Keytool is a tool used by Java systems to configure and manipulate Keystores. The following are a list of  commands that allow you to generate a new Java  keystore file, create a CSR, import certificates, convert, and check keystores.

The Italic parts in the conversions below are examples of you own files, or your own unique naming conventions. Keep track of all your files, alias’s, and passwords.


  • Generate a Java keystore and key pair:
    • keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
  • Generate a certificate signing request (CSR) for an existing Java keystore: 
    • keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
  • Generate a keystore and self-signed certificate:
    • keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048


  • Import a intermediate CA certificate to an existing Java keystore:
    • keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore keystore.jks
  • Import a root CA certificate to an existing Java keystore:
    • keytool -import -trustcacerts -alias root -file root.crt -keystore keystore.jks
  • Import a signed SSL primary certificate to an existing Java keystore:
    • keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Java Keytool Commands for Conversion:

If you need to change the type of keystore.

  • PFX keystore to JKS keystore:
    • keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks -deststoretype JKS
  • JKS keystore to PFX keystore:
    • keytool -importkeystore -srckeystore myjksfile.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore newpfxkeystore.pfx

Java Keytool Commands for Checking:

If you need to check the information within a certificate, or Java keystore, use these commands.

  • Check a stand-alone certificate:
    • keytool -printcert -v -file mydomain.crt
  • Check which certificates are in a Java keystore:
    • keytool -list -v -keystore keystore.jks
  • Check a particular keystore entry using an alias:
    • keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands:

  • Delete a certificate from a Java Keytool keystore:
    • keytool -delete -alias mydomain -keystore keystore.jks
  • Change a Java keystore password:
    • keytool -storepasswd -new newstorepass -keystore keystore.jks
  • Export a certificate from a keystore:
    • keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
  • List Trusted CA Certs:
    • keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Import New CA into Trusted Certs:
    • keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias mydomain -keystore $JAVA_HOME/jre/lib/security/cacerts

If you need to convert your keystore from one environment to another such as… A tomcat system that uses keystores .jks and move it over to a Apache system or IIS system it is usually easier to just generate a new CSR keypair from those respective systems and perform a reissue of the certificate. Although there is a way to convert by using OpenSSL or use a conversion application such as Portecle.

LoadingAdd to favorites

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.