keytool_cheatsheet - dwilson2547/wiki_demo GitHub Wiki

Here’s a Linux keytool Cheat Sheet with common commands and examples:


Linux keytool Cheat Sheet

keytool is a Java-based command-line utility for managing keystores, certificates, and cryptographic keys. It is part of the Java Development Kit (JDK).


1. Common Commands

Generate a Keystore and Key Pair

keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 365
  • Creates a keystore (keystore.jks) with a self-signed certificate.
  • Replace mydomain with your alias and set a password when prompted.

List Contents of a Keystore

keytool -list -keystore keystore.jks
  • Lists all entries in the keystore.
  • Add -v for detailed output.

Export a Certificate

keytool -exportcert -alias mydomain -keystore keystore.jks -file mydomain.crt
  • Exports the certificate for mydomain to mydomain.crt.

Import a Certificate into a Keystore

keytool -importcert -alias importedcert -keystore keystore.jks -file certificate.crt
  • Imports a certificate (e.g., certificate.crt) into the keystore.

Delete a Certificate or Key

keytool -delete -alias mydomain -keystore keystore.jks
  • Removes the entry with the alias mydomain.

Change Keystore Password

keytool -storepasswd -keystore keystore.jks
  • Prompts for the old and new keystore passwords.

Change Key Password

keytool -keypasswd -alias mydomain -keystore keystore.jks
  • Changes the password for the key associated with mydomain.

Generate a Certificate Signing Request (CSR)

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
  • Creates a CSR (mydomain.csr) for submission to a Certificate Authority (CA).

Import a CA-Signed Certificate

keytool -importcert -alias mydomain -keystore keystore.jks -file signed_cert.crt
  • Imports a signed certificate (e.g., signed_cert.crt) into the keystore.

Check Certificate Details

keytool -printcert -file mydomain.crt
  • Displays details of a certificate file.

Convert Keystore Format (JKS to PKCS12)

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
  • Converts a JKS keystore to PKCS12 format.

List Trusted Certificates in a Keystore

keytool -list -keystore $JAVA_HOME/lib/security/cacerts
  • Lists trusted CA certificates in the default Java cacerts file.
  • Default password: changeit.
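As an added example, not part of the original cheat sheet: a small Python audit that reads `keytool -list -v` output (the listing command above with `-v`) and flags entries that are expired, expiring within 30 days, signed with SHA-1 or MD5, or carrying an RSA key shorter than 2048 bits. The sample listing is constructed and trimmed to the fields the script reads, and the field names assume the keytool shipped with JDK 9 or later.

```python
import re
from datetime import datetime, timedelta

# Constructed, trimmed `keytool -list -v` output for two entries (not real keystore data).
SAMPLE = """\
Alias name: mydomain
Entry type: PrivateKeyEntry
Valid from: Fri Jan 05 10:00:00 UTC 2024 until: Sat Jan 04 10:00:00 UTC 2025
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Alias name: legacyca
Entry type: trustedCertEntry
Valid from: Sun Mar 01 00:00:00 UTC 2015 until: Fri Mar 01 00:00:00 UTC 2030
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""

def java_date(s):
    t = s.split()  # 'Fri Jan 05 10:00:00 UTC 2024': weekday and zone name are dropped
    return datetime.strptime(f"{t[1]} {t[2]} {t[5]} {t[3]}", "%b %d %Y %H:%M:%S")

def parse_entries(listing):
    """Group the 'Key: value' lines of `keytool -list -v` output into one dict per alias."""
    entries = []
    for line in listing.splitlines():
        if line.startswith("Alias name: "):
            entries.append({})
        if entries and ": " in line:
            key, val = line.split(": ", 1)
            entries[-1][key] = val
    return entries

def audit(listing, now, warn_days=30):
    """Return (alias, problem) pairs: expiry, weak signature algorithm, short RSA key."""
    findings = []
    for e in parse_entries(listing):
        until = java_date(e["Valid from"].split(" until: ", 1)[1])
        if until < now:
            findings.append((e["Alias name"], "expired"))
        elif until - now <= timedelta(days=warn_days):
            findings.append((e["Alias name"], f"expires within {warn_days} days"))
        sig = e.get("Signature algorithm name", "")
        if sig.upper().startswith(("SHA1", "MD5")):
            findings.append((e["Alias name"], f"weak signature algorithm {sig}"))
        m = re.match(r"(\d+)-bit RSA", e.get("Subject Public Key Algorithm", ""))
        if m and int(m.group(1)) < 2048:
            findings.append((e["Alias name"], f"RSA key only {m.group(1)} bits"))
    return findings
```

To check a real keystore, pass the output of `keytool -list -v -keystore keystore.jks` (for example read from standard input) to `audit()` together with `datetime.now()`.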

2. Common Options

Option              Description
-alias <alias>      Specifies the alias for the entry.
-keystore <file>    Specifies the keystore file.
-storepass <pass>   Provides the keystore password.
-keypass <pass>     Provides the key password.
-validity <days>    Sets the validity period (default: 90 days).
-keyalg <alg>       Specifies the key algorithm (e.g., RSA).
-keysize <size>     Sets the key size (e.g., 2048).

3. Tips

  • Default Keystore: If no keystore is specified, keytool uses $HOME/.keystore.
  • Passwords: Always protect keystores and keys with strong passwords.
  • Backup: Always back up your keystore file.