% java keytool, certificate, encryption ## Creating # Generate a Java keystore and key pair keytool -genkey -alias -keyalg RSA -keystore -keysize # Generate a certificate signing request (CSR) for an existing Java keystore keytool -certreq -alias -keystore -file # Import a root or intermediate CA certificate to an existing Java keystore keytool -import -trustcacerts -alias root -file -keystore # Import a signed primary certificate to an existing Java keystore keytool -import -trustcacerts -alias -file -keystore # Generate a keystore and self-signed certificate keytool -genkey -keyalg RSA -alias -keystore -storepass -validity -keysize ## Verifying # Check a stand-alone certificate keytool -printcert -v -file # Check which certificates are in a Java keystore keytool -list -v -keystore # Check a particular keystore entry using an alias keytool -list -v -keystore -alias ## Other # Remove a certificate from a keystore keytool -delete -alias -keystore # Change the password of a keystore keytool -storepasswd -keystore -new # Export a certificate from a keystore keytool -export -alias -file -keystore # List the trusted CA Certs from the default Java Trusted Certs Keystore keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts # Import New Certificate Authority into the default Java Trusted Certs Keystore keytool -import -trustcacerts -file -alias -keystore $JAVA_HOME/jre/lib/security/cacerts # Sensible/common default alternatives $ VALIDITY: printf "DAYS\tCOMMENT\n1\ta day\n30\ta month\n365\ta year\n730\ttwo years" --- --column 1 --headers 1 $ RSA_LENGTH: printf "KEY LENGTH\tCOMMENT\n2048\t\tDefault\n4096\t\tBetter\n8192\t\tSlow?" --- --column 1 --headers 1 # Attempt to find files with the appropriate endings, default to everything. $ INPUT_CRT: ls -a | grep -e "$.crt\|.cer\|.der$" || ls -a $ INPUT_PEM: ls -a | grep -e "$.pem$" || ls -a $ INPUT_JKS: ls -a | grep -e "$.jks$" || ls -a