keytool
manages Java keystores and certificates
TLDR
SYNOPSIS
keytool command [options]
DESCRIPTION
keytool is a key and certificate management utility included with the Java Development Kit. It generates cryptographic key pairs, creates certificate signing requests (CSRs), imports and exports X.509 certificates, and manages keystores that store private keys and trusted certificate chains used by Java applications for SSL/TLS, code signing, and authentication.The tool supports multiple keystore formats including the legacy Java KeyStore (JKS) and the industry-standard PKCS#12 format. It is commonly used to configure HTTPS for Java-based web servers, establish trust relationships by importing CA certificates, and inspect the contents of existing keystores. Each entry in a keystore is identified by an alias, and access is protected by a store-level password with optional per-key passwords.
PARAMETERS
-genkeypair
Generate key pair.-list
List keystore entries.-exportcert
Export certificate.-importcert
Import certificate or certificate chain.-certreq
Generate a certificate signing request (CSR).-printcert
Print the content of a certificate file.-importkeystore
Import entries from another keystore.-delete
Delete a keystore entry.-changealias
Change an entry's alias.-genseckey
Generate a secret (symmetric) key.-alias NAME
Entry alias.-keystore FILE
Keystore file.-storetype TYPE
Keystore type (JKS, PKCS12).-storepass PASS
Keystore password.-v
Verbose output.--help
Display help information.
CAVEATS
Part of the JDK, available wherever Java is installed. The default keystore type changed from JKS to PKCS12 in Java 9. Keystore passwords and key passwords should be kept secure. The `-storepass` flag exposes the password in process listings; omit it to be prompted interactively.
HISTORY
keytool has been part of the JDK since early versions, providing certificate and key management for Java applications.