How to add or view SSL certificate in Java keyStore or trustStore? keytool command examples

The keytool command in Java is a tool for managing certificates into keyStore and trustStore which is used to store certificates and requires during the SSL handshake process. By using the keytool command you can do many things but some of the most common operations are viewing certificates stored in the keystore, importing new certificates into the keyStore, delete any certificate from the keystore, etc. For those who are not familiar keyStore, trustStore, and SSL Setup for Java application Here is a brief overview of What is a trustStore and keyStore in Java

Both trustStore and keyStrore is used to store certificate signed by signer authority or CA (Certificate authority), with keyStore additionally storing personal certificate for the client which is used during client authentication on SSL handshake process if it's enabled.


In this article we will see some basic examples of keytool command in Java to find how many certificates we have in keyStore, viewing those certificates, adding new certificates, and deleting old certificates from keyStore or trustStore in Java.



How to use keytool command in Java

Following are some most common or frequently used example of keytool command which comes when you installed JDK. just type keytool command in your command prompt and it will show a lot of command-line options if your PATH is set correctly for Java

If Path is not set properly it will complain that not able to find the keytool command. Don't worry you just need to add the JAVA_HOME/bin directory in your path to get the keytool command working.




keytool command to find how many certificates are in keyStore:

This is the first example of the keytool command which will show you how many certificates are stored in trustStore or keyStore file :

test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool 
-list -keystore jssecacerts
Enter keystore password:  changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 81 entries

digicertassuredidrootca, 07/01/2008, trustedCertEntry,
Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
trustcenterclass2caii, 07/01/2008, trustedCertEntry,

above keytool command shows that default keystore jssecacerts, which comes along with JRE and present in JAVA_HOME directory on path  JAVA_HOME/JRE/lib/security,  has 81 certificates in it and keyStore type is JKS which stands for Java Key Store. One of those certificates are from DigiCert

keytool command examples in Java



keytool command to view certificate details from keyStore :

Now if you want to see details of certificates e.g. Common name (CN) and other attributes you can use the following keytool command to view details of certificates stored in keyStore in Java :

test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool
 -list -v -keystore jssecacerts
Enter keystore password:  changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 81 entries

Alias name: digicertassuredidrootca
Creation date: 07/01/2008
Entry type: trustedCertEntry

Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: ce7e0e517d846fe8fe560fc1bf03039
Valid from: Thu Nov 09 20:00:00 VET 2006 until: Sun Nov 09 19:30:00 VET 2031
Certificate fingerprints:
         MD5:  87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
         SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
         Signature algorithm name: SHA1withRSA
         Version: 3



keytool command for adding a certificate in keystore and trustStore :

Now if you want to import any certificate into this keystore you can use the following keytool command :
$ keytool -import -alias adding_certificate_keystore  -file self.cer -keystore jssecacerts

this will print certificate details and prompt you to accept the certificate, once you confirm that by typing Yes, the certificate will be added into your keyStore. For verification purposes, you can re-run the previous keytool command to get a total number of certificates in the keystore. For example, if we run the following keytool command, it should print 82 certificates in keyStore :

test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool 
-list -keystore jssecacerts
Enter keystore password:  changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 82 entries

Another useful keytool command option is -printcert which prints details of a certificate stored in the .cer file :

$ keytool -printcert -file test.cer

That's all on some basic keytool command examples for viewing and adding certificates into keystore and trustStore in Java. I still prefer a GUI tool for creating keystore and managing certificates but keytool is a good alternative because it comes along with JDK installation and available in most places.


Java Tutorials from java67 blog

8 comments:

  1. keytool command to list or view certificate is the what I was familiar before reading this tutorial.

    ReplyDelete
  2. Can you please help me how to view the certificates in the keystore ?

    ReplyDelete
  3. Could you please tell me what does this part of certificate mean:
    Version: 3

    Does it mean it's using SSL v3 ?

    Excerpt from your example about :
    test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool -list -v -keystore

    ReplyDelete
  4. hi... is there and command to update the keystore password from *.jks file once the .keystore file is being created?

    ReplyDelete
  5. Here are some more openssl and keytool command exmaples which helped a lot

    1. command to see which Issuer certificate you have in your keystore
    $ keytool -v -list -keystore cacerts -storepass changeit | grep -i "Verisign "

    2. OpenSSL command to connect to server and find out which certificates are acceptable
    $ openssl s_client -connect serverhostname:443

    ReplyDelete
  6. keytool is really useful utility from JDK and you can use this with openssl together to create keys, certificates, import certificates, view certificates and even copy one keystore into another keystore in Java. Here is another useful example of keytool command to copy certificates from another one keystore to other in Java:

    keytool -importkeystore \
    -srckeystore example2.p12 \
    -destkeystore example.p12 \
    -srcstoretype PKCS12 \
    -deststoretype PKCS12 \
    -srcstorepass changeit \
    -deststorepass changeit \
    -v

    ReplyDelete

Feel free to comment, ask questions if you have any doubt.