Quick Reference Card
| Task | Command |
|---|---|
| Generate key pair | keytool -genkeypair |
| Create CSR | keytool -certreq |
| Import certificate | keytool -importcert |
| List keystore | keytool -list |
| Export certificate | keytool -exportcert |
| Delete entry | keytool -delete |
| Convert keystore | keytool -importkeystore |
| Change store password | keytool -storepasswd |
| Change key password | keytool -keypasswd |
Generate Key Pair (-genkeypair)
Creates a new key pair (private key + self-signed certificate) in the keystore.
Basic RSA Key Pair
```bash
keytool -genkeypair -alias myserver \
  -keyalg RSA -keysize 2048 \
  -keystore server.p12 -storetype PKCS12 \
  -validity 365 \
  -storepass changeit
```
With Subject DN (Non-Interactive)
```bash
keytool -genkeypair -alias myserver \
  -keyalg RSA -keysize 2048 \
  -keystore server.p12 -storetype PKCS12 \
  -validity 365 \
  -dname "CN=myserver.example.com,OU=IT,O=MyCompany,L=City,ST=State,C=US" \
  -storepass changeit
```
With Subject Alternative Names (SANs)
```bash
keytool -genkeypair -alias myserver \
  -keyalg RSA -keysize 2048 \
  -keystore server.p12 -storetype PKCS12 \
  -validity 365 \
  -dname "CN=myserver.example.com,O=MyCompany,C=US" \
  -ext "SAN=dns:myserver.example.com,dns:www.example.com,ip:192.168.1.100" \
  -storepass changeit
```
ECDSA Key (Smaller, Faster)
```bash
keytool -genkeypair -alias myserver \
  -keyalg EC -keysize 256 \
  -keystore server.p12 -storetype PKCS12 \
  -validity 365 \
  -dname "CN=myserver.example.com,O=MyCompany,C=US" \
  -storepass changeit
```
Common Options
- `-alias`: Unique name for this entry
- `-keyalg`: Algorithm: RSA, EC, DSA
- `-keysize`: Key size: 2048, 4096 for RSA; 256, 384 for EC
- `-validity`: Certificate validity in days
- `-dname`: Distinguished name (subject)
- `-ext`: X.509 extensions (SAN, key usage, etc.)
Create CSR (-certreq)
Generates a Certificate Signing Request (CSR) from an existing key pair. Send this to a CA to get a signed certificate.
Basic CSR
```bash
keytool -certreq -alias myserver \
  -keystore server.p12 -storepass changeit \
  -file server.csr
```
CSR with SANs
```bash
keytool -certreq -alias myserver \
  -keystore server.p12 -storepass changeit \
  -ext "SAN=dns:myserver.example.com,dns:www.example.com" \
  -file server.csr
```
View CSR Contents
```bash
# View CSR with keytool
keytool -printcertreq -file server.csr

# Or with OpenSSL
openssl req -in server.csr -text -noout
```
Note: The CSR uses the subject from the existing key pair. To change the subject, generate a new key pair with the correct -dname.
Import Certificate (-importcert)
Imports a certificate into the keystore. Used for both trusted CA certs and signed certificates for your keys.
Import CA Certificate to Truststore
```bash
keytool -importcert -alias myca \
  -file ca-certificate.pem \
  -keystore truststore.p12 -storetype PKCS12 \
  -storepass changeit -noprompt
```
Import Signed Certificate (Reply)
After receiving a signed certificate from the CA, import it to replace the self-signed cert:
```bash
# First, import the CA certificate (if not in cacerts)
keytool -importcert -alias rootca \
  -file root-ca.pem \
  -keystore server.p12 -storepass changeit -noprompt

# Then import the signed certificate
keytool -importcert -alias myserver \
  -file signed-cert.pem \
  -keystore server.p12 -storepass changeit
```
Import Certificate Chain
```bash
# Import root CA
keytool -importcert -alias rootca -file root-ca.crt \
  -keystore server.p12 -storepass changeit -noprompt

# Import intermediate CA
keytool -importcert -alias intermediateca -file intermediate-ca.crt \
  -keystore server.p12 -storepass changeit -noprompt

# Import your signed certificate (links to the chain)
keytool -importcert -alias myserver -file server-signed.crt \
  -keystore server.p12 -storepass changeit
```
List Keystore (-list)
Brief Listing
```bash
keytool -list -keystore server.p12 -storepass changeit
```
Verbose Listing (Certificate Details)
```bash
keytool -list -v -keystore server.p12 -storepass changeit
```
List Specific Alias
```bash
keytool -list -v -alias myserver \
  -keystore server.p12 -storepass changeit
```
RFC/PEM Format Output
```bash
keytool -list -rfc -keystore server.p12 -storepass changeit
```
List Java cacerts
```bash
keytool -list -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit
```
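The verbose listing is the raw material for a keystore audit. As an added example (not part of this cheat sheet), the Python script below parses a saved `keytool -list -v` output and reports certificates that expire within a warning window, SHA-1/MD5 signature algorithms, and undersized keys; `SAMPLE_LISTING` is a constructed sample holding only the fields the script reads, and the date format is assumed to be keytool's usual `Mon Jan 15 10:00:00 UTC 2024` form.

```python
# Added example (not from the cheat sheet): audit a saved `keytool -list -v` listing for
# expiring certs, weak signatures and short keys. SAMPLE_LISTING is a constructed sample.
from datetime import datetime, timezone
SAMPLE_LISTING = """\
Alias name: myserver
Valid from: Mon Jan 15 10:00:00 UTC 2024 until: Tue Jan 14 10:00:00 UTC 2025
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Valid from: Sat Jan 01 00:00:00 UTC 2022 until: Fri Dec 31 23:59:59 UTC 2032
Alias name: legacyca
Valid from: Tue Mar 03 00:00:00 UTC 2015 until: Wed Mar 03 00:00:00 UTC 2027
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""
MIN_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}   # anything smaller is flagged
def parse_keytool_date(text):  # "Mon Jan 15 10:00:00 UTC 2024"; the zone token is dropped
    p = text.split()
    stamp = datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def parse_listing(listing):
    certs, alias, index = [], None, 0
    for line in listing.splitlines():
        if line.startswith("Alias name: "):
            alias, index = line.split(": ", 1)[1], 0      # new entry, chain count restarts
        elif line.startswith("Valid from: "):
            index += 1                                    # keytool prints chain certs in order
            certs.append({"alias": alias, "index": index,
                          "not_after": parse_keytool_date(line.split(" until: ", 1)[1])})
        elif line.startswith("Signature algorithm name: "):
            certs[-1]["sigalg"] = line.split(": ", 1)[1]
        elif line.startswith("Subject Public Key Algorithm: "):
            parts = line.split(": ", 1)[1].split()        # e.g. "2048-bit RSA key"
            certs[-1]["key"] = (parts[1], int(parts[0].removesuffix("-bit")))
    return certs

def audit(listing, now, warn_days=30):
    """Return (alias, chain index, finding) tuples; an empty list means clean."""
    findings = []
    for c in parse_listing(listing):
        days_left = (c["not_after"] - now).days
        if days_left <= warn_days:
            msg = "expired" if days_left < 0 else f"expires in {days_left} days"
            findings.append((c["alias"], c["index"], msg))
        if c.get("sigalg", "").upper().startswith(("MD5WITH", "SHA1WITH")):
            findings.append((c["alias"], c["index"], f"weak signature {c['sigalg']}"))
        alg, bits = c.get("key", ("RSA", MIN_BITS["RSA"]))
        if bits < MIN_BITS.get(alg, 0):
            findings.append((c["alias"], c["index"], f"{bits}-bit {alg} key"))
    return findings
```

To run it against a real keystore, capture `keytool -list -v -keystore server.p12 -storepass changeit > listing.txt` and pass the file contents to `audit()` with `datetime.now(timezone.utc)`.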
Export Certificate (-exportcert)
Export as PEM (Base64)
```bash
keytool -exportcert -alias myserver \
  -keystore server.p12 -storepass changeit \
  -file server.crt -rfc
```
Export as DER (Binary)
```bash
keytool -exportcert -alias myserver \
  -keystore server.p12 -storepass changeit \
  -file server.der
```
Important: keytool cannot directly export private keys. To extract a private key, convert to PKCS12 and use OpenSSL:
```bash
# Convert to PKCS12 if needed, then:
openssl pkcs12 -in server.p12 -nocerts -nodes \
  -out private-key.pem -passin pass:changeit
```
Delete Entry (-delete)
```bash
keytool -delete -alias myserver \
  -keystore server.p12 -storepass changeit
```
Warning: This permanently removes the entry. Back up your keystore before deleting.
Convert/Import Keystore (-importkeystore)
Convert JKS to PKCS12
```bash
keytool -importkeystore \
  -srckeystore server.jks -srcstoretype JKS \
  -destkeystore server.p12 -deststoretype PKCS12 \
  -srcstorepass changeit -deststorepass changeit
```
Convert PKCS12 to JKS
```bash
keytool -importkeystore \
  -srckeystore server.p12 -srcstoretype PKCS12 \
  -destkeystore server.jks -deststoretype JKS \
  -srcstorepass changeit -deststorepass changeit
```
Import Specific Alias
```bash
keytool -importkeystore \
  -srckeystore source.p12 -srcstoretype PKCS12 \
  -destkeystore dest.p12 -deststoretype PKCS12 \
  -srcalias mykey -destalias newkeyname \
  -srcstorepass changeit -deststorepass changeit
```
Change Passwords
Change Store Password
```bash
keytool -storepasswd \
  -keystore server.p12 \
  -storepass oldpassword \
  -new newpassword
```
Change Key Password
```bash
keytool -keypasswd -alias myserver \
  -keystore server.p12 \
  -storepass changeit \
  -keypass oldkeypass \
  -new newkeypass
```
Change Alias Name
```bash
keytool -changealias \
  -keystore server.p12 -storepass changeit \
  -alias oldname -destalias newname
```
Common Errors
`keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect`
Fix: Wrong password or wrong storetype. Specify the correct type:
```bash
keytool -list -keystore file.p12 -storetype PKCS12 -storepass yourpass
```
`keytool error: java.lang.Exception: Alias does not exist`
Fix: List the keystore to see available aliases:
```bash
keytool -list -keystore server.p12 -storepass changeit
```
`keytool error: java.lang.Exception: Failed to establish chain from reply`
Fix: Import the CA certificate(s) before importing the signed certificate:
```bash
# Import CA first
keytool -importcert -alias rootca -file ca.crt -keystore server.p12 -storepass changeit -noprompt

# Then import your signed cert
keytool -importcert -alias myserver -file signed.crt -keystore server.p12 -storepass changeit
```
Frequently Asked Questions
How do I generate a self-signed certificate with keytool?
Use: `keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore keystore.p12 -storetype PKCS12 -validity 365 -storepass changeit`
Can keytool export private keys?
No, keytool cannot directly export private keys. Convert to PKCS12 and use OpenSSL: `openssl pkcs12 -in file.p12 -nocerts -nodes -out key.pem`
How do I create a CSR from an existing key?
Use: `keytool -certreq -alias mykey -keystore keystore.p12 -storepass changeit -file request.csr`
How do I import a certificate chain?
Import certificates in order: root CA first, then intermediate(s), then your signed certificate. Use `-importcert` for each.
What is the difference between -genkey and -genkeypair?
They are identical. `-genkeypair` is the current name; `-genkey` is a deprecated alias for backward compatibility.
How do I convert JKS to PKCS12?
Use: `keytool -importkeystore -srckeystore file.jks -srcstoretype JKS -destkeystore file.p12 -deststoretype PKCS12`
