
Create keys

This page describes how to create keys with keytool, manage them in a keystore, and use them from Java programs.

Generate a public/private key pair and a self-signed certificate
For example, the following keytool command generates an RSA public/private key pair with alias "myserverkey" and an X.509 self-signed certificate for the public key:

keytool -genkeypair -alias myserverkey -dname cn=myserver.mydomain.com -validity 365 -keyalg RSA -keysize 2048 -keypass mykeypass -storetype jceks -keystore mystore.jck -storepass mystorepass

The distinguished name of the owner of the certificate is "cn=myserver.mydomain.com", which should match the DNS name of the server that will present the self-signed certificate for SSL (clients check the name in the certificate against the host they connected to; for plain public key encryption the content of the certificate matters much less). The certificate is valid for 365 days. The size of the generated RSA key is 2048 bits; do not use shorter RSA keys, as 1024-bit keys are no longer considered secure and are rejected by current TLS implementations. The password of the private key is "mykeypass". The key pair is stored in the keystore file mystore.jck with format JCEKS (if the file does not exist, it will be created). The password of the keystore is "mystorepass".

The mystore.jck keystore can be used as the SSL keystore of a server program that runs on the "myserver.mydomain.com" host. Because the keystore also contains the public key certificate for the private key, it could in principle serve as an SSL truststore for clients that connect to that server, but handing your private key to clients is completely unnecessary and a bad security practice: export only the certificate (see section "Export public key certificate from a keystore") and import it into a separate truststore for the clients. Note also that passwords passed on the command line with -storepass and -keypass can be exposed through shell history and process listings; if you omit them, keytool prompts for them instead.
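
The following Java program is an added example and not one of this page's keytool commands. It shows the keystore/truststore separation described above using the java.security.KeyStore API: it opens mystore.jck, takes only the certificate for alias "myserverkey", writes it into a new PKCS#12 truststore for clients, and prints the certificate's SHA-256 fingerprint in the same format that keytool -list -v shows. The truststore file name clienttrust.p12 and its password are assumptions made for this example; the other names and passwords are the ones used in the command above.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Builds a client truststore that holds the server certificate but not the private key. */
public class BuildTruststore {

    // Keystore name, password and alias from the keytool command above.
    static final String KEYSTORE = "mystore.jck";
    static final char[] STORE_PASS = "mystorepass".toCharArray();
    static final String ALIAS = "myserverkey";
    // Truststore name and password: assumptions for this example.
    static final String TRUSTSTORE = "clienttrust.p12";
    static final char[] TRUST_PASS = "clienttrustpass".toCharArray();

    /** keytool-style fingerprint: colon-separated upper-case hex of SHA-256 over the DER encoding. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, STORE_PASS);
        }
        // Only the certificate leaves the keystore; the private key stays in mystore.jck.
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        if (cert == null) {
            throw new IllegalStateException("no entry for alias " + ALIAS);
        }

        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);                       // start with an empty truststore
        ts.setCertificateEntry(ALIAS, cert);       // a trusted-certificate entry, no key material
        try (FileOutputStream out = new FileOutputStream(TRUSTSTORE)) {
            ts.store(out, TRUST_PASS);
        }

        System.out.println("Wrote " + TRUSTSTORE + " with certificate for "
                + cert.getSubjectX500Principal());
        // Compare this value, over a channel you trust, with what 'keytool -list -v'
        // prints on the server before clients start using the truststore.
        System.out.println("SHA-256 fingerprint: " + fingerprint(cert));
    }
}
```

A client then points javax.net.ssl.trustStore at clienttrust.p12 (with javax.net.ssl.trustStoreType=PKCS12) and never sees the server's private key.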

Obtain a certificate from a Certificate Authority
Normally the process of acquiring and using CA-signed certificates goes like this:

First a key pair and a self-signed certificate are generated (see section "Generate a public/private key pair and a self-signed certificate"). Then a certificate for the public key is requested from a Certification Authority by sending it a Certificate Signing Request. When the Certification Authority sends back the signed certificate, it is imported into the keystore that holds the matching private key, replacing the self-signed certificate. Clients that connect to the server then only need the CA's certificate in their truststore, not the server certificate itself.

For example, using keytool you can generate a Certificate Signing Request for the "myserverkey" key in the mystore.jck keystore like this:

keytool -certreq -file myreq.csr -alias myserverkey -keypass mykeypass -storetype jceks -keystore mystore.jck -storepass mystorepass

This command creates a Certificate Signing Request in the file myreq.csr for the public key with alias "myserverkey". The Certificate Signing Request can now be sent to a Certification Authority. When the new certificate arrives, you can import it into the keystore as described in section "Import public key certificate in a keystore".

Generate a secret key
The following keytool command generates a 256-bit AES key with alias "myseckey":

keytool -genseckey -keyalg AES -alias myseckey -keysize 256 -keypass mykeypass -storetype jceks -keystore mystore.jck -storepass mystorepass

The new key is stored in the JCEKS keystore file mystore.jck with password "mystorepass". The password that protects the secret key is "mykeypass". Secret keys require the JCEKS store type; a JKS keystore cannot hold them.
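
The following Java program is an added example, not part of this page, showing how a program uses the AES key generated above: it reads the "myseckey" entry from mystore.jck through the KeyStore API and encrypts and decrypts a message with AES-GCM. The names and passwords are the ones from the command above; the sample message is constructed for the example.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Uses the AES secret key stored under alias "myseckey" in the JCEKS keystore. */
public class UseSecretKey {

    // Values from the keytool -genseckey command above.
    static final String KEYSTORE = "mystore.jck";
    static final char[] STORE_PASS = "mystorepass".toCharArray();
    static final String ALIAS = "myseckey";
    static final char[] KEY_PASS = "mykeypass".toCharArray();

    static final int IV_BYTES = 12;    // 96-bit GCM nonce
    static final int TAG_BITS = 128;   // authentication tag length

    static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");   // secret keys need JCEKS; JKS cannot store them
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, STORE_PASS);
        }
        Key k = ks.getKey(ALIAS, KEY_PASS);            // the key password, not the store password
        if (!(k instanceof SecretKey)) {
            throw new IllegalStateException(ALIAS + " is not a secret-key entry");
        }
        return (SecretKey) k;
    }

    /** Returns iv || ciphertext || tag. A fresh nonce per message is mandatory with GCM. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Throws AEADBadTagException if the blob was modified or the key is wrong. */
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = loadKey();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);  // constructed input
        byte[] blob = encrypt(key, msg);
        byte[] back = decrypt(key, blob);
        System.out.println(Arrays.equals(msg, back) ? "round trip ok" : "MISMATCH");
    }
}
```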

Copy key from one keystore to another
For example, you can copy the key pair created in section "Generate a public/private key pair and a self-signed certificate" with the following keytool command:

keytool -importkeystore -srckeystore mystore.jck -destkeystore myotherstore.jks -srcstoretype jceks -deststoretype jks -srcstorepass mystorepass -deststorepass myotherstorepass -srcalias myserverkey -destalias myotherserverkey -srckeypass mykeypass -destkeypass myotherkeypass

The copy will be stored under alias "myotherserverkey" in the JKS keystore file myotherstore.jks (if it does not exist the file will be created).

Convert keystore from one format to another
For example, you can convert the JCEKS keystore created in section "Generate a public/private key pair and a self-signed certificate" to a JKS keystore myotherstore.jks with the following keytool command:

keytool -importkeystore -srckeystore mystore.jck -destkeystore myotherstore.jks -srcstoretype jceks -deststoretype jks -srcstorepass mystorepass -deststorepass myotherstorepass

The command prompts for the password of each individual private or secret key in the source keystore. Note that JKS and PKCS#12 keystores cannot hold secret keys, so do not convert a keystore that contains secret keys to either of these formats; keep such keys in a JCEKS keystore.

Export public key certificate from a keystore
The following command exports the public key certificate created in section "Generate a public/private key pair and a self-signed certificate" to the binary file myserverkey.der:

keytool -exportcert -alias myserverkey -file myserverkey.der -storetype JCEKS -keystore mystore.jck -storepass mystorepass

The resulting .der file contains the DER encoding of the X.509 certificate; it is a binary file. To get the same certificate in text form (the base64-encoded DER between BEGIN/END CERTIFICATE lines, as used by most other tools) use the "-rfc" option of keytool:

keytool -exportcert -alias myserverkey -file myserverkey.arm -storetype JCEKS -keystore mystore.jck -storepass mystorepass -rfc

Import public key certificate in a keystore
To import a new trusted certificate into a keystore use a command like this:

keytool -importcert -alias myserverkey -file myserverkey.der -storetype JCEKS -keystore mystore.jck -storepass mystorepass

keytool will attempt to verify the signer of the certificate you are importing. This means constructing a certificate chain from the imported certificate to some certificate that is already trusted. If a chain cannot be established, keytool prints the certificate's owner, issuer and fingerprints and asks whether you are certain that the certificate should be trusted. Before answering yes, compare the fingerprint with a value obtained from the certificate's owner over a channel you trust; a certificate accepted here becomes a trust anchor for everything that uses this keystore as its truststore.

To import a certificate that is a response from a Certificate Authority to a Certificate Signing Request (this means you already have a private key in the keystore for that certificate) use a command like this:

keytool -importcert -alias myserverkey -keypass mykeypass -file myserverkey.der -storetype JCEKS -keystore mystore.jck -storepass mystorepass

Note that when you import a certificate for an existing private key, you have to specify the password of the private key. keytool will attempt to verify the signer of the certificate by constructing a certificate chain to a trusted certificate. If a chain cannot be established, the import fails; you will not be asked to verify the authenticity of the certificate. For a successful import of an answer to a Certificate Signing Request, you have to trust the Certificate Authority that issued the certificate, which means the CA's certificate (and any intermediate CA certificates) must be present as trusted entries in the keystore or be supplied with the reply. If your Certificate Authority is one of the popular ones (for example, VeriSign or Thawte) you can rely on the certificates in the default truststore of the JVM (java.home/lib/security/cacerts) by using the "-trustcacerts" option of keytool:

keytool -importcert -alias myserverkey -keypass mykeypass -file myserverkey.der -storetype JCEKS -keystore mystore.jck -storepass mystorepass -trustcacerts

Extend the validity of a certificate using keytool
Suppose you have a JCEKS keystore called mystore.jck that includes an expired (or about to expire) self-signed certificate whose alias name is "myserverkey". The keystore has the associated private key in it. Assume that the password for the keystore is "mystorepass" and the password for the private key is "mykeypass". Now, if you want to extend the validity of this certificate by another 365 days, you can run the following command using keytool:

keytool -selfcert -v -alias myserverkey -keypass mykeypass -validity 365 -storetype jceks -keystore mystore.jck -storepass mystorepass

The above operation generates a new self-signed certificate that has the same distinguished name, signature algorithm and key pair as the original certificate, but a new serial number and a new validity period.

Note: The generated new certificate will automatically replace the original one. So if you need the original one later for reference or for any reason, you must keep a copy of the original keystore before doing the certificate extension explained above.

Note that this works only for self-signed certificates. It actually generates a new self-signed certificate for the public key, so you need to export it and update the truststores of the SSL parties that you are going to communicate with.
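
The following Java program is an added example, not part of this page, that audits a keystore before and after such an extension: for every entry in mystore.jck it prints whether the entry has a private key, the certificate serial number, the expiry date and the days remaining, and whether the certificate is self-signed (the only case in which -selfcert applies). Running it after -selfcert shows the new serial number and validity. The keystore name and password are the ones used above; the 30-day warning threshold is an assumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;

/** Lists every certificate in the keystore with its serial number, expiry and self-signed status. */
public class CertAudit {

    // Values from the keytool commands above.
    static final String KEYSTORE = "mystore.jck";
    static final char[] STORE_PASS = "mystorepass".toCharArray();
    static final int WARN_DAYS = 30;   // assumption: flag certificates expiring within this many days

    /** Self-signed means issuer equals subject AND the signature verifies with the cert's own key. */
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
            return false;
        }
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, STORE_PASS);
        }
        Instant now = Instant.now();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);   // null for secret-key entries
            if (!(c instanceof X509Certificate)) {
                System.out.println(alias + ": no certificate (secret-key entry)");
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            long daysLeft = Duration.between(now, x.getNotAfter().toInstant()).toDays();
            String kind = ks.isKeyEntry(alias) ? "private key + certificate" : "trusted certificate";
            System.out.printf("%s [%s] serial=%s notAfter=%s daysLeft=%d selfSigned=%b%s%n",
                    alias, kind, x.getSerialNumber().toString(16), x.getNotAfter(), daysLeft,
                    isSelfSigned(x), daysLeft < WARN_DAYS ? "  <-- renew" : "");
        }
    }
}
```

An entry that shows a private key but selfSigned=false is a CA-issued certificate: -selfcert would replace it with a self-signed one that clients no longer trust, so renew it through a new Certificate Signing Request instead.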

Work with keys stored in PFX/PKCS#12 files
As far as Java™ is concerned PKCS#12 is just another type of keystore (like JCEKS and JKS). To work with PKCS#12 keystores just set the "-storetype" option of keytool to "pkcs12". For example the following command lists the content of a mystore.p12 PKCS#12 file with password "mystorepass":

keytool -list -storetype pkcs12 -keystore mystore.p12 -storepass mystorepass

Create a keystore file
You don’t need to create keystore files before you use them - keytool will automatically create a new keystore file, when it needs to write something to a file that does not exist. For example, if you generate a new key or import a certificate in a non-existing keystore, keytool will create the keystore file first.

Run keytool in FIPS mode
To run keytool in FIPS-compliant mode use the "-providerClass" option on each command like this:

keytool -list -storetype JCEKS -keystore mystore.jck -storepass mystorepass -providerClass com.ibm.crypto.fips.provider.IBMJCEFIPS