Java Keytool有如下命令:
certreq
changealias
delete
exportcert
genkeypair
genseckey
help
importcert
importkeystore
keypasswd
list
printcert
storepasswd
下面是一些常用命令和示例(示例中的 -genkey、-import、-export 是旧命令名,分别对应上面列表中的 -genkeypair、-importcert、-exportcert)
用于创建或导入命令:
生成 Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
生成一个自签名证书(示例把 -storepass 直接写在命令行上,口令会留在 shell 历史和进程列表中;实际使用时省略该参数,由 keytool 交互提示输入)
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
为已有的keystore生成 certificate signing request (CSR)
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
为已有的 Java keystore 导入一个根 CA 或中间 CA 证书(导入前先用 keytool -printcert 查看证书指纹,并与 CA 通过可信渠道公布的指纹核对)
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
为已有的java keystore导入一个signed primary certificate
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
用于验证核实的命令
核实一个stand-alone certificate
keytool -printcert -v -file mydomain.crt
核实 keystore中的证书列表
keytool -list -v -keystore keystore.jks
根据别名来核实 keystore 中的一个证书项
keytool -list -v -keystore keystore.jks -alias mydomain
其他命令
从一个 Java Keytool keystore删除一个证书
keytool -delete -alias mydomain -keystore keystore.jks
更改 Java keystore 密码(省略 -new 时 keytool 会交互提示输入新密码,可避免新密码出现在命令行和 shell 历史中)
keytool -storepasswd -new new_storepass -keystore keystore.jks
从keystore导出证书
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
列出 Trusted CA Certs(下面的路径适用于 JDK 8 及更早版本;JDK 9 及以后 cacerts 位于 $JAVA_HOME/lib/security/cacerts)
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
导入一个新的 CA 到 Trusted Certs(使用该 JRE 默认信任库的所有应用都会信任此 CA 签发的证书,导入前务必核对证书指纹)
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
keytool 的参数说明(JRE 1.6;各选项后的尖括号参数占位符在转载时丢失,例如 [-alias ] 原为 [-alias <alias>]):
-certreq [-v] [-protected]
[-alias ] [-sigalg ]
[-file ] [-keypass ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-changealias [-v] [-protected] -alias -destalias
[-keypass ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-delete [-v] [-protected] -alias
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-exportcert [-v] [-rfc] [-protected]
[-alias ] [-file ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-genkeypair [-v] [-protected]
[-alias ]
[-keyalg ] [-keysize ]
[-sigalg ] [-dname ]
[-validity ] [-keypass ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-genseckey [-v] [-protected]
[-alias ] [-keypass ]
[-keyalg ] [-keysize ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-help
-importcert [-v] [-noprompt] [-trustcacerts] [-protected]
[-alias ]
[-file ] [-keypass ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-importkeystore [-v]
[-srckeystore ] [-destkeystore ]
[-srcstoretype ] [-deststoretype ]
[-srcstorepass ] [-deststorepass ]
[-srcprotected] [-destprotected]
[-srcprovidername ]
[-destprovidername ]
[-srcalias [-destalias ]
[-srckeypass ] [-destkeypass ]]
[-noprompt]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-keypasswd [-v] [-alias ]
[-keypass ] [-new ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-list [-v | -rfc] [-protected]
[-alias ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
-printcert [-v] [-file ]
-storepasswd [-v] [-new ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]