Common Options
The -v option can appear for all commands except -help. If it appears, it signifies "verbose" mode and more information is provided in the output.
The -Jjavaoption option might appear for any command. If it appears, the specified javaoption string is passed through directly to the Java™ interpreter. This option must not contain any spaces. It is useful for adjusting the execution environment or memory usage. For a list of possible interpreter options, type java -h or java -X on the command line.
-storetype storetype
- This qualifier specifies the type of keystore to be instantiated.
-keystore keystore
- The keystore location.
If the JKS storetype is used and a keystore file does not yet exist, then certain keytool commands may result in a new keystore file being created. For example, if keytool -genkeypair is invoked and the -keystore option is not specified, the default keystore file named .keystore in the user's home directory will be created if it does not already exist. Similarly, if the -keystore ks_file option is specified but ks_file does not exist, then it will be created.
Note that the input stream from the -keystore option is passed to the KeyStore.load method. If NONE is specified as the URL, then a null stream is passed to the KeyStore.load method. NONE should be specified if the KeyStore is not file-based (for example, if it resides on a hardware token device).
-storepass[:env|:file] argument
- The password which is used to protect the integrity of the keystore.
If the modifier env or file is not specified, then the password has the value argument, which must be at least 6 characters long. Otherwise, the password is retrieved as follows:
- env: Retrieve the password from the environment variable named argument.
- file: Retrieve the password from the file named argument.
Note: All other options that require passwords, such as -keypass, -srckeypass, -destkeypass, -srcstorepass, and -deststorepass, accept the env and file modifiers. Remember to separate the password option and the modifier with a colon (:).
The password must be provided to all commands that access the keystore contents. For such commands, when the -storepass option is not provided at the command line, the user is prompted for it.
When retrieving information from the keystore, the password is optional; if no password is given, the integrity of the retrieved information cannot be checked and a warning is displayed.
RACF® keystores do not store a password in the keyring, so no password is used for a RACF keystore. Therefore, the -storepass option is not supported for RACF keystores.
-providerName provider_name
- Used to identify a cryptographic service provider's name when listed in the security properties file.
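The following POSIX shell script is an added example, not part of this documentation, illustrating the -storepass modifiers described above. A literal -storepass argument is visible to any local user who can read the process list and is kept in shell history; the :file and :env modifiers keep the password off the command line. The script creates the password file with mode 0600 and refuses to use it if the mode is wider. The temporary directory, the alias demo and the password changeit-demo are constructed for the demonstration, and the keytool invocations are skipped when keytool is not installed.

```shell
#!/bin/sh
# Added example: keeping the keystore password off the keytool command line.
# Constructed values: the temporary directory, the alias "demo" and the
# password "changeit-demo" exist only for this demonstration.
set -eu

# Write a password to a file that only the current user can read and print
# the file's path. umask 077 makes the file mode 0600 at creation time, so
# there is no window in which the file is readable by others.
write_password_file() {
    _pw="$1"; _path="$2"
    _saved_umask=$(umask)
    umask 077
    printf '%s' "$_pw" > "$_path"   # no trailing newline: the whole file is the password
    umask "$_saved_umask"
    printf '%s\n' "$_path"
}

# Succeed only if the password file is mode 0600 (GNU stat first, BSD stat as fallback).
check_password_file_mode() {
    _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$_mode" = "600" ]
}

# Create a JKS keystore and list it, passing the store password through the
# :file modifier and the key password through the :env modifier. Neither the
# password value nor the file content appears in `ps` output or shell history.
demo() {
    _dir=$(mktemp -d)
    _pwfile=$(write_password_file 'changeit-demo' "$_dir/storepass")
    check_password_file_mode "$_pwfile" || {
        echo "refusing to use a password file readable by other users" >&2
        rm -rf "$_dir"; return 1
    }
    KEYSTORE_PASS='changeit-demo'; export KEYSTORE_PASS   # only the variable NAME goes on the command line
    if command -v keytool >/dev/null 2>&1; then
        keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -dname 'CN=demo' \
            -keystore "$_dir/demo.jks" -storetype JKS \
            -storepass:file "$_pwfile" -keypass:env KEYSTORE_PASS
        keytool -list -keystore "$_dir/demo.jks" -storetype JKS -storepass:env KEYSTORE_PASS
    else
        echo "keytool not found; password file prepared at $_pwfile, no keystore created" >&2
    fi
    rm -rf "$_dir"
}

demo
```

The password file is written without a trailing newline so that the file content is exactly the password regardless of how the tool reads it; the mode check is a cheap guard against a file that was copied or edited after creation with a permissive umask.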
-providerClass provider_class_name
- Used to specify the name of the cryptographic service provider's class file when the service provider is not listed in the security properties file.
-providerArg provider_arg
- Used in conjunction with -providerClass. Represents an optional string input argument for the constructor of provider_class_name.
-protected
- Either true or false. This value should be specified as true if a password must be given via a protected authentication path such as a dedicated PIN reader.
-ext {name{:critical} {=value}}
- Denotes an X.509 certificate extension. The option can be used in -genkeypair and -gencert operations to embed extensions into the certificate generated. The option can also be used in -certreq operations to show which extensions are requested in the certificate request. The option can appear multiple times. The name argument can be a supported extension name (see Named Extensions) or an arbitrary OID number. The value variable, when provided, denotes the argument for the extension. When value is omitted, the extension takes its default value or requires no argument. The :critical argument, when provided, means that the isCritical attribute of the extension is true; otherwise, it is false. You can use :c in place of :critical.
Named extensions
- BC or BasicConstraints
ca:{true|false}[,pathlen:<len>] (full form)
- KU or KeyUsage
usage(,usage)*
- EKU or ExtendedKeyUsage
usage(,usage)*
- SAN or SubjectAlternativeName
type:value(,type:value)*
- IAN or IssuerAlternativeName
The same options as SubjectAlternativeName apply.
- SIA or SubjectInfoAccess
method:location-type:location-value(,method:location-type:location-value)*
- AIA or AuthorityInfoAccess
The same options apply as SubjectInfoAccess. The method argument can be ocsp, caIssuers, or any OID.
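An added example, not from this page, that exercises the -ext option and the named extensions above end to end in POSIX shell: a self-signed CA constrained with BasicConstraints pathlen:0, a CSR that requests a SubjectAlternativeName and the serverAuth ExtendedKeyUsage, and a -gencert step in which the CA states the extensions it is willing to certify instead of copying them from the request. The host name demo.example.test, the address 192.0.2.10, the aliases and the password are constructed; the dns: and ip: SAN type prefixes are the keytool ones; the keytool steps are skipped if the tool is not installed.

```shell
#!/bin/sh
# Added example: embedding X.509 extensions with -ext in -genkeypair, -certreq
# and -gencert. The host name demo.example.test, the address 192.0.2.10, the
# aliases and the password are constructed for this demonstration.
set -eu

# Build the SubjectAlternativeName value for -ext from host names and IPv4
# addresses: entries made only of digits and dots get the ip: type, all
# others the dns: type. Output has the form "dns:a,ip:b".
san_value() {
    _out=""
    for _entry in "$@"; do
        case "$_entry" in
            *[!0-9.]*) _type=dns ;;
            *)         _type=ip ;;
        esac
        _out="${_out}${_out:+,}${_type}:${_entry}"
    done
    printf '%s\n' "$_out"
}

demo_ca_and_server() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping" >&2; return 0; }
    _dir=$(mktemp -d); _ks="$_dir/demo.jks"
    KS_PASS='changeit-demo'; export KS_PASS   # constructed; passed via :env, not on the command line
    _san=$(san_value demo.example.test 192.0.2.10)

    # 1. Self-signed CA. ca:true with pathlen:0 lets this CA sign end-entity
    #    certificates but no subordinate CAs; KeyUsage is limited to certificate
    #    and CRL signing. Both extensions are marked critical with :c.
    keytool -genkeypair -alias ca -keyalg RSA -keysize 3072 -dname 'CN=Demo CA' \
        -ext BC:c=ca:true,pathlen:0 -ext KU:c=keyCertSign,cRLSign \
        -keystore "$_ks" -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS

    # 2. Server key pair, then a CSR that requests a SAN and the serverAuth EKU.
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -dname 'CN=demo.example.test' \
        -keystore "$_ks" -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS
    keytool -certreq -alias server -ext "SAN=$_san" -ext EKU=serverAuth \
        -file "$_dir/server.csr" \
        -keystore "$_ks" -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS

    # 3. The CA issues the certificate. -gencert does not take extensions from
    #    the request unless told to, so the CA names the ones it certifies; a
    #    request asking for ca:true would simply be ignored here.
    keytool -gencert -alias ca -infile "$_dir/server.csr" -outfile "$_dir/server.crt" \
        -ext BC:c=ca:false -ext KU:c=digitalSignature,keyEncipherment \
        -ext EKU=serverAuth -ext "SAN=$_san" -validity 397 \
        -keystore "$_ks" -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS

    # 4. Inspect the extensions that were actually embedded.
    keytool -printcert -file "$_dir/server.crt"
    rm -rf "$_dir"
}

demo_ca_and_server
```

Marking BasicConstraints and KeyUsage critical means a relying party that does not understand them must reject the certificate rather than silently treat a leaf as a CA; the SAN is stated on both the request and the issuing side so the -printcert output can be compared against what was asked for.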