystore.jks

In this example −
- -alias mycert specifies the alias name for the imported certificate.
- -file mycert.cer specifies the name of the file containing the certificate to be imported.
- -keystore mykeystore.jks specifies the name of the keystore file where the certificate will be stored.
-list
This command is used to list the entries in a keystore. For example −
keytool -list -keystore mykeystore.jks

In this example −
- -keystore mykeystore.jks specifies the name of the keystore file.
How to Use keytool Command in Linux?
Let's explore some detailed examples to demonstrate the use of the keytool command in different scenarios.
Generating a Key Pair
To generate a key pair, use the -genkeypair command as follows −
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 365 -keystore mykeystore.jks

You will be prompted to enter a keystore password and provide information such as your name, organization, and location. The key pair will be generated and stored in the specified keystore file.
Exporting a Certificate
To export a certificate from a keystore, use the -exportcert command −
keytool -exportcert -alias mykey -file mycert.cer -keystore mykeystore.jks

You will be prompted to enter the keystore password. The certificate associated with the specified alias will be exported and saved to the specified file.
Importing a Certificate
To import a certificate into a keystore, use the -importcert command −
keytool -importcert -alias mycert -file mycert.cer -keystore mykeystore.jks

You will be prompted to enter the keystore password and confirm the addition of the certificate. The certificate will be imported and stored in the specified keystore file.
Listing Keystore Entries
To list the entries in a keystore, use the -list command −
keytool -list -keystore mykeystore.jks

You will be prompted to enter the keystore password. The command will display the list of entries in the specified keystore file.
Managing Keystores of keytool Command
The keytool command allows you to manage keystores by performing various operations such as creating, deleting, and viewing entries.
Creating a New Keystore
To create a new keystore, simply generate a key pair and specify a new keystore file −
keytool -genkeypair -alias newkey -keyalg RSA -keysize 2048 -validity 365 -keystore newkeystore.jks

A new keystore file will be created and the key pair will be stored in it.
Deleting an Entry
To delete an entry from a keystore, use the -delete command −
keytool -delete -alias mykey -keystore mykeystore.jks

You will be prompted to enter the keystore password. The specified entry will be deleted from the keystore.
Viewing Entry Details
To view the details of a specific entry in a keystore, use the -list command with the -v option −
keytool -list -alias mykey -keystore mykeystore.jks -v

You will be prompted to enter the keystore password. The command will display detailed information about the specified entry.
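The output of keytool -list -v is the natural input for an expiry check across a keystore. The following script is an added example, not part of the original article: it parses a constructed, abbreviated -list -v listing embedded inline (the aliases, DNs and dates are made up), extracts each entry's alias, entry type and "until" date, and flags entries expiring within a given number of days. It assumes GNU date for the -d parsing.

```shell
#!/bin/sh
# Constructed, abbreviated sample of "keytool -list -v" output (not real keystore data).
SAMPLE='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Example, OU=IT, O=Company, L=City, ST=State, C=Country
Issuer: CN=Example, OU=IT, O=Company, L=City, ST=State, C=Country
Valid from: Wed Jan 10 00:00:00 UTC 2024 until: Thu Jan 09 00:00:00 UTC 2025

Alias name: rootca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Company, C=Country
Issuer: CN=Example Root CA, O=Company, C=Country
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Dec 31 00:00:00 UTC 2034'

# Reads "keytool -list -v" output on stdin; prints one "alias|type|until" line per
# entry, taking the first certificate after each alias (the leaf of a key chain).
cert_expiry_report() {
  awk '
    /^Alias name: / { alias = substr($0, 13); type = ""; seen = 0 }
    /^Entry type: / { type = substr($0, 13) }
    /^Valid from: / && !seen {
      seen = 1
      sub(/.* until: /, "")        # keep only the "until" timestamp
      print alias "|" type "|" $0
    }'
}

# expiring_within DAYS [REFERENCE_EPOCH]: lists entries whose "until" date falls
# within DAYS of the reference time (default: now). Assumes GNU date for -d parsing.
expiring_within() {
  limit=$(( ${2:-$(date -u +%s)} + $1 * 86400 ))
  cert_expiry_report | while IFS='|' read -r alias type until; do
    # Drop the weekday so "Jan 09 00:00:00 UTC 2025" is what date parses.
    exp=$(date -u -d "${until#* }" +%s 2>/dev/null) || continue
    if [ "$exp" -le "$limit" ]; then
      printf '%s (%s) expires %s\n' "$alias" "$type" "$until"
    fi
  done
}

printf '%s\n' "$SAMPLE" | expiring_within 90
```

In practice, replace the embedded sample with a pipe from keytool -list -v -keystore mykeystore.jks so the check runs against a real keystore.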
Converting Keystore Formats of keytool Command
The keytool command supports various keystore formats, including JKS (Java KeyStore) and PKCS12. You can convert keystores between these formats using the -importkeystore command.
Converting JKS to PKCS12
To convert a JKS keystore to a PKCS12 keystore, use the following command −
keytool -importkeystore -srckeystore mykeystore.jks -destkeystore mykeystore.p12 -deststoretype PKCS12

You will be prompted to enter the source keystore password and the destination keystore password. The JKS keystore will be converted to a PKCS12 keystore.
Converting PKCS12 to JKS
To convert a PKCS12 keystore to a JKS keystore, use the following command −
keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore mykeystore.jks -deststoretype JKS

You will be prompted to enter the source keystore password and the destination keystore password. The PKCS12 keystore will be converted to a JKS keystore.
Advanced Usage of keytool Command
For advanced users, the keytool command can be used in conjunction with other tools and scripts to automate key and certificate management tasks.
Automating Key Generation
You can create a script to automate the process of generating keys and certificates.
Example Script:
#!/bin/bash

# Generate a key pair non-interactively: the keystore/key passwords and the
# subject DN are passed as options instead of being prompted for.
# "changeit" is a placeholder; passwords given on the command line are visible
# in the process list and shell history.
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 365 \
    -keystore mykeystore.jks -storepass changeit -keypass changeit \
    -dname "CN=Example, OU=IT, O=Company, L=City, S=State, C=Country"

# Export the certificate for the alias just created
keytool -exportcert -alias mykey -file mycert.cer -keystore mykeystore.jks -storepass changeit
Save this script as generate_keys.sh and make it executable −
chmod +x generate_keys.sh
You can then run the script to automate the key generation −
./generate_keys.sh
Conclusion
The keytool command in Linux is a key and certificate management utility that's part of the Java Development Kit (JDK). It allows you to create, manage, and store cryptographic keys and certificates within keystores. These keystores serve as repositories for security credentials, enabling tasks like generating key pairs, creating Certificate Signing Requests (CSRs), importing certificates, and managing trust.