Java
Most Java applications use the keystore that's supplied with the JDK to store cryptographic keys, X.509 certificate chain information, and trusted certificates. The default JDK keystore in Oracle Linux is the /etc/pki/java/cacerts file. You can use the keytool command to generate, install and manage certificates in the Java keystore.

The following examples show how you might use the keytool command.
- List the contents of the keystore, /etc/pki/java/cacerts:

  sudo keytool -list [-v] -keystore /etc/pki/java/cacerts

  The default keystore password is changeit. Oracle strongly recommends that you change the password as soon as possible. If specified, the verbose option -v displays detailed information, such as each certificate's owner, issuer, validity period and fingerprints.

- Change the password for a keystore, for example, /etc/pki/java/cacerts:

  sudo keytool -storepasswd -keystore /etc/pki/java/cacerts

  keytool prompts for the current password and then for the new one. On Oracle Linux, /etc/pki/java/cacerts is a link into the system CA trust store that update-ca-trust regenerates, so changes to it, including the password, can be overwritten the next time that store is regenerated; keep keys and certificates that you manage yourself in a separate keystore.
- Create a keystore (keystore.jks) to achieve the following:

  - Manage public and private key pairs and certificates from entities that you trust.
  - Generate a public and private key pair by using the RSA algorithm and a key length of 3072 bits.
  - Create a self-signed certificate that includes the public key and the specified distinguished name information.

  sudo keytool -genkeypair -alias engineering -keyalg RSA -keysize 3072 \
    -dname "CN=www.unserdom.com, OU=Eng, O=Unser Dom Corp, C=US, ST=Ca, L=Sunnydale" \
    -keypass pkpassword -keystore keystore.jks \
    -storepass storepassword -validity 100

  In the command, pkpassword is the private key password and storepassword is the keystore password. In this example, the certificate is valid for 100 days and is associated with the private key in a keystore entry that has the alias engineering. Passing passwords as command-line arguments exposes them in the process list and in the shell history; keytool also accepts them from the environment or a file, as -storepass:env VARIABLE or -storepass:file path (and likewise for -keypass). Since JDK 9 the default keystore type is PKCS12, which doesn't support a key password that differs from the store password: keytool ignores the -keypass value and prints a warning in that case.

- Print the contents of a certificate file in a human-readable form:

  sudo keytool -printcert [-v] -file cert.cer

  If specified, the verbose option -v displays detailed information.

- Generate a CSR in the file carequest.csr for submission to a CA:

  sudo keytool -certreq -alias engineering -file carequest.csr \
    -keystore keystore.jks -storepass storepassword

  The -alias and -keystore options select the key pair that the request is generated for; if you omit them, keytool uses the default alias mykey in the default keystore, .keystore in your home directory. The CA signs and returns a certificate or a certificate chain that authenticates your public key.
- Import the root certificate or certificate chain for the CA from the ACME.cer file into the keystore.jks keystore and assign it the alias acmeca:

  sudo keytool -importcert -alias acmeca [-trustcacerts] -file ACME.cer \
    -keystore keystore.jks -storepass storepassword

  If specified, the -trustcacerts option makes keytool also consider the CA certificates in the cacerts keystore when it tries to build a chain of trust for the certificate. If no chain can be established, which is the normal case for a root certificate that isn't already trusted, keytool prints the certificate together with its fingerprints and asks you to confirm that you trust it. Before you answer yes, use the keytool -printcert command to check that the certificate's fingerprint matches the fingerprint that the CA publishes through an independent channel: every certificate that an imported root issues is trusted by the keystore from then on.

- Import the signed certificate for the organization after you have received it from the CA:

  sudo keytool -importcert -v -trustcacerts -alias engineering -file ACMEdom.cer \
    -keystore keystore.jks -storepass storepassword

  In this example, the file containing the certificate is ACMEdom.cer. The -alias option must name the key pair entry that the CSR was generated from (engineering in the earlier example), not the CA's alias. keytool validates the reply by building a chain from it through the CA certificates in the keystore and, with -trustcacerts, in cacerts, and then replaces the self-signed certificate in that entry with the signed certificate and its chain. A reply that's imported under any other alias is stored as a trusted certificate entry that isn't linked to the private key.

- Delete the certificate with the alias aliasname from the keystore.jks keystore:

  sudo keytool -delete -alias aliasname -keystore keystore.jks -storepass storepassword
- Export the certificate with the alias aliasname as a binary (DER) file:

  sudo keytool -exportcert -noprompt -alias aliasname -file output.cer \
    -keystore keystore.jks -storepass storepassword

- Export the certificate with the alias aliasname as a base64 encoded text file (also referred to as PEM or RFC 1421):

  sudo keytool -exportcert -noprompt -rfc -alias aliasname -file output.pem \
    -keystore keystore.jks -storepass storepassword

  In both forms, keytool -exportcert writes a single certificate, not a PKCS#7 bundle: for a key entry with a certificate chain, the file includes only the first certificate in the chain, which authenticates the public key of the aliased entity. To obtain the whole chain in PEM form, use keytool -list -rfc -alias aliasname, which prints every certificate in the entry.
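The following script is an added example and is not part of the Oracle Linux page: it runs the whole procedure above (key pair, CSR, CA-signed reply, import of the CA root and of the reply) against a throwaway local CA so that it works offline, using keytool -gencert to play the CA's role. The keystore names (ca.p12, server.p12), the aliases (ca, server, democa), the distinguished names, the hostname www.example.test and the demo password are assumptions made for this script, and the passwords are passed through the environment with the :env modifier rather than on the command line.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux page): runs the keytool lifecycle
# described above, key pair -> CSR -> CA-signed reply -> import, against a
# throwaway local CA so it works offline. Keystore names, aliases, DNs and
# the demo password are assumptions made for this script.
set -eu

# keytool reads -storepass:env / -keypass:env from the environment, so the
# password never appears on a command line or in the shell history.
KS_PASS="${KS_PASS:-demo-change-me}"
export KS_PASS

# Run the procedure in scratch directory $1 and print the number of
# certificates in the server entry's chain (2 = leaf + CA after the import).
keytool_lifecycle() (
    mkdir -p "$1" && cd "$1"

    # Steps 1-6 are chatty; only the final check is allowed to reach stdout.
    {
        # 1. Local CA: RSA key pair plus a self-signed cert marked CA:true
        #    (-ext bc:c = critical BasicConstraints, ca=true).
        keytool -genkeypair -alias ca -keyalg RSA -keysize 3072 \
            -dname "CN=Demo Root CA, O=Demo, C=US" -ext bc:c -validity 365 \
            -storetype PKCS12 -keystore ca.p12 \
            -storepass:env KS_PASS -keypass:env KS_PASS

        # 2. Server key pair. Its self-signed cert is only a placeholder until
        #    the CA's reply replaces it. PKCS12 needs matching key and store
        #    passwords, so the same variable is used for both.
        keytool -genkeypair -alias server -keyalg RSA -keysize 3072 \
            -dname "CN=www.example.test, O=Demo, C=US" -validity 100 \
            -storetype PKCS12 -keystore server.p12 \
            -storepass:env KS_PASS -keypass:env KS_PASS

        # 3. CSR for that key pair. -alias and -keystore select the key;
        #    without them keytool would use alias "mykey" in ~/.keystore.
        keytool -certreq -alias server -file server.csr \
            -keystore server.p12 -storepass:env KS_PASS

        # 4. The CA side: keytool -gencert signs the CSR and emits a PEM cert.
        keytool -gencert -alias ca -infile server.csr -outfile server.cer -rfc \
            -validity 100 -ext san=dns:www.example.test \
            -keystore ca.p12 -storepass:env KS_PASS

        # 5. Trust the CA in the server keystore. -noprompt skips the
        #    "Trust this certificate?" question; in real use, compare the
        #    fingerprint from `keytool -printcert -file ca.pem` with the one
        #    the CA publishes before trusting it.
        keytool -exportcert -alias ca -rfc -file ca.pem \
            -keystore ca.p12 -storepass:env KS_PASS
        keytool -importcert -alias democa -file ca.pem -noprompt \
            -keystore server.p12 -storepass:env KS_PASS

        # 6. Import the reply under the KEY PAIR's alias. keytool chains it to
        #    the trusted "democa" entry and replaces the self-signed cert.
        #    Any other alias would just add an unlinked trusted cert entry.
        keytool -importcert -alias server -file server.cer -noprompt \
            -keystore server.p12 -storepass:env KS_PASS
    } >/dev/null

    # 7. Verify: the key entry now carries leaf + CA, so keytool -list -v
    #    reports "Certificate chain length: 2".
    keytool -list -v -alias server -keystore server.p12 -storepass:env KS_PASS \
        | sed -n 's/^Certificate chain length: //p'
)

# Usage: sh keytool-demo.sh /tmp/keytool-demo   (prints 2 on success;
# set -e aborts the script at the first keytool step that fails).
if [ -n "${1:-}" ]; then
    keytool_lifecycle "$1"
fi
```

The check in step 7 is the one to keep in your own procedures: after importing a CA reply, the chain length for the key entry must grow, and keytool -list -v must show the CA as the issuer of the leaf. If the chain length stays at 1, the reply was imported under the wrong alias or could not be chained to a trusted CA entry.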
For more information, see the keytool(1) manual page.