

Java Keytool

SSL for Tomcat/JBoss/WebLogic using a Java keystore.

List keys in the keystore

keytool -list -keystore ssl.keystore

Import a certificate into the keystore

keytool -import -keystore ssl.keystore -file cert.cer

Delete a certificate from a keystore

keytool -delete -alias <alias looked up from -list> -keystore ssl.keystore

Change keystore cert alias from 1 to tomcat

keytool -changealias -alias 1 -destalias tomcat -keystore <pathto>/cacerts

Change keystore's password

keytool -storepasswd -new new_storepass -keystore keystore.jks

Change the private key's password for alias duke

keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass

Generating a keystore using openssl

openssl pkcs12 -export -chain -CAfile ca.crt -in cert.crt -inkey cert.key -out keystore.tomcat -name 1 -passout pass:mypass

Note that creating ca.crt is tricky. If you just copy the intermediate CA bundle provided by the issuer, you will get this error:

Error unable to get issuer certificate getting chain.

To create a ca.crt that works with this command, you also need the universal root CA certificate of your issuer. Create it using:

cat UnivRootCA.crt > ca.crt
cat IntermediateCABundle.crt >> ca.crt

Note that order matters too: the universal root CA has to be on top!
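
The script below is an added example, not part of the original page: it builds ca.crt in the order described above, confirms with openssl verify that cert.crt chains to the root before running the pkcs12 export, and reads the export password from an environment variable instead of pass: on the command line. The function names, the P12_PASS variable and the generated demo certificates are assumptions made for the example, and it assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not from the original page; key/cert material is constructed.

# build_ca_bundle ROOT INTERMEDIATES OUT: root CA on top, then the issuer's bundle.
build_ca_bundle() {
    cat "$1" > "$3" && cat "$2" >> "$3"
}

# chain_ok CAFILE CERT: true only if CERT chains up to a root inside CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# export_p12 CAFILE CERT KEY OUT ALIAS: verify the chain, then export with it.
# The password is read from $P12_PASS (env:), keeping it off the command line.
export_p12() {
    chain_ok "$1" "$2" || { echo "chain check failed for $2 against $1" >&2; return 1; }
    openssl pkcs12 -export -chain -CAfile "$1" -in "$2" -inkey "$3" \
        -out "$4" -name "$5" -passout env:P12_PASS
}

# make_demo_chain DIR: throwaway root -> intermediate -> server cert for the demo.
make_demo_chain() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in UnivRootCA IntermediateCABundle cert; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -subj "/CN=constructed $n" -out "$n.csr" 2>/dev/null || exit 1
    done
    openssl x509 -req -in UnivRootCA.csr -signkey UnivRootCA.key \
        -extfile ca.ext -days 2 -out UnivRootCA.crt 2>/dev/null &&
    openssl x509 -req -in IntermediateCABundle.csr -CA UnivRootCA.crt \
        -CAkey UnivRootCA.key -set_serial 2 -extfile ca.ext -days 2 \
        -out IntermediateCABundle.crt 2>/dev/null &&
    openssl x509 -req -in cert.csr -CA IntermediateCABundle.crt \
        -CAkey IntermediateCABundle.key -set_serial 3 -days 2 \
        -out cert.crt 2>/dev/null
)

# Demo: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_demo_chain "$d" && cd "$d" || exit 1
    chain_ok IntermediateCABundle.crt cert.crt || echo "intermediate bundle alone: no chain"
    build_ca_bundle UnivRootCA.crt IntermediateCABundle.crt ca.crt
    P12_PASS=constructed-pass; export P12_PASS
    export_p12 ca.crt cert.crt cert.key keystore.tomcat 1 && echo "wrote $d/keystore.tomcat"
fi
```

With real files, set and export P12_PASS, then call build_ca_bundle followed by export_p12; a failed chain check stops the export before the "unable to get issuer certificate" error can occur.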