keytool: Key and Certificate Management Tool

Synopsis: keytool command options
keytool manages and manipulates a keystore, a repository for public and private keys and public key certificates. keytool defines various commands for generating keys, importing data into the keystore, and exporting and displaying keystore data. Keys and certificates are stored in a keystore using a case-insensitive name or alias. keytool uses this alias to refer to a key or certificate.
The first option to keytool always specifies the basic command to be performed. Subsequent options provide details about how the command is to be performed. Only the command must be specified. If a command requires an option that does not have a default value, keytool prompts you interactively for the value.
Commands:

-certreq
Generates a certificate signing request in PKCS#10 format for the specified alias. The request is written to the specified file or to the standard output stream. The request should be sent to a certificate authority (CA), which authenticates the requestor and sends back a signed certificate authenticating the requestor's public key. This signed certificate can then be imported into the keystore with the -import command. This command uses the following options: -alias, -file, -keypass, -keystore, -sigalg, -storepass, -storetype, and -v.

-delete
Deletes a specified alias from a specified keystore. This command uses the following options: -alias, -keystore, -storepass, -storetype, and -v.

-export
Writes the certificate associated with the specified alias to the specified file or to standard output. This command uses the following options: -alias, -file, -keystore, -rfc, -storepass, -storetype, and -v.

-genkey
Generates a public/private key pair and a self-signed X.509 certificate for the public key. Self-signed certificates are not often useful by themselves, so this command is often followed by -certreq. This command uses the following options: -alias, -dname, -keyalg, -keypass, -keysize, -keystore, -sigalg, -storepass, -storetype, -v, and -validity.

-help
Lists all available keytool commands and their options. This command is not used with any other options.

-identitydb
Reads keys and certificates from a legacy identity database managed with the deprecated javakey program and stores them into a keystore so that they can be manipulated by keytool. The identity database is read from the specified file or from standard input if no file is specified. The keys and certificates are written into the specified keystore file, which is automatically created if it does not exist yet. This command uses the following options: -file, -keystore, -storepass, -storetype, and -v.

-import
Reads a certificate or PKCS#7-formatted certificate chain from a specified file or from standard input and stores it as a trusted certificate in the keystore with the specified alias. This command uses the following options: -alias, -file, -keypass, -keystore, -noprompt, -storepass, -storetype, -trustcacerts, and -v.

-keyclone
Duplicates the keystore entry of a specified alias and stores it in the keystore under a new alias. This command uses the following options: -alias, -dest, -keypass, -keystore, -new, -storepass, -storetype, and -v.

-keypasswd
Changes the password that encrypts the private key associated with a specified alias. This command uses the following options: -alias, -keypass, -new, -storetype, and -v.

-list
Displays (on standard output) the fingerprint of the certificate associated with the specified alias. With the -v option, prints certificate details in human-readable format. With -rfc, prints certificate contents in a machine-readable, printable-encoding format. This command uses the following options: -alias, -keystore, -rfc, -storepass, -storetype, and -v.

-printcert
Displays the contents of a certificate read from the specified file or from standard input. Unlike most keytool commands, this one does not use a keystore. This command uses the following options: -file and -v.

-selfcert
Creates a self-signed certificate for the public key associated with the specified alias and uses it to replace any certificate or certificate chain already associated with that alias. This command uses the following options: -alias, -dname, -keypass, -keystore, -sigalg, -storepass, -storetype, -v, and -validity.

-storepasswd
Changes the password that protects the integrity of the keystore as a whole. The new password must be at least six characters long. This command uses the following options: -keystore, -new, -storepass, -storetype, and -v.
Options:

The keytool commands accept options from the following list. Many of these options have reasonable default values. keytool interactively prompts for any unspecified options that do not have defaults:

-alias
Specifies the alias to be manipulated in the keystore. The default is "mykey".

-dest
Specifies the new alias name (the destination alias) for the -keyclone command. If not specified, keytool prompts for a value.

-dname
Specifies the X.500 distinguished name to appear on the certificate generated by -selfcert or -genkey. A distinguished name is a highly qualified name intended to be globally unique. For example:
CN=David Flanagan, OU=Editorial, O=OReilly, L=Cambridge, S=Massachusetts, C=US
The -genkey command of keytool prompts for a distinguished name if none is specified. The -selfcert command uses the distinguished name of the current certificate if no replacement name is specified.

-file
Specifies the input or output file for many of the keytool commands. If left unspecified, keytool reads from the standard input or writes to the standard output.

-keyalg
Used with -genkey to specify what type of cryptographic keys to generate. In the default Java implementation shipped from Sun, the only supported algorithm is "DSA"; this is the default if this option is omitted.

-keypass
Specifies the password that encrypts a private key in the keystore. If this option is unspecified, keytool first tries the -storepass password. If that does not work, it prompts for the appropriate password.

-keysize
Used with the -genkey command to specify the length in bits of the generated keys. If unspecified, the default is 1024.

-keystore
Specifies the location of the keystore file. If unspecified, a file named .keystore in the user's home directory is used.

-new
Used with the -keyclone command to specify the new alias name and with -keypasswd and -storepasswd to specify the new password. If unspecified, keytool prompts for the value of this option.

-noprompt
Used with the -import command to disable interactive prompting of the user when a chain of trust cannot be established for an imported certificate. If this option is not specified, the -import command prompts the user.

-rfc
Used with the -list and -export commands to specify that certificate output should be in the printable encoding format specified by RFC 1421. If this option is not specified, -export outputs the certificate in binary format, and -list lists only the certificate fingerprint. This option cannot be combined with -v in the -list command.

-sigalg
Specifies the digital signature algorithm used to sign a certificate. If omitted, the default for this option depends on the type of the underlying public key. If it is a DSA key, the default algorithm is "SHA1withDSA". If the key is an RSA key, the default signature algorithm is "MD5withRSA".

-storepass
Specifies a password that protects the integrity of the entire keystore file. This password also serves as a default password for any private keys that do not have their own -keypass specified. If -storepass is not specified, keytool prompts for it. The password must be at least six characters long.

-storetype
Specifies the type of the keystore to be used. If this option is not specified, the default is taken from the system security properties file. Often, the default is "JKS", Sun's Java Keystore type.

-trustcacerts
Used with the -import command to specify that the self-signed certificate authority certificates contained in the keystore in the jre/lib/security/cacerts file should be considered trusted. If this option is omitted, keytool ignores that file.

-v
Specifies verbose mode, if present, and makes many keytool commands produce additional output.

-validity
Used with the -genkey and -selfcert commands to specify the period of validity (in days) of the generated certificate. If unspecified, the default is 90 days.
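The key and certificate lifecycle these entries describe, run end to end as an added example (not from the original page): it assumes keytool is on PATH, and the aliases, distinguished names, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the page: the lifecycle described above run end to end
# against throwaway keystores (-genkey, -certreq, -export, -printcert,
# -import -trustcacerts, -list). Assumes keytool is on PATH; the aliases,
# distinguished names and password are constructed for the demo.
set -eu

WORK=$(mktemp -d)
SERVER_KS="$WORK/server.keystore"   # holds the server's private key
CA_KS="$WORK/ca.keystore"           # stands in for the CA's own keystore
STOREPASS="changeit"                # demo password; keytool requires >= 6 chars

# Key pair plus self-signed cert; -dname avoids the interactive DN prompt.
gen_key() {  # $1 keystore, $2 alias, $3 distinguished name
  keytool -genkey -alias "$2" -keyalg RSA -keysize 2048 -dname "$3" \
    -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" -validity 90
}

# Exit status reports whether an alias exists (-list -alias fails if it does not).
has_alias() {  # $1 keystore, $2 alias
  keytool -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}

run_demo() {
  gen_key "$SERVER_KS" server \
    "CN=www.example.test, OU=Ops, O=Example, L=Cambridge, S=Massachusetts, C=US"
  gen_key "$CA_KS" ca-root "CN=Example Demo CA, O=Example, C=US"

  # PKCS#10 request the operator would send to the CA, written to a file.
  keytool -certreq -alias server -file "$WORK/server.csr" \
    -keystore "$SERVER_KS" -storepass "$STOREPASS"

  # The CA's self-signed cert in RFC 1421 printable encoding (-rfc) ...
  keytool -export -rfc -alias ca-root -file "$WORK/ca-root.pem" \
    -keystore "$CA_KS" -storepass "$STOREPASS"
  # ... inspected without any keystore, then installed as a trusted cert.
  keytool -printcert -file "$WORK/ca-root.pem"
  keytool -import -trustcacerts -noprompt -alias ca-root \
    -file "$WORK/ca-root.pem" -keystore "$SERVER_KS" -storepass "$STOREPASS"

  # -list -v: owner/issuer DNs, serial, validity window and fingerprints.
  keytool -list -v -keystore "$SERVER_KS" -storepass "$STOREPASS"
}

if command -v keytool >/dev/null 2>&1; then
  run_demo
else
  echo "keytool not found on PATH; nothing run" >&2
fi
```

After the run, the server keystore holds the key entry "server" and the trusted certificate entry "ca-root", which is the state a deployed keystore should be checked for with -list before use.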
See also: jarsigner, policytool