SSL

Managing SSL Certificates using keytool Command

Every Java installation ships with the keytool utility, a very useful command for managing SSL certificates. You can find the keytool command under <JAVA_HOME>/bin/.

Create a new Key along with the Keystore

keytool -genkey -alias middlewareworld.org -dname 'CN=middlewareworld.org, OU=Middleware, L=Thailand, O=MiddlewareWorld.org, C=Thailand' -keyalg RSA -keystore middlewareworld.org.jks -keysize 2048 -sigalg SHA256withRSA -storepass P@ssw0rd -keypass P@ssw0rd

Create a Certificate Signing Request (CSR)

keytool -certreq -alias middlewareworld.org -keystore middlewareworld.org.jks -file middlewareworld.org.csr -storepass P@ssw0rd

Have the CSR signed by a Certificate Authority (e.g. DigiCert, GoDaddy, Entrust), then follow the steps below to import the returned certificate into the keystore.

Import the trusted root and intermediate certs

Note that the root has to be imported first, followed by the intermediate, in order to maintain the certificate chain.

keytool -keystore middlewareworld.org.jks -import -trustcacerts -alias middlewareworld_root -file TrustedRoot.cert -storepass P@ssw0rd

keytool -keystore middlewareworld.org.jks -import -trustcacerts -alias middlewareworld_intermediate -file TrustedIntermediate.cert -storepass P@ssw0rd

Import the Signed Certificate and replace the self-signed cert

Note: when importing the signed certificate, use the same alias as the key entry, so that the CA-signed cert replaces the self-signed one instead of being stored as a separate trusted entry.

keytool -keystore middlewareworld.org.jks -import -alias middlewareworld.org -file middlewareworld.org.signed_cert.crt -storepass P@ssw0rd

Convert a Keystore from JKS to PKCS12 format

keytool -importkeystore -srckeystore middlewareworld.org.jks -destkeystore middlewareworld.org.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass P@ssw0rd -deststorepass P@ssw0rd -srcalias middlewareworld.org -destalias middlewareworld.org

Extract the Key from JKS keystore

This is a 2-step process:

  • Convert the JKS into PKCS12 format

keytool -importkeystore -srckeystore middlewareworld.org.jks -destkeystore middlewareworld.org.p12 -deststoretype PKCS12

  • Extract the key from the PKCS12 keystore

openssl pkcs12 -in middlewareworld.org.p12 -nodes -nocerts -out middlewareworld.org.key
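The whole workflow above, run end to end and then checked, as an added example that is not part of the original post: it stands up a throwaway local CA in place of a public one, signs the CSR, imports root and signed cert, converts to PKCS12, extracts the key, and finally verifies that the key entry carries the full chain and that the extracted key matches the certificate. It assumes keytool and openssl are on PATH; the CA, names and password are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes keytool (JDK) and openssl
# on PATH. Demo CA, alias and password are constructed values, not real ones.
set -eu
WORK=$(mktemp -d)
ALIAS=middlewareworld.org
PASS=P@ssw0rd
KS="$WORK/$ALIAS.jks"
run_workflow() {
  # Constructed demo CA; in practice the CSR goes to DigiCert/Entrust/etc. instead
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 1. Key pair + JKS keystore (as in the post), then the CSR; 2. demo CA signs it
  keytool -genkeypair -alias "$ALIAS" -storetype JKS -keystore "$KS" \
    -dname "CN=$ALIAS, OU=Middleware, O=MiddlewareWorld.org, C=TH" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias "$ALIAS" -keystore "$KS" -file "$WORK/req.csr" -storepass "$PASS"
  openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$WORK/signed.crt" 2>/dev/null
  # 3. Root first (-noprompt skips the interactive trust question), then the
  #    signed cert under the SAME alias so it replaces the self-signed one
  keytool -importcert -trustcacerts -noprompt -alias demo_root -keystore "$KS" \
    -file "$WORK/ca.crt" -storepass "$PASS"
  keytool -importcert -noprompt -alias "$ALIAS" -keystore "$KS" \
    -file "$WORK/signed.crt" -storepass "$PASS"
  # 4. JKS -> PKCS12, then pull the key out with openssl (-passin avoids the prompt)
  keytool -importkeystore -srckeystore "$KS" -srcstoretype jks -srcstorepass "$PASS" \
    -destkeystore "$WORK/store.p12" -deststoretype pkcs12 -deststorepass "$PASS" -noprompt
  openssl pkcs12 -in "$WORK/store.p12" -passin "pass:$PASS" -nodes -nocerts \
    -out "$WORK/server.key" 2>/dev/null
}
# Chain length keytool reports for the server entry (2 = leaf + demo root)
chain_length() {
  keytool -J-Duser.language=en -list -v -keystore "$KS" -storepass "$PASS" -alias "$ALIAS" \
    | sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}
# Exit 0 only if the extracted private key's public half equals the cert's SPKI
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/signed.crt" -pubkey -noout)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  run_workflow
  echo "chain length: $(chain_length)"; key_matches_cert && echo "key matches cert"
fi
```

A chain length of 1 after the import means the root was not found and the signed cert was stored without its chain, which is the usual cause of clients failing to validate the server.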
