Java in a Nutshell, 5th Edition [Electronic resources] (text version)


Synopsis


keytool command options

Description



keytool manages and manipulates a keystore, a repository for public and
private keys and public key certificates. keytool defines various
commands for generating keys, importing data into the keystore, and
exporting and displaying keystore data. Keys and certificates are stored
in a keystore using a case-insensitive name or alias. keytool uses this
alias to refer to a key or certificate.

The first option to keytool always specifies the basic command to be
performed. Subsequent options provide details about how the command is
to be performed. Only the command must be specified. If a command
requires an option that does not have a default value, keytool prompts
you interactively for the value.

Commands


-certreq


Generates
a certificate signing request in PKCS#10 format for the specified
alias. The request is written to the specified file or to the
standard output stream. The request should be sent to a certificate
authority (CA), which authenticates the requestor and sends back a
signed certificate authenticating the requestor's
public key. This signed certificate can then be imported into the
keystore with the -import command. This command
uses the following options: -alias,
-file, -keypass,
-keystore, -sigalg,
-storepass, -storetype, and
-v.


-delete


Deletes a specified alias from a specified keystore. This command
uses the following options: -alias,
-keystore, -storepass,
-storetype, and -v.


-export


Writes the certificate associated with the specified alias to the
specified file or to standard output. This command uses the following
options: -alias, -file,
-keystore, -rfc,
-storepass, -storetype, and
-v.


-genkey


Generates a public/private key pair and a self-signed X.509
certificate for the public key. Self-signed certificates are not
often useful by themselves, so this command is often followed by
-certreq. This command uses the following options:
-alias, -dname,
-keyalg, -keypass,
-keysize, -keystore,
-sigalg, -storepass,
-storetype, -v, and
-validity.


-help


Lists all available keytool commands and their options. This command is
not used with any other options.


-identitydb


Reads keys and certificates from a legacy identity database managed
with the deprecated javakey program and stores them into a keystore so
that they can be manipulated by keytool. The identity database is read
from the specified file or from standard input if no file is specified.
The keys and certificates are written into the specified keystore file,
which is automatically created if it does not exist yet. This command
uses the following options: -file, -keystore, -storepass,
-storetype, and -v.


-import


Reads a certificate or PKCS#7-formatted certificate chain from a
specified file or from standard input and stores it as a trusted
certificate in the keystore with the specified alias. This command
uses the following options: -alias,
-file, -keypass,
-keystore, -noprompt,
-storepass, -storetype,
-trustcacerts, and -v.


-keyclone


Duplicates the keystore entry of a specified alias and stores it in
the keystore under a new alias. This command uses the following
options: -alias, -dest,
-keypass, -keystore,
-new, -storepass,
-storetype, and -v.


-keypasswd


Changes the password that encrypts the private key associated with a
specified alias. This command uses the following options:
-alias, -keypass,
-new, -storetype, and
-v.


-list


Displays (on standard
output) the fingerprint of the certificate associated with the
specified alias. With the -v option, prints
certificate details in human-readable format. With
-rfc, prints certificate contents in a
machine-readable, printable-encoding format. This command uses the
following options: -alias,
-keystore, -rfc,
-storepass, -storetype, and
-v.


-printcert


Displays the contents of a certificate read from the specified file
or from standard input. Unlike most keytool commands, this one does not
use a keystore. This command uses the following options: -file and -v.


-selfcert


Creates a self-signed certificate for
the public key associated with the specified alias and uses it to
replace any certificate or certificate chain already associated with
that alias. This command uses the following options:
-alias, -dname,
-keypass, -keystore,
-sigalg, -storepass,
-storetype, -v, and
-validity.


-storepasswd


Changes the password that protects
the integrity of the keystore as a whole. The new password must be at
least six characters long. This command uses the following options:
-keystore, -new,
-storepass, -storetype, and
-v.



Options


The various keytool commands can be passed various options from the
following list. Many of these options have reasonable default values.
keytool interactively prompts for any unspecified options that do not
have defaults:

-alias name


Specifies the alias to be manipulated in the keystore. The default is
"mykey".


-dest newalias


Specifies the new alias name (the destination alias) for the
-keyclone command. If not specified, keytool prompts for a value.


-dname X.500-distinguished-name


Specifies the X.500
distinguished name to appear on the certificate generated by
-selfcert or -genkey. A
distinguished name is a highly qualified name intended to be globally
unique. For example:

CN=David Flanagan, OU=Editorial, O=OReilly, L=Cambridge, S=Massachusetts, C=US

The -genkey command of keytool prompts for a distinguished name if none
is specified. The -selfcert command uses the distinguished name of the
current certificate if no replacement name is specified.


-file file


Specifies the input or output file for many of the keytool commands. If
left unspecified, keytool reads from the standard input or writes to the
standard output.


-keyalg algorithm-name


Used with -genkey
to specify what type of cryptographic keys to generate. In the
default Java implementation shipped from Sun, the only supported
algorithm is "DSA"; this is the
default if this option is omitted.


-keypass password


Specifies the password that encrypts a private key in the keystore.
If this option is unspecified, keytool first tries the -storepass
password. If that does not work, it prompts for the appropriate password.


-keysize size


Used with the -genkey command to specify the
length in bits of the generated keys. If unspecified, the default is
1024.


-keystore filename


Specifies the location of the keystore file. If unspecified, a file
named .keystore in the user's home directory is used.


-new new-password-or-alias


Used with the -keyclone command to specify the new alias name and with
-keypasswd and -storepasswd to specify the new password. If
unspecified, keytool prompts for the value of this option.


-noprompt


Used with the -import command to disable
interactive prompting of the user when a chain of trust cannot be
established for an imported certificate. If this option is not
specified, the -import command prompts the user.


-rfc


Used with the -list and -export
commands to specify that certificate output should be in the
printable encoding format specified by RFC 1421. If this option is
not specified, -export outputs the certificate in
binary format, and -list lists only the
certificate fingerprint. This option cannot be combined with
-v in the -list command.


-sigalg algorithm-name


Specifies a digital signature
algorithm that signs a certificate. If omitted, the default for this
option depends on the type of underlying public key. If it is a DSA
key, the default algorithm is
"SHA1withDSA". If the key is an RSA
key, the default signature algorithm is
"MD5withRSA".


-storepass password


Specifies a password that protects the integrity of the entire
keystore file. This password also serves as a default password for
any private keys that do not have their own -keypass specified. If
-storepass is not specified, keytool prompts for it. The password must
be at least six characters long.


-storetype type


Specifies the type of the keystore to be used. If this option is not
specified, the default is taken from the system security properties
file. Often, the default is "JKS", Sun's Java Keystore type.


-trustcacerts


Used with the -import command to specify that the self-signed
certificate authority certificates contained in the keystore in the
jre/lib/security/cacerts file should be considered trusted. If this
option is omitted, keytool ignores that file.


-v


Specifies verbose mode, if present, and makes many keytool commands
produce additional output.


-validity time


Used with
the -genkey and -selfcert
commands to specify the period of validity (in days) of the generated
certificate. If unspecified, the default is 90 days.
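
An added example, not from the book: a shell filter that reads the output of keytool -list -v and flags entries still using the defaults named in the -keysize and -sigalg entries above (1024-bit keys, SHA1withDSA, MD5withRSA). The line labels are those printed by current JDK keytool builds, the 2048-bit floor is an assumption, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit `keytool -list -v` text for legacy defaults.
# Real use (keytool prompts for the keystore password):
#   keytool -list -v -keystore "$HOME/.keystore" | audit_keytool_listing

# Reads the listing on stdin, prints one "<alias>: <finding>" line per issue.
audit_keytool_listing() {
    awk '
        /^Alias name: / { alias = substr($0, 13) }
        /^Signature algorithm name: / {
            # $4 is the algorithm, e.g. SHA1withDSA or MD5withRSA
            if ($4 ~ /^(MD2|MD5|SHA1)with/)
                print alias ": weak signature algorithm " $4
        }
        /^Subject Public Key Algorithm: / {
            # $5 looks like "1024-bit", $6 is the key type
            bits = $5; sub(/-bit$/, "", bits)
            # Assumed floor: 2048 bits for RSA/DSA; EC sizes are not comparable
            if ($6 != "EC" && bits + 0 < 2048)
                print alias ": " bits "-bit " $6 " key below 2048-bit floor"
        }
    '
}

# Constructed sample in the shape of `keytool -list -v` output (not real data).
sample_listing() {
    cat <<'EOF'
Alias name: mykey
Entry type: PrivateKeyEntry
Signature algorithm name: SHA1withDSA
Subject Public Key Algorithm: 1024-bit DSA key

Alias name: web
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: legacy-rsa
Entry type: trustedCertEntry
Signature algorithm name: MD5withRSA
Subject Public Key Algorithm: 1024-bit RSA key
EOF
}

sample_listing | audit_keytool_listing
```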



See also


jarsigner, policytool

