[Security] Keystore and Truststore - ramkumarant/reference GitHub Wiki

Create self-signed certificate and truststore

REM Create self-signed certificate and truststore
keytool -v -genkey -keyalg RSA -keysize 2048 -alias "localhost" -keystore localhost.jks -storepass changeit -keypass changeit -validity 1825 -dname "CN=localhost, OU=Unit-01, O=Org-01, L=Chennai, C=IN"

REM Generate certificate signing request.
keytool -keystore localhost.jks -certreq -alias localhost -keyalg rsa -file localhost.csr -storepass changeit

REM Export certificate from a JKS keystore as a PEM-encoded (RFC 1421) X.509 certificate.
keytool -export -rfc -alias "localhost" -file localhost.crt -keystore localhost.jks -storepass changeit -keypass changeit

REM import public certificate to truststore.
keytool -import -noprompt -trustcacerts -alias "localhost" -file localhost.crt -keystore localhost-truststore.jks -storepass changeit -keypass changeit

REM Print localhost.crt
keytool -printcert -v -file localhost.crt

REM Print localhost-truststore.jks
keytool -list -v -keystore localhost-truststore.jks -storepass changeit

Create self-signed keystore with SAN certificate

keytool -v -genkey -keyalg RSA -keysize 2048 -validity 1825 -alias "localhost" -dname "CN=localhost, OU=Unit-01, O=Org-01, L=Chennai, C=IN" -ext san=dns:example.com,ip:192.168.1.1 -keystore localhost.jks -storepass changeit -keypass changeit
keytool -list -v -keystore localhost.jks -storepass changeit

Change key password

keytool -keypasswd -alias "localhost" -keypass changeit -new changeit -keystore localhost.jks -storepass changeit
keytool -list -v -keystore localhost.jks -storepass changeit

Change keystore password

keytool -storepasswd -new changeit -keystore localhost.jks -storepass changeit
keytool -list -v -keystore localhost.jks -storepass changeit

Convert JKS (.jks) keystore to PKCS12 (.p12 or .pfx) keystore

keytool -v -importkeystore -srckeystore localhost.jks -destkeystore localhost.pfx -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit
keytool -list -v -keystore localhost.pfx -storepass changeit

Convert PKCS12 (.p12 or .pfx) to JKS (.jks) keystore

keytool -v -importkeystore -srckeystore localhost.pfx -destkeystore localhost.jks -srcstoretype PKCS12 -deststoretype JKS -srcstorepass changeit -deststorepass changeit
keytool -list -v -keystore localhost.jks -storepass changeit