keytool command options
keytool manages and manipulates a keystore, a repository for public and private keys and public key certificates. keytool defines various commands for generating keys, importing data into the keystore, and exporting and displaying keystore data. Keys and certificates are stored in a keystore under a case-insensitive name or alias; keytool uses this alias to refer to a key or certificate.
The first option to keytool always specifies the basic command to be performed. Subsequent options provide details about how the command is to be performed. Only the command must be specified. If a command requires an option that does not have a default value, keytool prompts you interactively for the value.
-certreq
Generates a certificate signing request in PKCS#10 format for the specified alias. The request is written to the specified file or to the standard output stream. The request should be sent to a certificate authority (CA), which authenticates the requestor and sends back a signed certificate authenticating the requestor's public key. This signed certificate can then be imported into the keystore with the -import command. Import the CA's reply under the same alias as the key pair: keytool then validates the reply against the trusted certificates already in the keystore (and in the cacerts file, if -trustcacerts is given) before it replaces the self-signed certificate. This command uses the following options: -alias, -file, -keypass, -keystore, -sigalg, -storepass, -storetype, and -v.
-delete
Deletes a specified alias from a specified keystore. This command uses the following options: -alias, -keystore, -storepass, -storetype, and -v.
-export
Writes the certificate associated with the specified alias to the specified file or to standard output. This command uses the following options: -alias, -file, -keystore, -rfc, -storepass, -storetype, and -v.
-genkey
Generates a public/private key pair and a self-signed X.509 certificate for the public key. Self-signed certificates are not often useful by themselves, so this command is often followed by -certreq. This command uses the following options: -alias, -dname, -keyalg, -keypass, -keysize, -keystore, -sigalg, -storepass, -storetype, -v, and -validity.
-help
Lists all available keytool commands and their options. This command is not used with any other options.
-identitydb
Reads keys and certificates from a legacy identity database managed with the deprecated javakey program and stores them into a keystore so that they can be manipulated by keytool. The identity database is read from the specified file or from standard input if no file is specified. The keys and certificates are written into the specified keystore file, which is automatically created if it does not exist yet. This command uses the following options: -file, -keystore, -storepass, -storetype, and -v.
-import
Reads a certificate or PKCS#7-formatted certificate chain from a specified file or from standard input and stores it as a trusted certificate in the keystore with the specified alias. If the alias already holds a key pair, the file is treated instead as a CA reply for that key pair (see -certreq). This command uses the following options: -alias, -file, -keypass, -keystore, -noprompt, -storepass, -storetype, -trustcacerts, and -v.
-keyclone
Duplicates the keystore entry of a specified alias and stores it in the keystore under a new alias. This command uses the following options: -alias, -dest, -keypass, -keystore, -new, -storepass, -storetype, and -v.
-keypasswd
Changes the password that encrypts the private key associated with a specified alias. The keystore itself must still be opened with its store password. This command uses the following options: -alias, -keypass, -keystore, -new, -storepass, -storetype, and -v.
-list
Displays (on standard output) the fingerprint of the certificate associated with the specified alias. With the -v option, prints certificate details in human-readable format. With -rfc, prints certificate contents in a machine-readable, printable-encoding format. This command uses the following options: -alias, -keystore, -rfc, -storepass, -storetype, and -v.
-printcert
Displays the contents of a certificate read from the specified file or from standard input. Unlike most keytool commands, this one does not use a keystore. This command uses the following options: -file and -v.
-selfcert
Creates a self-signed certificate for the public key associated with the specified alias and uses it to replace any certificate or certificate chain already associated with that alias. This command uses the following options: -alias, -dname, -keypass, -keystore, -sigalg, -storepass, -storetype, -v, and -validity.
-storepasswd
Changes the password that protects the integrity of the keystore as a whole. The new password must be at least six characters long. This command uses the following options: -keystore, -new, -storepass, -storetype, and -v.
keytool commands can be passed various options from the following list. Many of these options have reasonable default values. keytool interactively prompts for any unspecified options that do not have defaults:
-alias name
Specifies the alias to be manipulated in the keystore. The default is "mykey".
-dest newalias
Specifies the new alias name (the destination alias) for the -keyclone command. If not specified, keytool prompts for a value.
-dname X.500-distinguished-name
Specifies the X.500 distinguished name to appear on the certificate generated by -selfcert or -genkey. A distinguished name is a highly qualified name intended to be globally unique. For example:
CN=David Flanagan, OU=Editorial, O=OReilly, L=Cambridge, S=Massachusetts, C=US
The -genkey command of keytool prompts for a distinguished name if none is specified. The -selfcert command uses the distinguished name of the current certificate if no replacement name is specified.
-file file
Specifies the input or output file for many of the keytool commands. If left unspecified, keytool reads from the standard input or writes to the standard output.
-keyalg algorithm-name
Used with -genkey to specify what type of cryptographic keys to generate. In the default Java implementation shipped from Sun, the only supported algorithm is "DSA"; this is the default if this option is omitted.
-keypass password
Specifies the password that encrypts a private key in the keystore. If this option is unspecified, keytool first tries the -storepass password. If that does not work, it prompts for the appropriate password.
-keysize size
Used with the -genkey command to specify the length in bits of the generated keys. If unspecified, the default is 1024. A 1024-bit key is too short by current standards; specify at least 2048 bits explicitly rather than relying on the default.
-keystore filename
Specifies the location of the keystore file. If unspecified, a file named .keystore in the user's home directory is used.
-new new-password-or-alias
Used with the -keyclone command to specify the new alias name and with -keypasswd and -storepasswd to specify the new password. If unspecified, keytool prompts for the value of this option.
-noprompt
Used with the -import command to disable interactive prompting of the user when a chain of trust cannot be established for an imported certificate. If this option is not specified, the -import command prompts the user. With -noprompt, a certificate that cannot be validated is installed as trusted without any confirmation, so verify its fingerprint (for example with -printcert) against a value obtained out of band before importing it this way.
-rfc
Used with the -list and -export commands to specify that certificate output should be in the printable encoding format specified by RFC 1421. If this option is not specified, -export outputs the certificate in binary format, and -list lists only the certificate fingerprint. This option cannot be combined with -v in the -list command.
-sigalg algorithm-name
Specifies a digital signature algorithm that signs a certificate. If omitted, the default for this option depends on the type of underlying public key. If it is a DSA key, the default algorithm is "SHA1withDSA". If the key is an RSA key, the default signature algorithm is "MD5withRSA". Both defaults rest on hash functions that are no longer considered safe for signatures; specify a SHA-256-based algorithm (such as "SHA256withRSA") explicitly.
-storepass password
Specifies a password that protects the integrity of the entire keystore file. This password also serves as a default password for any private keys that do not have their own -keypass specified. If -storepass is not specified, keytool prompts for it. The password must be at least six characters long.
-storetype type
Specifies the type of the keystore to be used. If this option is not specified, the default is taken from the system security properties file. Often, the default is "JKS", Sun's Java Keystore type.
-trustcacerts
Used with the -import command to specify that the self-signed certificate authority certificates contained in the keystore in the jre/lib/security/cacerts file should be considered trusted. If this option is omitted, keytool ignores that file.
-v
Enables verbose mode; when present, many keytool commands produce additional output.
-validity time
Used with the -genkey and -selfcert commands to specify the period of validity (in days) of the generated certificate. If unspecified, the default is 90 days.
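The following script is an added example, not part of this reference. It drives the commands above non-interactively: every option that would otherwise prompt (-dname, -storepass, -keypass, the -import trust question) is supplied explicitly, the -import step is gated on a fingerprint check obtained with -printcert, and -keypasswd and -storepasswd are used to rotate both passwords. It assumes a JDK whose keytool can generate RSA keys (any modern JDK); the passwords, aliases, file names and distinguished name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original reference. Assumes a JDK whose keytool
# supports RSA key generation; all names and passwords below are constructed.

STOREPASS="store-secret"   # constructed; keytool requires at least six characters
KEYPASS="key-secret"       # constructed; distinct from STOREPASS to exercise -keypass

# -genkey: key pair plus self-signed certificate under alias "server".
# Key size and signature algorithm are given explicitly instead of the old
# 1024-bit / MD5 or SHA-1 defaults.
make_keystore() {   # make_keystore <keystore-file>
    keytool -genkey -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 \
        -dname "CN=example.test, OU=Editorial, O=OReilly, L=Cambridge, S=Massachusetts, C=US" \
        -keystore "$1" -storetype JKS -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# -certreq: PKCS#10 request for the alias, the file you would send to a CA.
make_csr() {   # make_csr <keystore-file> <csr-file>
    keytool -certreq -alias server -file "$2" \
        -keystore "$1" -storetype JKS -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# -export -rfc: the certificate in RFC 1421 printable encoding rather than binary.
export_cert() {   # export_cert <keystore-file> <cert-file>
    keytool -export -rfc -alias server -file "$2" \
        -keystore "$1" -storetype JKS -storepass "$STOREPASS"
}

# -printcert: SHA-256 fingerprint of a certificate file; no keystore involved.
cert_fingerprint() {   # cert_fingerprint <cert-file>
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# -import -noprompt: install a certificate as a trusted entry. Because -noprompt
# skips the "Trust this certificate?" question, the comparison against a
# fingerprint obtained out of band is the only check left, so it runs first.
import_trusted() {   # import_trusted <truststore-file> <alias> <cert-file> <expected-sha256>
    actual=$(cert_fingerprint "$3")
    if [ -z "$actual" ] || [ "$actual" != "$4" ]; then
        echo "refusing to trust $3: fingerprint '$actual' does not match '$4'" >&2
        return 1
    fi
    keytool -import -noprompt -alias "$2" -file "$3" \
        -keystore "$1" -storetype JKS -storepass "$STOREPASS"
}

# -list -alias: classify an entry as a private-key entry or a trusted certificate.
entry_type() {   # entry_type <keystore-file> <alias>
    out=$(keytool -list -alias "$2" -keystore "$1" -storetype JKS -storepass "$STOREPASS")
    case "$out" in
        *trustedCertEntry*)            echo trusted ;;
        *PrivateKeyEntry*|*keyEntry*)  echo privatekey ;;
        *)                             echo unknown ;;
    esac
}

# -keypasswd then -storepasswd: rotate both passwords. The key password is
# changed first because -keypasswd still has to open the file with the old store
# password.
rotate_passwords() {   # rotate_passwords <keystore-file> <new-store-password> <new-key-password>
    keytool -keypasswd -alias server -keypass "$KEYPASS" -new "$3" \
        -keystore "$1" -storetype JKS -storepass "$STOREPASS" &&
    keytool -storepasswd -new "$2" \
        -keystore "$1" -storetype JKS -storepass "$STOREPASS"
}

# Whole flow in one directory: key pair, CSR, exported certificate, fingerprint-
# checked import into a separate truststore. Prints the certificate fingerprint.
run_demo() {   # run_demo <work-dir>
    make_keystore "$1/server.jks" &&
    make_csr "$1/server.jks" "$1/server.csr" &&
    export_cert "$1/server.jks" "$1/server.pem" &&
    fp=$(cert_fingerprint "$1/server.pem") &&
    import_trusted "$1/trust.jks" server-cert "$1/server.pem" "$fp" &&
    echo "$fp"
}

if [ "${1:-}" = run ]; then
    run_demo "$(mktemp -d)"
fi
```

Run it as `sh keytool-demo.sh run`. In real use the expected fingerprint passed to import_trusted comes from the certificate's owner over a separate channel, not from the file being imported; the demo computes it from the same file only to show the mechanics.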
See also: jarsigner, policytool