Keytool Command Summary

A Keytool Command Summary

The keytool commands are commonly used for creating and using JKS and PKCS12 keystores with Oracle WebLogic Server.

In Table A-1, an option surrounded by brackets ([]) indicates that if you omit the option from the command, you are subsequently prompted to enter that option's value. For example, if you follow Oracle's strong recommendation to omit command options for specifying passwords, you are prompted for those passwords after you enter the command, as in the following example. (User input is shown in bold.)

C:\DOMAIN_NAME>keytool -genkeypair -keystore MyKeyStore
Enter keystore password:
Re-enter new password:

Unlike passwords that are specified in command-line options, a password entered in response to a prompt is not echoed in the command window and is not captured in logs. This practice helps keep your passwords secure.

For detailed documentation for the Java keytool utility, see the keytool utility section in JDK Tool Specifications.

Table A-1 Commonly Used keytool Commands

Command	Description
keytool -genkeypair -keystore keystorename -storepass keystorepassword -storetype keystoretype	Generates a key pair (a public key and associated private key) and self-signed digital certificate in a keystore. If the keystore does not exist, it is created.
keytool -importcert -alias aliasforprivatekey -file privatekeyfilename.pem -keyfilepass privatekeypassword -keystore keystorename -storepass keystorepassword -storetype keystoretype	Updates the self-signed digital certificate with one signed by a trusted CA.
keytool -importcert -alias rootCA -trustcacerts -file RootCA.pem -keystore trust.jks -storepass `keystorepassword` -storetype keystoretype keytool -importcert -alias intermediate -trustcacerts -file Intermediate.pem -keystore `keystorename` -storepass `keystorepassword` -storetype keystoretype	Creates a custom keystore to be used for holding an intermediate CA certificate. The first keytool command creates the keystore, `trust.jks`, which holds the root CA certificate. The second keytool command imports the intermediate CA certificate into `trust.jks`. This enables WebLogic Server's SSL implementation to transmit the intermediate certificate with the server's public certificate to the client during the SSL handshake.
keytool -importcert -alias aliasfortrustedca -trustcacerts -file trustedcafilename.pem -keystore `keystorename` -storepass `keystorepassword` -storetype keystoretype	Loads a trusted CA certificate into a keystore. If the keystore does not exist, it is created.
keytool -certreq -alias alias -sigalg sigalg -file certreq_file -keyfilepass privatekeypassword -storetype keystoretype -keystore keystorename -storepass keystorepassword	Generates a Certificate Signing Request (CSR), using the PKCS#10 format, and a self-signed certificate with a private key. Stores the CSR in the specified `certreq_file`, and the certificate/private key pair as a key entry in the specified keystore under the specified alias.
keytool -list -keystore keystorename	Displays the contents of the keystore.
keytool -delete -keystore keystorename -storepass keystorepassword -alias privatekeyalias	Deletes the entry identified by the specified alias from the keystore.
keytool -help	Provides online help for keytool.