keytool - Key and Certificate Management Tool

Manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.


keytool [ commands ]

See the What's New section for a detailed description of changes in IBM® SDK, Java™ Technology Edition, Version 7. Note that previously defined commands are still supported.


keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.

A certificate is a digitally signed statement from one entity (person, company, etc.), saying that the public key (and some other information) of some other entity has a particular value. (See Certificate.) When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.

The keytool command also enables users to administer secret keys used in symmetric encryption and decryption (Data Encryption Standard).

The keytool command stores the keys and certificates in a keystore.

The keytool command uses the jdk.certpath.disabledAlgorithms and security properties to determine which algorithms are considered a security risk. It emits warnings when disabled or legacy algorithms are being used. The jdk.certpath.disabledAlgorithms and security properties are defined in the <install_dir>/jre/lib/security/ file.