Java Keystore Commands Reference
Essential keytool commands for Java keystore and certificate management
🔨 Creating and Managing Keystores
Generate a new keystore with a key pair
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 365
Creates a new keystore with an RSA 2048-bit key pair, valid for 365 days.
Generate keystore with specified DN
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 \
-dname "CN=example.com,OU=IT,O=Example Inc,L=San Francisco,ST=CA,C=US" \
-keystore keystore.jks -validity 365
Generate keystore with SAN (Subject Alternative Names)
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 \
-dname "CN=example.com" \
-ext "SAN=dns:example.com,dns:www.example.com,ip:192.168.1.1" \
-keystore keystore.jks -validity 365
Change keystore password
keytool -storepasswd -keystore keystore.jks
Change key password
keytool -keypasswd -alias mykey -keystore keystore.jks
📝 Certificate Signing Request (CSR) Operations
Generate CSR from keystore
keytool -certreq -alias mykey -keystore keystore.jks -file request.csr
Generate CSR with SAN
keytool -certreq -alias mykey -keystore keystore.jks -file request.csr \
-ext "SAN=dns:example.com,dns:www.example.com"
View CSR contents
keytool -printcertreq -file request.csr
📥 Importing Certificates
Import signed certificate
keytool -importcert -alias mykey -file certificate.crt -keystore keystore.jks
Import the signed certificate from a CA into the keystore (must use the same alias as the key pair).
Import certificate chain
keytool -importcert -alias root -file root-ca.crt -keystore keystore.jks
keytool -importcert -alias intermediate -file intermediate-ca.crt -keystore keystore.jks
keytool -importcert -alias mykey -file certificate.crt -keystore keystore.jks
Import root and intermediate CA certificates first, then the server certificate.
Import trusted CA certificate
keytool -importcert -alias cacert -file ca.crt -keystore truststore.jks -trustcacerts
Import without prompting
keytool -importcert -alias mykey -file certificate.crt -keystore keystore.jks -noprompt
📋 Listing and Viewing Entries
List all entries in keystore
keytool -list -keystore keystore.jks
List with full certificate details
keytool -list -v -keystore keystore.jks
List specific entry
keytool -list -alias mykey -keystore keystore.jks
List with RFC format output
keytool -list -rfc -keystore keystore.jks
Displays certificates in PEM format.
View certificate file
keytool -printcert -file certificate.crt
View certificate from SSL connection
keytool -printcert -sslserver example.com:443
📤 Exporting Certificates and Keys
Export certificate
keytool -exportcert -alias mykey -file certificate.crt -keystore keystore.jks
Export certificate in PEM format
keytool -exportcert -alias mykey -file certificate.pem -rfc -keystore keystore.jks
Export certificate chain
keytool -exportcert -alias mykey -file chain.pem -rfc -keystore keystore.jks
Exports the entire certificate chain if available.
🔄 Format Conversion
Convert JKS to PKCS12
keytool -importkeystore \
-srckeystore keystore.jks -srcstoretype JKS \
-destkeystore keystore.p12 -deststoretype PKCS12
PKCS12 is the recommended format for Java 9+ and is more interoperable.
Convert PKCS12 to JKS
keytool -importkeystore \
-srckeystore keystore.p12 -srcstoretype PKCS12 \
-destkeystore keystore.jks -deststoretype JKS
Import PFX/PKCS12 file
keytool -importkeystore \
-srckeystore certificate.pfx -srcstoretype PKCS12 \
-destkeystore keystore.jks -deststoretype JKS
Copy specific entry between keystores
keytool -importkeystore \
-srckeystore source.jks -srcalias oldkey \
-destkeystore dest.jks -destalias newkey
🗑️ Deleting and Renaming Entries
Delete entry from keystore
keytool -delete -alias mykey -keystore keystore.jks
Rename alias
keytool -changealias -alias oldname -destalias newname -keystore keystore.jks
🔒 Security and Validation
Check keystore integrity
keytool -list -keystore keystore.jks -storepass password
If the password is correct and the keystore is valid, it will list the entries successfully.
Verify certificate chain
keytool -list -v -alias mykey -keystore keystore.jks
Check that the certificate chain is complete and valid.
Use stronger encryption (PKCS12)
keytool -genkeypair -alias mykey -keyalg RSA -keysize 4096 -keystore keystore.p12 -storetype PKCS12
PKCS12 is recommended over JKS for better security and interoperability.
💡 Common Use Cases
Create self-signed certificate for development
keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 \
-dname "CN=localhost,OU=Development,O=MyCompany,C=US" \
-ext "SAN=dns:localhost,ip:127.0.0.1" \
-keystore localhost.p12 -storetype PKCS12 -validity 365
View system cacerts (Java trusted certificates)
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
The default password for Java's cacerts is changeit.
Import certificate to system cacerts
sudo keytool -importcert -alias myca -file ca.crt \
-keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
Complete workflow: Generate key pair → CSR → Import signed cert
# 1. Generate key pair
keytool -genkeypair -alias myserver -keyalg RSA -keysize 2048 \
-keystore server.jks -validity 365
# 2. Generate CSR
keytool -certreq -alias myserver -keystore server.jks -file server.csr
# 3. Submit CSR to CA and receive signed certificate (server.crt)
# 4. Import CA root certificate
keytool -importcert -alias root -file root-ca.crt -keystore server.jks -trustcacerts
# 5. Import intermediate certificate (if any)
keytool -importcert -alias intermediate -file intermediate-ca.crt -keystore server.jks
# 6. Import signed certificate
keytool -importcert -alias myserver -file server.crt -keystore server.jks
Verify certificate matches private key
# Export certificate
keytool -exportcert -alias mykey -file cert.der -keystore keystore.jks
# List to verify
keytool -list -v -alias mykey -keystore keystore.jks | grep -A 1 "Certificate fingerprints"
keytool -printcert -file cert.der | grep -A 1 "Certificate fingerprints"
The fingerprints should match if the certificate corresponds to the private key.
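The fingerprint comparison above checks the exported file against the stored entry; the program below is an added example (not part of this reference) that checks the key entry itself with the java.security API: it signs with the private key and verifies with the leaf certificate's public key, checks the validity window, and verifies every signature link in the stored chain. It covers both the "Verify certificate chain" and "Verify certificate matches private key" sections, and takes a separate key password for the "Cannot recover key" case. The keystore path and alias are arguments (the keystore.jks / mykey names from the commands above are assumptions); passwords are read from the terminal rather than the command line.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

// Added example: checks one private key entry of a JKS or PKCS12 keystore.
// Usage (from an interactive terminal): java KeystoreCheck keystore.jks mykey [keypass]
// Passing the literal word "keypass" as the third argument prompts for a separate key password.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0], alias = args[1];
        // Prompting keeps the passwords out of shell history and the process list.
        char[] storePass = System.console().readPassword("Keystore password: ");
        char[] keyPass = args.length > 2 ? System.console().readPassword("Key password: ") : storePass;

        // Java 9+ probes the file and selects JKS or PKCS12 automatically.
        KeyStore ks = KeyStore.getInstance(new File(path), storePass);
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a private key entry");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);   // UnrecoverableKeyException if keypass is wrong
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];

        // 1. Key/certificate match: sign with the private key, verify with the certificate's public key.
        String alg = key.getAlgorithm();                              // RSA, EC or DSA
        String sigAlg = alg.equals("EC") ? "SHA256withECDSA" : "SHA256with" + alg;
        byte[] probe = "keystore-check".getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance(sigAlg);
        sig.initSign(key);
        sig.update(probe);
        byte[] signature = sig.sign();
        sig.initVerify(leaf.getPublicKey());
        sig.update(probe);
        System.out.println("private key matches certificate: " + sig.verify(signature));

        // 2. Validity window: throws CertificateExpiredException or CertificateNotYetValidException.
        leaf.checkValidity(new Date());
        System.out.println("leaf certificate valid until: " + leaf.getNotAfter());

        // 3. Chain links: each certificate must carry a valid signature from the next one up.
        for (int i = 0; i + 1 < chain.length; i++) {
            ((X509Certificate) chain[i]).verify(chain[i + 1].getPublicKey());   // SignatureException if broken
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        boolean endsAtRoot = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        System.out.println("chain length " + chain.length + ", ends at self-signed root: " + endsAtRoot);
    }
}
```

A chain length of 1 with endsAtRoot false means the signed certificate was imported without the CA certificates, which is the situation the "Failed to establish chain" entry below describes.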
🔧 Troubleshooting
"Failed to establish chain" error
Import the root and intermediate CA certificates before importing the server certificate.
keytool -importcert -alias root -file root-ca.crt -keystore keystore.jks -trustcacerts
keytool -importcert -alias intermediate -file intermediate.crt -keystore keystore.jks
keytool -importcert -alias mykey -file certificate.crt -keystore keystore.jks
Alias already exists error
Either delete the existing alias first or use a different alias name.
keytool -delete -alias mykey -keystore keystore.jks
Cannot recover key error
The key password differs from the keystore password. Specify the key password separately.
keytool -list -alias mykey -keystore keystore.jks -keypass keypassword -storepass storepassword