Java keytool and keystore tutorials

Summary: A collection of Java keytool and keystore tutorials, including genkey, export, list and import examples.

I've been working with the Java keytool command a lot lately, as I needed to learn all about it to license my "Hide your desktop icons" app with the TrueLicense software license manager. I think I've learned a lot about the Java keytool command, keystore files, and certificates, and I'm trying to simplify and share that information here.

Related Java keytool tutorials

To that end, here is a collection of "Java keytool, keystore, and certificate" tutorials I've created. The last link in this list is a very long Java keytool tutorial that was written specifically for TrueLicense users, but all the others should apply to any general keytool/keystore need you have:

  • Using the Java keytool genkey command

Java keytool genkey FAQ: Can you share some examples of the Java keytool genkey command, and genkey process?

In my previous article on the Java keytool command, keystore files, and certificates, I demonstrated how to generate a private key with the keytool genkey option, but to simplify things a little, I thought I'd demonstrate the keytool genkey command again here by itself.

The keytool genkey command - create a private key and keystore

You can easily create a key pair and put it in a keystore with the Java keytool command. What genkey actually produces is a private key plus a self-signed certificate that carries the matching public key; both are stored together under one alias. (genkey is the original name of this option; newer keytool documentation calls it genkeypair, and the old name still works.) For instance, to create a keystore named "privateKey.store" that contains a private key with the alias "foo", I can use this keytool genkey command:

keytool -genkey -alias foo -keystore privateKey.store

This keytool genkey command can be read as:

  • I want to generate a new key pair, a private key and a self-signed certificate (genkey)
  • I want to create an alias for this key named "foo"
  • I want to store this information in the file named privateKey.store

Of course a better name for a private key might be something like "AlsPrivateKey", but to show that you can name your alias anything, I'm using the string "foo".

Respond to the keytool genkey prompts

After issuing this keytool/genkey command, keytool prompts you with the following questions. I have provided my own example answers to these prompts so you can see exactly how this works (keytool does not echo the passwords you type; they are shown here only so you can follow along):

$ keytool -genkey -alias foo -keystore privateKey.store

Enter keystore password:  ABC123
What is your first and last name?
  [Unknown]:  Alvin Alexander
What is the name of your organizational unit?
  [Unknown]:  Application Development
What is the name of your organization?
  [Unknown]:  devdaily.com
What is the name of your City or Locality?
  [Unknown]:  Louisville
What is the name of your State or Province?
  [Unknown]:  KY
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US correct?
  [no]:  yes

Enter key password for <foo>
      (RETURN if same as keystore password):  123XYZ

There are at least a few important points to note here:

  • The password for accessing the keystore file is "ABC123".
  • The password for my alias is "123XYZ". A separate key password like this is a JKS feature; for PKCS12 keystores (the default type since JDK 9) keytool ignores a different key password and uses the keystore password for the key as well.
  • Because the command gave no -keyalg, -keysize or -validity options, keytool fell back to its defaults, and those depend on the JDK release: older JDKs like the one used here produced a 1024-bit DSA key valid for 90 days (the 90-day window is visible in the "Valid from ... until" line of the list output further down). For anything real, pass these options explicitly, for example an RSA key of at least 2048 bits or an EC key, and a validity period you actually intend.

Both of these passwords are very important, and you'll see how they are used in the next few steps.

  • Using the Java keytool export command

Java keytool export FAQ: Can you share some examples of the Java keytool export command and export process?

Once you've created a key pair in a Java keystore file, you can export its certificate (the public key plus the subject name, self-signed in our case) to a certificate file using the Java "keytool export" command. The private key itself is never written out by this command; it stays in the keystore. I'll demonstrate that command in this tutorial.

Using "keytool export" to create a certificate file

Assuming we have a Java keystore file that contains a key entry (as demonstrated in this "keytool genkey private key example") whose certificate we want to export to a file, and we know the keystore password, this process is simple.

To create a Java certificate file, we use this keytool export command:

keytool -export -alias foo -file certfile.cer -keystore privateKey.store

This keytool command can be read like this:

  • Read from the keystore file named privateKey.store.
  • Look in that file for the alias named "foo".
  • Export that entry's certificate (the public key, not the private key) to the new file named certfile.cer. The file is written in binary DER form; add the -rfc option if you want a Base64/PEM text file instead. (export is the old name of this option; newer keytool documentation calls it exportcert.)

Using keytool export

Here's how this keytool export command works when I run it from my command line:

$ keytool -export -alias foo -file certfile.cer -keystore privateKey.store

Enter keystore password:  ABC123
Certificate stored in file <certfile.cer>

In this example, the password for my private key keystore file (privateKey.store) is "ABC123".

At this point your certfile file should have been created, and you can now share it with other people, who will presumably want to import it into their public keystore. Because anyone could send them a certificate with your name in it, also give them the certificate's fingerprint over a separate channel (keytool -list -v prints it), so they can compare it before they trust the import. I demonstrate that process in my Java keytool import tutorial.

  • Using the Java keytool list command

Java keytool list FAQ: Can you share some examples of the Java keytool list command, and Java keytool list process?

In a long, earlier article on Java keytool, keystore, and certificates, I demonstrated how to list the contents of a Java keystore file, but to simplify things a little for this tutorial, I'm just going to show how to query a Java keystore file using the keytool list command.

View Java keystore information with "keytool list"

In short, to query the contents of a Java keystore file, you use the keytool list command, like this:

keytool -list -v -keystore privateKey.store

In this example, the name of my keystore file is "privateKey.store", and the -list option tells keytool that I want to list the contents of the keystore file. Without -v you get one line per alias (alias, creation date, entry type and a fingerprint); the -v (verbose) option adds the full detail shown below, including owner, issuer, validity period and certificate fingerprints.

Assuming you know the password for the Java keystore file named privateKey.store, the complete process, including your input and the "keytool list" output, looks like this:

$ keytool -list -v -keystore privateKey.store

Enter keystore password:  ABC123

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: foo
Creation date: Apr 25, 2010
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US
Issuer: CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US
Serial number: 4bd4e793
Valid from: Sun Apr 25 17:08:35 AKDT 2010 until: Sat Jul 24 17:08:35 AKDT 2010
Certificate fingerprints:
	 MD5:  55:20:B2:68:FD:0F:4E:BF:D5:E5:D5:04:47:6C:E3:10
	 SHA1: 25:17:A0:CA:86:CC:3E:6C:2D:C0:4E:8D:E8:33:05:F7:4B:50:FE:E5

*******************************************
*******************************************

Java keytool list output

As you can see, this "keytool list" command shows a lot of information about your keystore. I won't add much to it here, as you can read through those contents. But I will mention this: If your keystore contains more than one alias, the output for each alias would be shown by this "keytool list" command, and the output for each alias will look just like the output shown above (this keystore reports 2 entries, but only the first is reproduced here). Two other things to know: this output is from an older JDK, which labels the entry "keyEntry" and prints MD5 and SHA1 fingerprints; current releases print "PrivateKeyEntry" and SHA-1 and SHA-256 fingerprints. When you compare a certificate's fingerprint with someone, compare the SHA-256 value (MD5 is collision-broken and SHA-1 is deprecated for this purpose).

  • Using the Java keytool import command

The import step, in which a certificate file is added to a (public key) keystore with the "keytool import" command, is walked through in the TrueLicense tutorial below, in the section "Import this certificate into a new public keystore".

  • Java keytool command, keystore files, and certificates (TrueLicense, tutorial)

Java keytool and keystore FAQ: Can you share some Java keytool and keystore command examples?

In creating my "Hide Desktop Icons" software application, I decided to venture into the world of commercial software, selling this app for a whopping 99 cents. While that price is trivial, creating the "software licensing" code for this application was anything but trivial.

I finally decided to use a Java licensing tool named TrueLicense to assist with the licensing, and TrueLicense quickly led me down the Java keytool and keystore path, which is what this article is about: How to use the Java keytool command to work with private and public keys, and work with intermediate certificate files.

Java and TrueLicense public key, private key background

If you've never used a tool like TrueLicense before, it's important to understand how it works, so you can understand the need for the Java keytool commands below. I won't go into great detail on this, but these are the basic points behind TrueLicense:

  • You create a private key keystore, which you never (ever) give to anyone.
  • You work through a couple of steps to distribute a public key keystore with your application.
  • When a customer buys a software license for your application, you create that license however you want to, and sign the license with your private key. (I'm not showing that Java code here, but I will show it in a future article.)
  • You send the signed license file to your customer.
  • The application you've given your customer must be smart enough to import this signed license file into its environment. This again requires Java code, which I will share in the future.

How this normally works

During this process, I think it's also important to note how this process normally works, i.e., when you're not taking all these steps for a tool like TrueLicense.

In the "normal" process, two people are usually involved: 1) the person who wants to share their public key, and 2) the person who wants to use the first person's public key.

Usually the first person does these tasks:

  • Creates the private key keystore file.
  • Exports the certificate file from the private key keystore.
  • Sends the certificate to the second person, along with its fingerprint over some separate channel.

Then, the second person normally does this task:

  • Checks that the fingerprint keytool shows for the received certificate matches the one the first person gave them, and then imports the certificate into their public key keystore.

Because of the way the TrueLicense software licensing process works, I'm showing one person doing all these tasks here. But if you get confused in the process, just come back to this section, and remember that two people are normally involved in this process.

Java keytool and keystore tasks in this tutorial

In this Java keytool/keystore tutorial, I'll demonstrate the following keytool tasks:

  • How to create a keystore that contains a private key.
  • How to create a temporary certificate from that private keystore.
  • How to use that certificate to generate a public key keystore.
  • How to query and verify your keystores with the keytool command.

Create private key and keystore

To get started, the first thing we need to do is create a private key keystore. This is going to be a file on the filesystem, and I'm going to name mine privateKey.store. I start to create this private key keystore with this keytool command:

keytool -genkey -alias ftpKey -keystore privateKey.store

This keytool command can be read as:

  • I want to generate a new key pair, a private key plus a self-signed certificate holding the public key (genkey; newer keytool documentation calls this option genkeypair)
  • I want to create an alias for this key named "ftpKey"
  • I want to store this information in the file named privateKey.store

After issuing this command, keytool prompts you with the following questions. I have provided my own example answers to these prompts so you can see exactly how this works.

(Note: In all the transcripts that follow, the text after each prompt is what the user typed. keytool does not echo passwords; they are shown here only so you can follow along.)

$ keytool -genkey -alias ftpKey -keystore privateKey.store

Enter keystore password:  foobar
What is your first and last name?
  [Unknown]:  Alvin Alexander
What is the name of your organizational unit?
  [Unknown]:  Application Development
What is the name of your organization?
  [Unknown]:  devdaily.com
What is the name of your City or Locality?
  [Unknown]:  Louisville
What is the name of your State or Province?
  [Unknown]:  KY
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US correct?
  [no]:  yes

Enter key password for <ftpKey>
      (RETURN if same as keystore password):  123xyz

There are at least a few important points to note here:

  • The password for accessing the keystore file is "foobar".
  • The password for my alias is "123xyz".

Both of these passwords are very important, and you'll see how they are used in the next few steps.

Generate a temporary certificate file

Remember that our end game here is to generate a keystore that contains our public key. To do that, we have to take this one intermediate step of creating a "certificate file" from our private keystore.

To create this certificate file, we use this keytool command:

keytool -export -alias ftpKey -file certfile.cer -keystore privateKey.store

This command can be read like this: Export the certificate for the alias "ftpKey" (its public key and subject name; the private key stays in the keystore) to the file named "certfile.cer", getting the information you need from the file named privateKey.store.

Here's how this command works when I run it from my command line:

$ keytool -export -alias ftpKey -file certfile.cer -keystore privateKey.store

Enter keystore password:  foobar
Certificate stored in file <certfile.cer>

As you can see, you don't have to do too much there, but you must know the password for your private key keystore (privateKey.store).

Import this certificate into a new public keystore

Now that we have this intermediate certificate file, we can create our public key keystore file from it, using this command:

keytool -import -alias publicCertFromAl -file certfile.cer -keystore publicKey.store

This command can be read as: Import the certificate in the file certfile.cer under the alias publicCertFromAl, and store it in the file named publicKey.store. (import is the old name of this option; newer keytool documentation calls it importcert.)

When you run this keytool command from the command line, the process looks like this:

$ keytool -import -alias publicCertFromAl -file certfile.cer -keystore publicKey.store

Enter keystore password:  BARBAZ
Owner: CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US
Issuer: CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US
Serial number: 4bd4e793
Valid from: Sun Apr 25 17:08:35 AKDT 2010 until: Sat Jul 24 17:08:35 AKDT 2010
Certificate fingerprints:
       MD5:  55:20:B2:68:FD:0F:4E:BF:D5:E5:D5:04:47:6C:E3:10
       SHA1: 25:17:A0:CA:86:CC:3E:6C:2D:C0:4E:8D:E8:33:05:F7:4B:50:FE:E5
Trust this certificate? [no]:  yes
Certificate was added to keystore

A few important points here:

  • Before you answer "yes" to "Trust this certificate?", compare the fingerprints keytool prints with the ones you got from the certificate's owner by some other route. Here the SHA1 value is the same one "keytool list -v" showed for the private keystore, which is exactly the check you want; answering yes to an unverified certificate means your application will later accept whatever that key signs.
  • The alias used here (publicCertFromAl) does not have to correspond to the alias used when the private key keystore and certificate file were created.
  • This command either creates the file named publicKey.store if it doesn't exist, or adds the information for this alias to that file if it already exists. For my needs, I created a new file.
  • The password shown above is the password for the keystore named publicKey.store. It should be different than the password used for your private key keystore.
  • You might run this command in a number of different scenarios. For instance, if you maintained your own public key keystore, and you regularly receive certificates from people you know who want to sign their documents, you'll use this command to import their certificate into your keystore. In this scenario, your friends will run the "genkey" and "export" commands shown above, and you will run the "import" command shown here.

Also, at this point you no longer need the intermediate certificate file, so you can delete it (it holds only public information, so this is housekeeping rather than secrecy):

rm certfile.cer

How to view information about a keystore (keytool list)

Technically that's all you need to know to a) create a private keystore, b) export a certificate for an alias in your private keystore, and c) import that certificate into your keystore of known public certificates, but ... it's also very nice to be able to query a keystore to see what it contains. To do that, you use the "list" option of the keytool command, like this:

keytool -list -v -keystore privateKey.store

Assuming you know the password for the keystore named privateKey.store, the process looks like this:

$ keytool -list -v -keystore privateKey.store

Enter keystore password:  foobar

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: ftpkey
Creation date: Apr 25, 2010
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US
Issuer: CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US
Serial number: 4bd4e793
Valid from: Sun Apr 25 17:08:35 AKDT 2010 until: Sat Jul 24 17:08:35 AKDT 2010
Certificate fingerprints:
	 MD5:  55:20:B2:68:FD:0F:4E:BF:D5:E5:D5:04:47:6C:E3:10
	 SHA1: 25:17:A0:CA:86:CC:3E:6C:2D:C0:4E:8D:E8:33:05:F7:4B:50:FE:E5

*******************************************
*******************************************

As you can see, this "keytool list" command shows a lot of information about your keystore. I won't add much to it here, you can read through those contents. But I will add this: If your keystore contains more than one alias, the output for each alias would be shown by this "list" command, and the output for each alias will look just like the output shown above. Two details in this output are worth a note. The alias is listed as ftpkey even though it was created as ftpKey, because keytool treats aliases case-insensitively. And "Keystore type: jks" is Java's proprietary legacy format; from JDK 9 on keytool creates PKCS12 keystores by default and prints a warning when it opens a JKS file, so for new work create your keystores with -storetype PKCS12 (or convert existing ones with -importkeystore).
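The whole round trip described in the four short tutorials above and in this TrueLicense walkthrough (generate the key pair, export its certificate, verify the fingerprint, import it as a trusted certificate, list the result) as one script that needs no interactive answers. This is an added example, not code from the original article or from TrueLicense. It assumes a JDK keytool on the PATH, uses PKCS12 keystores and a 2048-bit RSA key instead of the tutorial's defaults, reads the passwords from environment variables (keytool's -storepass:env and -keypass:env) so they never appear on a command line, and the file names, aliases and the idea of handing the SHA-256 fingerprint over a separate channel are illustrative choices of mine.

```shell
#!/bin/sh
# Added example: the genkey -> export -> (verify) -> import -> list round trip
# from the tutorials above, run without interactive prompts.
# Assumptions (mine, not the article's): a JDK keytool on PATH, PKCS12 keystores,
# a 2048-bit RSA key, illustrative file and alias names, and passwords supplied
# through the environment rather than on the command line.
set -e

KEYSTORE_PASS="${KEYSTORE_PASS:-change-me-private}"    # private keystore (owner side)
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-change-me-public}" # public keystore (recipient side)
export KEYSTORE_PASS TRUSTSTORE_PASS                   # read by keytool via -storepass:env

# Step 1 (owner): generate the key pair. -genkeypair is the current name of -genkey.
# -dname replaces the interactive name prompts; algorithm, key size, signature
# algorithm and validity are explicit because keytool's defaults vary by JDK release.
# PKCS12 uses one password for the store and its keys, so both :env options name it.
gen_private_keystore() {   # $1 keystore file, $2 alias
  keytool -genkeypair -alias "$2" -keystore "$1" -storetype PKCS12 \
    -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -dname "CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US"
}

# Step 2 (owner): export the certificate (public key + subject, self-signed here)
# in binary DER form. Only the certificate leaves the keystore, never the private key.
export_cert() {            # $1 keystore, $2 alias, $3 output file, $4 env var holding the store password
  keytool -exportcert -alias "$2" -keystore "$1" -storepass:env "$4" -file "$3"
}

# The SHA-256 fingerprint of a certificate is the SHA-256 of its DER bytes, so any
# SHA-256 tool reproduces what keytool prints (here lowercase hex without colons).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# The same fingerprint as keytool -printcert shows it (SHA256: AB:CD:...), normalised.
# Prints nothing on JDKs whose -printcert output has no SHA256 line.
keytool_sha256() {
  keytool -printcert -file "$1" \
    | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# Step 3 (recipient): compare the received file against the fingerprint the owner
# passed along by a separate channel BEFORE trusting it. -noprompt switches off
# keytool's "Trust this certificate?" question, so this comparison is the only gate.
verify_and_import() {      # $1 cert file, $2 expected sha256 hex, $3 truststore, $4 alias
  actual_fp=$(sha256_hex "$1")
  if [ "$actual_fp" != "$2" ]; then
    echo "REFUSING to import $1: fingerprint $actual_fp does not match expected $2" >&2
    return 1
  fi
  keytool -importcert -noprompt -alias "$4" -keystore "$3" -storetype PKCS12 \
    -storepass:env TRUSTSTORE_PASS -file "$1"
}

# Step 4: confirm what is now in a keystore. Without -v keytool prints one line per
# alias with its entry type (PrivateKeyEntry or trustedCertEntry) and a fingerprint.
list_entry() {             # $1 keystore, $2 alias, $3 env var holding the store password
  keytool -list -keystore "$1" -storepass:env "$3" -alias "$2"
}

main() {
  work=$(mktemp -d)
  gen_private_keystore "$work/privateKey.p12" ftpKey
  export_cert "$work/privateKey.p12" ftpKey "$work/certfile.cer" KEYSTORE_PASS
  fp=$(sha256_hex "$work/certfile.cer")
  echo "Give the recipient this SHA-256 fingerprint by a separate channel: $fp"
  kt=$(keytool_sha256 "$work/certfile.cer")
  [ -z "$kt" ] || [ "$kt" = "$fp" ] || { echo "keytool and sha256 disagree" >&2; return 1; }
  # A substituted or tampered certificate (wrong fingerprint) must be refused ...
  if verify_and_import "$work/certfile.cer" "0000000000000000" "$work/publicKey.p12" bogus 2>/dev/null; then
    echo "BUG: a wrong fingerprint was accepted" >&2; return 1
  fi
  # ... while the genuine one is imported and listed as a trusted certificate.
  verify_and_import "$work/certfile.cer" "$fp" "$work/publicKey.p12" publicCertFromAl
  list_entry "$work/publicKey.p12" publicCertFromAl TRUSTSTORE_PASS
  rm -rf "$work"
}

if command -v keytool >/dev/null 2>&1; then main; else echo "keytool (from a JDK) is not on PATH" >&2; fi
```

Run it with KEYSTORE_PASS and TRUSTSTORE_PASS set in the environment. The reason verify_and_import exists at all is that -noprompt removes the "Trust this certificate?" question, so the fingerprint comparison has to be done explicitly; because the SHA-256 fingerprint of a DER certificate is simply the SHA-256 hash of the file, sha256sum on the exported file agrees with what keytool -printcert reports, and a recipient can check it without trusting anything first.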

Java keytool and keystore commands - summary

There is much more to be written about the Java keytool command, and about Java keystore files, but I'll leave this tutorial at this point until anyone has a question.

I hope all these Java keytool and keystore tutorials are helpful. This whole process has been a learning experience, that's for sure. At the very least I now know what keytool, keystore, genkey, export, import, private key, public key, and certificate mean.

Ref: http://alvinalexander.com/java/java-keytool-keystore-certificate-tutorials
