Common Options

The -v option can appear for all commands except -help. If it appears, it signifies "verbose" mode and more information is provided in the output.

The -Jjavaoption option might appear for any command. If it appears, the specified javaoption string is passed through directly to the Java™ interpreter. This option must not contain any spaces. It is useful for adjusting the execution environment or memory usage. For a list of possible interpreter options, type java -h or java -X on the command line.

These options may appear for all commands operating on a keystore:
-storetype storetype
This qualifier specifies the type of keystore to be instantiated.
-keystore keystore
The keystore location.

If the JKS storetype is used and a keystore file does not yet exist, then certain keytool commands may result in a new keystore file being created. For example, if keytool -genkeypair is invoked and the -keystore option is not specified, the default keystore file named .keystore in the user's home directory will be created if it does not already exist. Similarly, if the -keystore ks_file option is specified but ks_file does not exist, then it will be created.

Note that the input stream from the -keystore option is passed to the KeyStore.load method. If NONE is specified as the URL, then a null stream is passed to the KeyStore.load method. NONE should be specified if the KeyStore is not file-based (for example, if it resides on a hardware token device).

-storepass[:env|:file] argument
The password which is used to protect the integrity of the keystore.

If the modifier env or file is not specified, then the password has the value argument, which must be at least 6 characters long. Otherwise, the password is retrieved as follows:

  • env: Retrieve the password from the environment variable named argument.
  • file: Retrieve the password from the file named argument.
    Note: All other options that require passwords, such as -keypass, -srckeypass, -destkeypass, -srcstorepass, and -deststorepass, accept the env and file modifiers. Remember to separate the password option and the modifier with a colon (:).

The password must be provided to all commands that access the keystore contents. For such commands, when the -storepass option is not provided at the command line, the user is prompted for it.

When retrieving information from the keystore, the password is optional; if no password is given, the integrity of the retrieved information cannot be checked and a warning is displayed.

RACF® keystores do not store a password in the keyring, so no password is used for a RACF keystore. Therefore, the -storepass option is not supported for RACF keystores.
-providerName provider_name
Used to identify a cryptographic service provider's name when listed in the security properties file.
-providerClass provider_class_name
Used to specify the name of the cryptographic service provider's class file when the service provider is not listed in the security properties file.
-providerArg provider_arg
Used in conjunction with -providerClass. Represents an optional string input argument for the constructor of provider_class_name.
-protected
Either true or false. This value should be specified as true if a password must be given via a protected authentication path such as a dedicated PIN reader.
-ext {name{:critical} {=value}}
Denotes an X.509 certificate extension. The option can be used in -genkeypair and -gencert operations to embed extensions into the generated certificate, and in -certreq operations to show which extensions are requested in the certificate request. The option can appear multiple times. The name argument can be a supported extension name (see Named Extensions) or an arbitrary OID number. The value argument, when provided, is the argument for the extension. When value is omitted, the extension takes its default value, or it is an extension that requires no argument. The :critical modifier, when provided, sets the isCritical attribute of the extension to true; otherwise, it is false. You can use :c in place of :critical.

Named extensions

The keytool command supports these named extensions, which are not case-sensitive:
BC or BasicConstraints
ca:{true|false}[,pathlen:<len>] (full form)
You can also specify <len>, which is short for ca:true,pathlen:<len>. When <len> is omitted, ca:true applies.
KU or KeyUsage
usage(,usage)*
Where usage can be one of the following values:
  • digitalSignature
  • nonRepudiation (contentCommitment)
  • keyEncipherment
  • dataEncipherment
  • keyAgreement
  • keyCertSign
  • cRLSign
  • encipherOnly
  • decipherOnly
The usage argument can be abbreviated with the first few letters (dig for digitalSignature) or in camel-case style (dS for digitalSignature or cRLS for cRLSign), as long as no ambiguity is found. The usage values are case-sensitive.
EKU or ExtendedKeyUsage
usage(,usage)*
Where usage can be one of the following values:
  • anyExtendedKeyUsage
  • serverAuth
  • clientAuth
  • codeSigning
  • emailProtection
  • timeStamping
  • OCSPSigning
  • or any OID string.
The usage argument can be abbreviated with the first few letters or in camel-case style, as long as no ambiguity is found. The usage values are case-sensitive.
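The abbreviation rule stated for KeyUsage and ExtendedKeyUsage above (a unique leading prefix, or a camel-case form such as dS or cRLS, with case-sensitive matching) is easy to get wrong when scripting keytool. The following Python is an added illustration, not keytool's own code: it resolves abbreviations against the two usage lists on this page and rejects ambiguous ones before they reach keytool. The camel-case form is modelled, as an assumption, as the first character plus every later non-lowercase character of the full name; the dotted-decimal OID pattern for the EKU "any OID string" case is also an assumption.

```python
"""Resolve abbreviated KeyUsage / ExtendedKeyUsage names (added example)."""
import re

KEY_USAGE = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
EXTENDED_KEY_USAGE = [
    "anyExtendedKeyUsage", "serverAuth", "clientAuth", "codeSigning",
    "emailProtection", "timeStamping", "OCSPSigning",
]
# EKU also accepts "any OID string"; this dotted-decimal pattern is an assumption.
OID_RE = re.compile(r"^\d+(\.\d+)+$")


class AmbiguousUsage(ValueError):
    """The abbreviation matches more than one full name."""


class UnknownUsage(ValueError):
    """The abbreviation matches no full name."""


def camel_abbrev(name):
    """'cRLSign' -> 'cRLS', 'digitalSignature' -> 'dS' (modelled camel-case form)."""
    return name[0] + "".join(c for c in name[1:] if not c.islower())


def resolve_usage(abbrev, names):
    """Expand one abbreviation against a list of full names; matching is case-sensitive."""
    if not abbrev:
        raise UnknownUsage("empty usage")
    matches = [n for n in names if n.startswith(abbrev) or camel_abbrev(n) == abbrev]
    if len(matches) > 1:
        raise AmbiguousUsage(f"{abbrev!r} matches {matches}")
    if not matches:
        raise UnknownUsage(abbrev)
    return matches[0]


def resolve_key_usage(spec):
    """'dig,keyE,cRLS' -> ['digitalSignature', 'keyEncipherment', 'cRLSign']."""
    return [resolve_usage(u.strip(), KEY_USAGE) for u in spec.split(",")]


def resolve_extended_key_usage(spec):
    """Like resolve_key_usage, but a dotted OID is passed through unchanged."""
    out = []
    for u in spec.split(","):
        u = u.strip()
        out.append(u if OID_RE.match(u) else resolve_usage(u, EXTENDED_KEY_USAGE))
    return out


def ext_arg(name, spec, critical=False):
    """Build the -ext argument (name{:critical}{=value}) with every usage spelled out,
    so an ambiguous abbreviation is rejected here rather than by keytool."""
    resolver = {"KU": resolve_key_usage, "EKU": resolve_extended_key_usage}[name]
    return f"{name}{':critical' if critical else ''}={','.join(resolver(spec))}"


if __name__ == "__main__":
    print(ext_arg("KU", "dig,keyE", critical=True))   # KU:critical=digitalSignature,keyEncipherment
    print(ext_arg("EKU", "sA,cA"))                    # EKU=serverAuth,clientAuth
    try:
        resolve_key_usage("key")                      # keyEncipherment, keyAgreement, keyCertSign
    except AmbiguousUsage as e:
        print("rejected:", e)
```

Passing the expanded string to keytool instead of the abbreviation keeps the invocation unambiguous even if a later release adds usage names that share a prefix with the ones you rely on.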
SAN or SubjectAlternativeName
type:value(,type:value)*
Where type can be one of the following values:
  • EMAIL
  • URI
  • DNS
  • IP
  • OID
The value argument is the string format value for the type.
IAN or IssuerAlternativeName
The same options as SubjectAlternativeName apply.
SIA or SubjectInfoAccess
method:location-type:location-value (,method:location-type:location-value)*
Where method can be one of the following values:
  • timeStamping
  • caRepository
  • any OID.
The location-type and location-value arguments can be any type:value supported by the SubjectAlternativeName extension.
AIA or AuthorityInfoAccess
The same options apply as SubjectInfoAccess. The method argument can be ocsp, caIssuers, or any OID.
When name is an OID, the value is the hexadecimal dump of the DER encoding of the extension's extnValue, excluding the OCTET STRING type and length bytes. Any characters other than standard hexadecimal digits (0-9, a-f, A-F) are ignored in the HEX string. Therefore, both 01:02:03:04 and 01020304 are accepted as identical values. When there is no value, the extension has an empty value field.
A special name honored, which is used only in -gencert, denotes how the extensions that are included in the certificate request should be honored. The value for this name is a comma-separated list of all (all requested extensions are honored), name{:[critical|non-critical]} (the named extension is honored, but using a different isCritical attribute) and -name (used with all, denotes an exception). Requested extensions are not honored by default.
If, besides the -ext honored option, another named or OID -ext option is provided, this extension is added to those already honored. However, if this name (or OID) also appears in the honored value, its value and criticality overrides the one in the request.
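The interaction between the honored name, its all / -name / name:critical entries, and any further -ext options is easier to verify in code than in prose. The following Python is an added illustration, not keytool's own code: it models the rules stated in the two paragraphs above and the OID value rule (non-hex characters ignored) from the paragraph before them. Extension names are compared as plain strings (assumption: no normalisation between KU and KeyUsage), an odd number of hex digits is rejected (assumption), and the always-present subjectKeyIdentifier and authorityKeyIdentifier extensions are left out of the model.

```python
"""Model of how -gencert combines requested extensions with -ext options (added example)."""
import re

HEX_DIGIT = re.compile(r"[0-9a-fA-F]")


def oid_value_bytes(text):
    """'01:02:03:04' and '01020304' denote the same extnValue bytes."""
    digits = "".join(HEX_DIGIT.findall(text))
    if len(digits) % 2:  # assumption: an odd digit count is rejected
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits)


def parse_honored(spec):
    """Split 'all,-EKU,SAN:critical' into (honor_all, forced, excluded).
    forced maps name -> True / False / None (None: keep the requested criticality)."""
    honor_all, forced, excluded = False, {}, set()
    for item in spec.split(","):
        item = item.strip()
        if item == "all":
            honor_all = True
        elif item.startswith("-"):
            excluded.add(item[1:])
        elif item:
            name, _, crit = item.partition(":")
            try:
                forced[name] = {"": None, "critical": True, "non-critical": False}[crit]
            except KeyError:
                raise ValueError(f"bad criticality in {item!r}") from None
    return honor_all, forced, excluded


def issued_extensions(requested, honored_spec, extra_exts):
    """requested: {name: (value, critical)} taken from the certificate request.
    honored_spec: the value given to '-ext honored=...', or None if not given.
    extra_exts: [(name, value, critical)] from the other -ext options.
    Returns {name: (value, critical)} for the certificate that would be issued."""
    issued = {}
    if honored_spec is not None:
        honor_all, forced, excluded = parse_honored(honored_spec)
        for name, (value, critical) in requested.items():
            if name in excluded:          # -name: exception to all
                continue
            if name in forced:            # named explicitly, possibly with forced criticality
                issued[name] = (value, critical if forced[name] is None else forced[name])
            elif honor_all:
                issued[name] = (value, critical)
    # Requested extensions are not honored by default, so without honored_spec
    # nothing from the request survives. Extra -ext options are added last, and a
    # same-named entry overrides the value and criticality taken from the request.
    for name, value, critical in extra_exts:
        issued[name] = (value, critical)
    return issued


if __name__ == "__main__":
    # Constructed sample request; example.test is a reserved test name.
    csr_exts = {
        "KU": ("digitalSignature", True),
        "EKU": ("serverAuth", False),
        "SAN": ("DNS:example.test", False),
    }
    print(issued_extensions(csr_exts, None, []))   # {} : nothing honored by default
    print(issued_extensions(csr_exts, "all,-EKU,SAN:critical", [("BC", "ca:false", True)]))
    print(oid_value_bytes("01:02:03:04") == oid_value_bytes("01020304"))   # True
```

Running the model against the extensions in a real request before signing makes it clear which requested extensions an issuer is about to accept, which is the check a CA operator wants before honoring anything from an untrusted request.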
The subjectKeyIdentifier extension is always created. For non-self-signed certificates, the authorityKeyIdentifier is created.
Note: Users should be aware that some combinations of extensions (and other certificate fields) might not conform to the Internet standard. For more information, see Certificate Conformance Warning.