Tuesday, 21 June 2016

keytool command examples Java - add view ssl certificate in keyStore trustStore

keytool command in Java is a tool for managing certificates intokeyStore and trustStore which is used to store certificate and requires during SSL handshake process. By using keytool command you can do many things but some of the most common operation is viewing certificate stored in keystore, importing new certificates into keyStore, delete any certificate from keystore etc. For those who are not familiar keyStore, trustStore and SSL Setup for Java application , Here is a brief overview on What is a trustStore and keyStore in Java. Both trustStore andkeyStrore is used to store certificate signed by signer authority or CA (Certificate authority), with keyStore additionally storing personal certificate for client which is used during client authentication on SSL handshake process if its enable. In this article we will see some basic example of keytool command in Java to find how many certificates we have in keyStore , viewing those certificates, adding new certificates and deleting old certificates from keyStore or trustStore in Java.


How to use keytool command in Java

Java keytool command example - add certificate list import keystore Following are some most common or frequently used example of keytool command which comes when you installed JDK. just type keytool command in your command prompt and it will show lot of command line option if your PATH is set correctly for Java. If Path is not set properly it will complain that not able to find keytool command. Don't worry you just need to add JAVA_HOME/bin directory in your path to get keytool command working.

keytool command to find how many certificates are in keyStore:
This is the first example of keytool command which will show you how many certificates are stored in trustStore or keyStore file :

test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool -list -keystore jssecacerts
Enter keystore password:  changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 81 entries

digicertassuredidrootca, 07/01/2008, trustedCertEntry,
Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
trustcenterclass2caii, 07/01/2008, trustedCertEntry,

above keytool command shows that default keystore jssecacerts, which comes along with JRE and present in JAVA_HOMEdirectory on path  JAVA_HOME/JRE/lib/security has 81 certificates in it and keyStore type is JKS which stands for Java Key Store. One of those certificates are from digicert

Now if you want to see details of certificates e.g. Common name (CN) and other attribute you can use following keytool command to view details of certificates stored in keyStore in Java :

keytool command to view certificate details from keyStore :

test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool -list -v -keystore jssecacerts
Enter keystore password:  changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 81 entries

Alias name: digicertassuredidrootca
Creation date: 07/01/2008
Entry type: trustedCertEntry

Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: ce7e0e517d846fe8fe560fc1bf03039
Valid from: Thu Nov 09 20:00:00 VET 2006 until: Sun Nov 09 19:30:00 VET 2031
Certificate fingerprints:
         MD5:  87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
         SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
         Signature algorithm name: SHA1withRSA
         Version: 3

Now if you want to import any certificate into this keystore you can use following keytool command :

keytool command for adding certificate in keystore and trustStore :

keytool -import -alias adding_certificate_keystore  -file self.cer -keystore jssecacerts

this will print certificate details and prompt you to accept the certificate, once you confirm that by typing Yes, certificate will be added into your keyStore. For verification purpose you can re run previous keytool command to get total number of certificate in keystore. For example if we run following keytool command , it should print 82 certificates in keyStore :

test@nykdev32:/cygdrive/c/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool -list -keystore jssecacerts
Enter keystore password:  changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 82 entries

Another useful keytool command option is -printcert which prints details of a certificate stored in .cer file :

~/ keytool -printcert -file test.cer

That's all on some basic keytool command example for viewing and adding certificates into keystore and trustStore in Java. I still prefer a GUI tool for creating keystore and managing certificates but keytool is good alternative because its comes along with JDK installation and available in most places.

Java Tutorials from java67 blog


No comments:

Post a Comment