If you often find yourself having to deal with a Java keystore using the keytool
command, this post is for you. I’ll briefly go over a number of commands and options that have helped me over the years to export, search and convert keys from one format to another ultimately to import into a destination keystore.
Here we go.
The Java keytool, typically found in the $JAVA_HOME/bin directory, is a command-line utility for managing keys and certificates in Java keystores. It can generate, import, and export cryptographic keys and certificates. For many common key-related operations you also need openssl at your disposal. OpenSSL is a toolkit that implements the SSL and TLS protocols, works as a general-purpose cryptography library, and can convert keys and keystores from one format to another.
Let’s go over a few sample commands that you might find useful with the above tools.
Let’s start with generating our very own keystore:
keytool -genkeypair -alias myentry -keyalg RSA -keysize 2048 -validity 999 \
-keystore /etc/config/thekeystore -ext san=dns:$REPLACE_WITH_FULL_MACHINE_NAME
This will generate a thekeystore file containing a new RSA private key and a self-signed certificate for your server name (-genkeypair is the current name of the older -genkey command; both work, and -validity is a number of days). Because the certificate is self-signed, clients will not trust it until it is either signed by a CA (see keytool -certreq) or explicitly added to their trust stores. Make sure you replace $REPLACE_WITH_FULL_MACHINE_NAME with a real value, such as myserver.example.org, matching the host where the certificate will be used. The name has to be in the SAN extension: modern TLS clients match the hostname against the SAN and ignore the CN.
The above command starts by asking for a keystore password and the distinguished name, and usually looks like this (changeit is the well-known Java default password, fine for a local test but not for a real deployment):
Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
[Unknown]: $REPLACE_WITH_FULL_MACHINE_NAME (e.g. mymachine.domain.edu)
What is the name of your organizational unit?
[Unknown]: Test
What is the name of your organization?
[Unknown]: Test
What is the name of your City or Locality?
[Unknown]: Test
What is the name of your State or Province?
[Unknown]: Test
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=$REPLACE_WITH_FULL_MACHINE_NAME, OU=Test, O=Test, L=Test, ST=Test, C=US correct?
[no]: yes
Next, you can use the keytool command to list the entries in your keystore (add -v to see the full certificate details, including the SAN):
# This will ask you for a password...
keytool -list -keystore /etc/config/thekeystore
…and you can of course delete entries by their alias:
# This will ask you for a password...
keytool -delete -alias myentry -keystore /etc/config/thekeystore
You can also export the certificate (the public part of the entry) attached to your key in the keystore. By default keytool writes the certificate in binary DER form; add -rfc if you want a Base64 PEM file instead (-export is the older name of -exportcert and still works):
keytool -exportcert -rfc -file /etc/config/mycertificate.crt \
-keystore /etc/config/thekeystore -alias myentry
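The create, list and export steps above as one non-interactive script. This is an added example and not part of the original post; it assumes keytool is on PATH, uses a temporary directory instead of /etc/config, and reuses the placeholder hostname myserver.example.org and alias myentry from above. The -dname option replaces the interactive questions, and the :env password modifier keeps the password off the command line.

```shell
#!/bin/sh
# Added example (not from the original post): scripted keystore creation,
# listing and certificate export with keytool. Assumes keytool is on PATH.
# The directory, alias and hostname are placeholders for this example.
set -eu

KS_DIR="${KS_DIR:-$(mktemp -d)}"
KS_FILE="$KS_DIR/thekeystore"
KS_ALIAS="myentry"
KS_HOST="myserver.example.org"

# keytool reads a password given as "-storepass:env NAME" from the
# environment, so the secret never shows up in `ps` output or shell history.
# "changeit" is the well-known Java default; override KS_PASS for real use.
KS_PASS="${KS_PASS:-changeit}"
export KS_PASS

# Generate an RSA key pair plus a self-signed certificate. -dname answers
# the interactive questions; the SAN extension carries the hostname that
# modern TLS clients actually check (they ignore the CN).
ks_create() {
    keytool -genkeypair -alias "$KS_ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -storetype PKCS12 \
        -keystore "$KS_FILE" -storepass:env KS_PASS \
        -dname "CN=$KS_HOST, OU=Test, O=Test, L=Test, ST=Test, C=US" \
        -ext "san=dns:$KS_HOST"
}

# Succeeds only if the alias exists; keytool exits non-zero otherwise.
ks_has_alias() {
    keytool -list -keystore "$KS_FILE" -storepass:env KS_PASS \
        -alias "$1" >/dev/null 2>&1
}

# Export the certificate as PEM (-rfc); without -rfc keytool writes DER.
# Prints the path of the written file.
ks_export_pem() {
    out="$KS_DIR/mycertificate.pem"
    keytool -exportcert -alias "$KS_ALIAS" -keystore "$KS_FILE" \
        -storepass:env KS_PASS -rfc -file "$out" >/dev/null 2>&1
    printf '%s\n' "$out"
}

# Check that an exported certificate names the given host in its SAN.
# Needs openssl; returns non-zero if the name is missing.
pem_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    ks_create
    ks_has_alias "$KS_ALIAS" && echo "alias $KS_ALIAS present in $KS_FILE"
    pem="$(ks_export_pem)"
    pem_has_san "$pem" "$KS_HOST" && echo "SAN ok in $pem"
fi
```

The script chooses PKCS12 explicitly with -storetype; older keytool versions default to the proprietary JKS format, which other tools cannot read, while JDK 9 and later default to PKCS12 anyway.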
Now let’s say you have a private/public keypair in PEM format and you want to get those into a Java keystore. PEM is the text format used to store and transmit cryptographic keys, certificates, and related data: the DER-encoded object is Base64 encoded and wrapped in -----BEGIN ...----- and -----END ...----- lines, which makes it easy to inspect in a text editor.
To get our PEM files into a Java keystore, we first need openssl to convert them into a format keytool can read, such as PKCS12. openssl will prompt for an export password that protects the resulting file; if the certificate was issued by a CA, also pass the intermediate chain with -certfile chain.pem so it ends up in the keystore entry together with the server certificate:
openssl pkcs12 -export -in /etc/config/cert.pem \
-inkey /etc/config/key.pem -out /etc/config/keystore.p12 -name myentry
When you have the keystore.p12 file, you can import it into your own Java keystore. The -srcstorepass must be the export password you gave openssl, and the entry is selected with -srcalias (and can be renamed with -destalias):
keytool -importkeystore -deststorepass changeit -destkeypass changeit \
-destkeystore /etc/config/thekeystore -srckeystore /etc/config/keystore.p12 \
-srcstoretype PKCS12 -srcstorepass changeit -srcalias myentry -destalias myentry
Passing passwords on the command line like this leaves them in your shell history and visible to other users in the process list. keytool accepts -srcstorepass:env NAME and -srcstorepass:file PATH (and the same modifiers on -deststorepass and -destkeypass) to read them from an environment variable or a file instead.
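The PEM to PKCS12 to keystore pipeline, with the checks that usually save a debugging session: that the private key actually belongs to the certificate before bundling, and that the imported entry is a PrivateKeyEntry rather than just a trusted certificate. This is an added example, not code from the original post. It assumes openssl and keytool are on PATH, generates its own self-signed key and certificate into a temporary directory to stand in for /etc/config/key.pem and cert.pem, and keeps the alias myentry from above.

```shell
#!/bin/sh
# Added example (not from the original post): take a PEM key and certificate
# into a Java keystore via PKCS12, with sanity checks along the way.
# Assumes openssl and keytool are on PATH; files are generated into a
# temporary directory to stand in for /etc/config/*.pem.
set -eu

DIR="${DIR:-$(mktemp -d)}"
ALIAS="myentry"
HOST="myserver.example.org"

# Both tools read passwords from the environment (openssl: env:NAME,
# keytool: -option:env NAME), keeping them out of `ps` and shell history.
P12_PASS="${P12_PASS:-export-secret}"
KS_PASS="${KS_PASS:-changeit}"
export P12_PASS KS_PASS

# Constructed test material: a self-signed certificate with its key, plus an
# unrelated key so the mismatch check can be shown firing. In real use you
# already have key.pem and cert.pem (and usually a CA chain file).
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$HOST" -keyout "$DIR/key.pem" -out "$DIR/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$DIR/other-key.pem" 2>/dev/null
}

# Does the private key belong to the certificate? Compare the SHA-256 of the
# DER public key derived from each side. A mismatch here is the usual cause
# of a server later failing with "key does not match certificate".
pem_key_matches_cert() {
    key_fp="$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)"
    cert_fp="$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)"
    [ "$key_fp" = "$cert_fp" ]
}

# Bundle key + cert into PKCS12: pem_to_p12 KEY CERT OUT [CHAIN]. An optional
# chain file is passed to -certfile so the intermediates land in the entry.
pem_to_p12() {
    key=$1; cert=$2; out=$3; chain=${4:-}
    pem_key_matches_cert "$key" "$cert" || { echo "key/cert mismatch" >&2; return 1; }
    set -- -export -inkey "$key" -in "$cert" -name "$ALIAS" \
        -out "$out" -passout env:P12_PASS
    if [ -n "$chain" ]; then set -- "$@" -certfile "$chain"; fi
    openssl pkcs12 "$@"
}

# Import the PKCS12 entry into the destination keystore under the same alias.
p12_to_keystore() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
        -srcalias "$ALIAS" \
        -destkeystore "$2" -deststoretype PKCS12 -deststorepass:env KS_PASS \
        -destalias "$ALIAS" -destkeypass:env KS_PASS >/dev/null 2>&1
}

# The entry must be a PrivateKeyEntry; a trustedCertEntry means only the
# certificate, not the key, made it across.
ks_has_private_key() {
    keytool -list -keystore "$1" -storepass:env KS_PASS -alias "$2" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

# Usage: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    make_test_material
    pem_to_p12 "$DIR/key.pem" "$DIR/cert.pem" "$DIR/keystore.p12"
    p12_to_keystore "$DIR/keystore.p12" "$DIR/thekeystore"
    ks_has_private_key "$DIR/thekeystore" "$ALIAS" && echo "imported into $DIR/thekeystore"
fi
```

One compatibility caveat: OpenSSL 3 protects PKCS12 files with AES and PBKDF2 by default, which JDKs older than 8u301 or 11.0.12 cannot read; on such a JDK add -legacy to the openssl pkcs12 -export command to fall back to the older algorithms.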
That’s it. If you master the above commands, you’ll keep out of trouble most of the time!
If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.
Happy Coding,
Monday-Friday
9am-6pm, Central European Time
7am-1pm, U.S. Eastern Time