src/java.base/share/man/keytool.1
*** 20,30 ****
.\" or visit www.oracle.com if you need additional information or have any
.\" questions.
.\"
.\" Automatically generated by Pandoc 2.3.1
.\"
! .TH "KEYTOOL" "1" "2019" "JDK 13" "JDK Commands"
.hy
.SH NAME
.PP
keytool \- a key and certificate management utility
.SH SYNOPSIS
--- 20,30 ----
.\" or visit www.oracle.com if you need additional information or have any
.\" questions.
.\"
.\" Automatically generated by Pandoc 2.3.1
.\"
! .TH "KEYTOOL" "1" "2020" "JDK 14" "JDK Commands"
.hy
.SH NAME
.PP
keytool \- a key and certificate management utility
.SH SYNOPSIS
*** 323,336 ****
The following commands creates four key pairs named \f[CB]ca\f[R],
\f[CB]ca1\f[R], \f[CB]ca2\f[R], and \f[CB]e1\f[R]:
.IP
.nf
\f[CB]
! keytool\ \-alias\ ca\ \-dname\ CN=CA\ \-genkeypair
! keytool\ \-alias\ ca1\ \-dname\ CN=CA\ \-genkeypair
! keytool\ \-alias\ ca2\ \-dname\ CN=CA\ \-genkeypair
! keytool\ \-alias\ e1\ \-dname\ CN=E1\ \-genkeypair
\f[R]
.fi
.PP
The following two commands create a chain of signed certificates;
\f[CB]ca\f[R] signs \f[CB]ca1\f[R] and \f[CB]ca1\f[R] signs \f[CB]ca2\f[R], all
--- 323,336 ----
The following commands creates four key pairs named \f[CB]ca\f[R],
\f[CB]ca1\f[R], \f[CB]ca2\f[R], and \f[CB]e1\f[R]:
.IP
.nf
\f[CB]
! keytool\ \-alias\ ca\ \-dname\ CN=CA\ \-genkeypair\ \-keyalg\ rsa
! keytool\ \-alias\ ca1\ \-dname\ CN=CA\ \-genkeypair\ \-keyalg\ rsa
! keytool\ \-alias\ ca2\ \-dname\ CN=CA\ \-genkeypair\ \-keyalg\ rsa
! keytool\ \-alias\ e1\ \-dname\ CN=E1\ \-genkeypair\ \-keyalg\ rsa
\f[R]
.fi
.PP
The following two commands create a chain of signed certificates;
\f[CB]ca\f[R] signs \f[CB]ca1\f[R] and \f[CB]ca1\f[R] signs \f[CB]ca2\f[R], all
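Review bot: The unchanged lead-in on the first context line, "The following commands creates four key pairs", has a subject-verb disagreement; since this paragraph is being touched anyway, change it to "The following commands create four key pairs". Appending "-keyalg rsa" to all four commands is consistent with the option becoming mandatory later in the patch.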
*** 363,373 ****
command:
.RS
.IP \[bu] 2
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process
.IP \[bu] 2
! {\f[CB]\-keyalg\f[R] \f[I]alg\f[R]}: Key algorithm name
.IP \[bu] 2
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size
.IP \[bu] 2
{\f[CB]\-groupname\f[R] \f[I]name\f[R]}: Group name.
For example, an Elliptic Curve name.
--- 363,373 ----
command:
.RS
.IP \[bu] 2
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process
.IP \[bu] 2
! \f[CB]\-keyalg\f[R] \f[I]alg\f[R]: Key algorithm name
.IP \[bu] 2
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size
.IP \[bu] 2
{\f[CB]\-groupname\f[R] \f[I]name\f[R]}: Group name.
For example, an Elliptic Curve name.
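Review bot: Dropping the braces makes "-keyalg alg" the only entry in this list shown with neither braces nor brackets, i.e. it is now mandatory, but the description "Key algorithm name" gives the reader no hint that omitting it is an error. Consider "Key algorithm name (required)" or a sentence in the -genkeypair description stating that -keyalg must be specified, so the man page explains the failure a user hits when running a bare "keytool -genkeypair" as older examples showed.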
*** 377,387 ****
[\f[CB]\-dname\f[R] \f[I]name\f[R]]: Distinguished name
.IP \[bu] 2
{\f[CB]\-startdate\f[R] \f[I]date\f[R]}: Certificate validity start date
and time
.IP \[bu] 2
! [\f[CB]\-ext\f[R] \f[I]value\f[R]}*: X.509 extension
.IP \[bu] 2
{\f[CB]\-validity\f[R] \f[I]days\f[R]}: Validity number of days
.IP \[bu] 2
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password
.IP \[bu] 2
--- 377,387 ----
[\f[CB]\-dname\f[R] \f[I]name\f[R]]: Distinguished name
.IP \[bu] 2
{\f[CB]\-startdate\f[R] \f[I]date\f[R]}: Certificate validity start date
and time
.IP \[bu] 2
! {\f[CB]\-ext\f[R] \f[I]value\f[R]}*: X.509 extension
.IP \[bu] 2
{\f[CB]\-validity\f[R] \f[I]days\f[R]}: Validity number of days
.IP \[bu] 2
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password
.IP \[bu] 2
*** 501,511 ****
.IP \[bu] 2
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process
.IP \[bu] 2
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password
.IP \[bu] 2
! {\f[CB]\-keyalg\f[R] \f[I]alg\f[R]}: Key algorithm name
.IP \[bu] 2
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size
.IP \[bu] 2
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name
.IP \[bu] 2
--- 501,511 ----
.IP \[bu] 2
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process
.IP \[bu] 2
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password
.IP \[bu] 2
! \f[CB]\-keyalg\f[R] \f[I]alg\f[R]: Key algorithm name
.IP \[bu] 2
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size
.IP \[bu] 2
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name
.IP \[bu] 2
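Review bot: Same notation change as in the -genkeypair list; consistent. Note that "-keysize size" keeps its braces, so a -genseckey call that gives -keyalg but no -keysize still relies on the per-algorithm -keysize defaults listed in the "Default values" section, which is fine as long as that section keeps its -genseckey entries.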
*** 673,683 ****
.B \f[CB]\-importkeystore\f[R]
The following are the available options for the
\f[CB]\-importkeystore\f[R] command:
.RS
.IP \[bu] 2
! {\f[CB]\-srckeystore\f[R] \f[I]keystore\f[R]}: Source keystore name
.IP \[bu] 2
{\f[CB]\-destkeystore\f[R] \f[I]keystore\f[R]}: Destination keystore name
.IP \[bu] 2
{\f[CB]\-srcstoretype\f[R] \f[I]type\f[R]}: Source keystore type
.IP \[bu] 2
--- 673,683 ----
.B \f[CB]\-importkeystore\f[R]
The following are the available options for the
\f[CB]\-importkeystore\f[R] command:
.RS
.IP \[bu] 2
! \f[CB]\-srckeystore\f[R] \f[I]keystore\f[R]: Source keystore name
.IP \[bu] 2
{\f[CB]\-destkeystore\f[R] \f[I]keystore\f[R]}: Destination keystore name
.IP \[bu] 2
{\f[CB]\-srcstoretype\f[R] \f[I]type\f[R]}: Source keystore type
.IP \[bu] 2
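Review bot: This notation fix for -srckeystore is unrelated to the -keyalg change that the rest of the patch makes; the fix itself is right (an import has no default source keystore), but it would be clearer as a separate change, or at least called out in the change description so reviewers do not read it as part of the keyalg work.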
*** 1026,1036 ****
.B \f[CB]\-printcrl\f[R]
The following are the available options for the \f[CB]\-printcrl\f[R]
command:
.RS
.IP \[bu] 2
! \f[CB]\-file\ crl\f[R]: Input file name
.IP \[bu] 2
{\f[CB]\-v\f[R]}: Verbose output
.PP
Use the \f[CB]\-printcrl\f[R] command to read the Certificate Revocation
List (CRL) from \f[CB]\-file\ crl\f[R] .
--- 1026,1036 ----
.B \f[CB]\-printcrl\f[R]
The following are the available options for the \f[CB]\-printcrl\f[R]
command:
.RS
.IP \[bu] 2
! {\f[CB]\-file\ crl\f[R]}: Input file name
.IP \[bu] 2
{\f[CB]\-v\f[R]}: Verbose output
.PP
Use the \f[CB]\-printcrl\f[R] command to read the Certificate Revocation
List (CRL) from \f[CB]\-file\ crl\f[R] .
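Review bot: Adding braces to "-file crl" signals that the option now has a default, but the sentence that follows, "Use the -printcrl command to read the Certificate Revocation List (CRL) from -file crl", still reads as if the file is mandatory; state what is read when -file is omitted. The stray space before the final period in that sentence ("-file crl .") should also go.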
*** 1468,1481 ****
.IP
.nf
\f[CB]
\-alias\ "mykey"
- \-keyalg
- \ \ \ \ "DSA"\ (when\ using\ \-genkeypair)
- \ \ \ \ "DES"\ (when\ using\ \-genseckey)
-
\-keysize
\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "RSA")
\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "DSA")
\ \ \ \ 256\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "EC")
\ \ \ \ 56\ (when\ using\ \-genseckey\ and\ \-keyalg\ is\ "DES")
--- 1468,1477 ----
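Review bot: Pure deletion of the -keyalg default entry (DSA for -genkeypair, DES for -genseckey), which is correct now that the option is mandatory. The remaining -keysize defaults are still keyed on the -keyalg value ("when using -genkeypair and -keyalg is "RSA""), which reads fine since the algorithm is now always given explicitly; the trailing blank line that separated the two entries is removed too, so the list stays compact.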
*** 1521,1531 ****
any size
T}@T{
SHA256withDSA
T}
T{
! RSA \ \ \
T}@T{
<= 3072
T}@T{
SHA256withRSA
T}
--- 1517,1527 ----
any size
T}@T{
SHA256withDSA
T}
T{
! RSA
T}@T{
<= 3072
T}@T{
SHA256withRSA
T}
*** 1776,1786 ****
Create a keystore and then generate the key pair.
.PP
You can enter the command as a single line such as the following:
.RS
.PP
! \f[CB]keytool\ \-genkeypair\ \-dname\ "cn=myname,\ ou=mygroup,\ o=mycompany,\ c=mycountry"\ \-alias\ business\ \-keypass\f[R]
\f[I]password\f[R]
\f[CB]\-keystore\ /working/mykeystore\ \-storepass\ password\ \-validity\ 180\f[R]
.RE
.PP
The command creates the keystore named \f[CB]mykeystore\f[R] in the
--- 1772,1782 ----
Create a keystore and then generate the key pair.
.PP
You can enter the command as a single line such as the following:
.RS
.PP
! \f[CB]keytool\ \-genkeypair\ \-dname\ "cn=myname,\ ou=mygroup,\ o=mycompany,\ c=mycountry"\ \-alias\ business\ \-keyalg\ rsa\ \-keypass\f[R]
\f[I]password\f[R]
\f[CB]\-keystore\ /working/mykeystore\ \-storepass\ password\ \-validity\ 180\f[R]
.RE
.PP
The command creates the keystore named \f[CB]mykeystore\f[R] in the
*** 1788,1818 ****
it the password specified by \f[CB]\-keypass\f[R].
It generates a public/private key pair for the entity whose
distinguished name is \f[CB]myname\f[R], \f[CB]mygroup\f[R],
\f[CB]mycompany\f[R], and a two\-letter country code of
\f[CB]mycountry\f[R].
! It uses the default DSA key generation algorithm to create the keys;
! both are 2048 bits
.PP
! The command uses the default SHA256withDSA signature algorithm to create
a self\-signed certificate that includes the public key and the
distinguished name information.
The certificate is valid for 180 days, and is associated with the
private key in a keystore entry referred to by
\f[CB]\-alias\ business\f[R].
The private key is assigned the password specified by
\f[CB]\-keypass\f[R].
.PP
The command is significantly shorter when the option defaults are
accepted.
! In this case, no options are required, and the defaults are used for
! unspecified options that have default values.
You are prompted for any required values.
You could have the following:
.RS
.PP
! \f[CB]keytool\ \-genkeypair\f[R]
.RE
.PP
In this case, a keystore entry with the alias \f[CB]mykey\f[R] is created,
with a newly generated key pair and a certificate that is valid for 90
days.
--- 1784,1814 ----
it the password specified by \f[CB]\-keypass\f[R].
It generates a public/private key pair for the entity whose
distinguished name is \f[CB]myname\f[R], \f[CB]mygroup\f[R],
\f[CB]mycompany\f[R], and a two\-letter country code of
\f[CB]mycountry\f[R].
! It uses the RSA key generation algorithm to create the keys; both are
! 2048 bits
.PP
! The command uses the default SHA256withRSA signature algorithm to create
a self\-signed certificate that includes the public key and the
distinguished name information.
The certificate is valid for 180 days, and is associated with the
private key in a keystore entry referred to by
\f[CB]\-alias\ business\f[R].
The private key is assigned the password specified by
\f[CB]\-keypass\f[R].
.PP
The command is significantly shorter when the option defaults are
accepted.
! In this case, only \f[CB]\-keyalg\f[R] is required, and the defaults are
! used for unspecified options that have default values.
You are prompted for any required values.
You could have the following:
.RS
.PP
! \f[CB]keytool\ \-genkeypair\ \-keyalg\ rsa\f[R]
.RE
.PP
In this case, a keystore entry with the alias \f[CB]mykey\f[R] is created,
with a newly generated key pair and a certificate that is valid for 90
days.
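Review bot: The rewritten sentence "It uses the RSA key generation algorithm to create the keys; both are 2048 bits" still lacks a terminating period, a defect carried over from the DSA wording; add it. "The default SHA256withRSA signature algorithm" agrees with the signature-algorithm table for RSA keys <= 3072, and "2048 bits" matches the -keysize default for RSA. The change to "only -keyalg is required" together with the new "keytool -genkeypair -keyalg rsa" example lines up with the option-list change earlier in the patch.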
*** 1822,1835 ****
You are prompted for the distinguished name information, the keystore
password, and the private key password.
.PP
\f[B]Note:\f[R]
.PP
! The rest of the examples assume that you executed the
! \f[CB]\-genkeypair\f[R] command without specifying options, and that you
! responded to the prompts with values equal to those specified in the
! first \f[CB]\-genkeypair\f[R] command.
For example, a distinguished name of
\f[CB]cn=\f[R]\f[I]myname\f[R]\f[CB],\ ou=\f[R]\f[I]mygroup\f[R]\f[CB],\ o=\f[R]\f[I]mycompany\f[R]\f[CB],\ c=\f[R]\f[I]mycountry\f[R]).
.SH REQUESTING A SIGNED CERTIFICATE FROM A CA
.PP
\f[B]Note:\f[R]
--- 1818,1830 ----
You are prompted for the distinguished name information, the keystore
password, and the private key password.
.PP
\f[B]Note:\f[R]
.PP
! The rest of the examples assume that you responded to the prompts with
! values equal to those specified in the first \f[CB]\-genkeypair\f[R]
! command.
For example, a distinguished name of
\f[CB]cn=\f[R]\f[I]myname\f[R]\f[CB],\ ou=\f[R]\f[I]mygroup\f[R]\f[CB],\ o=\f[R]\f[I]mycompany\f[R]\f[CB],\ c=\f[R]\f[I]mycountry\f[R]).
.SH REQUESTING A SIGNED CERTIFICATE FROM A CA
.PP
\f[B]Note:\f[R]
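Review bot: The rewrite is right, since the preceding example now passes -keyalg rsa explicitly rather than running -genkeypair with no options. The unchanged context line that follows ends with an unmatched closing parenthesis ("c=mycountry).") with no opening one; either drop it or add the opening parenthesis before "For example".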
*** 2040,2056 ****
Intermediate CA (\f[CB]ca\f[R])
.IP \[bu] 2
SSL server (\f[CB]server\f[R])
.PP
Ensure that you store all the certificates in the same keystore.
- In the following examples, RSA is the recommended the key algorithm.
.IP
.nf
\f[CB]
! keytool\ \-genkeypair\ \-keystore\ root.jks\ \-alias\ root\ \-ext\ bc:c
! keytool\ \-genkeypair\ \-keystore\ ca.jks\ \-alias\ ca\ \-ext\ bc:c
! keytool\ \-genkeypair\ \-keystore\ server.jks\ \-alias\ server
keytool\ \-keystore\ root.jks\ \-alias\ root\ \-exportcert\ \-rfc\ >\ root.pem
keytool\ \-storepass\ password\ \-keystore\ ca.jks\ \-certreq\ \-alias\ ca\ |
\ \ \ \ keytool\ \-storepass\ password\ \-keystore\ root.jks
--- 2035,2050 ----
Intermediate CA (\f[CB]ca\f[R])
.IP \[bu] 2
SSL server (\f[CB]server\f[R])
.PP
Ensure that you store all the certificates in the same keystore.
.IP
.nf
\f[CB]
! keytool\ \-genkeypair\ \-keystore\ root.jks\ \-alias\ root\ \-ext\ bc:c\ \-keyalg\ rsa
! keytool\ \-genkeypair\ \-keystore\ ca.jks\ \-alias\ ca\ \-ext\ bc:c\ \-keyalg\ rsa
! keytool\ \-genkeypair\ \-keystore\ server.jks\ \-alias\ server\ \-keyalg\ rsa
keytool\ \-keystore\ root.jks\ \-alias\ root\ \-exportcert\ \-rfc\ >\ root.pem
keytool\ \-storepass\ password\ \-keystore\ ca.jks\ \-certreq\ \-alias\ ca\ |
\ \ \ \ keytool\ \-storepass\ password\ \-keystore\ root.jks
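Review bot: Removing "In the following examples, RSA is the recommended the key algorithm." (which also carried a doubled "the") is correct, since each -genkeypair line now states "-keyalg rsa" explicitly. The "-ext bc:c" on the root and ca entries but not on server is preserved, so only the two CA keys receive a CA-flagged basic constraints extension, which is the intended shape of the chain.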
*** 2115,2125 ****
public/private key pair and wrap the public key into a self\-signed
certificate with the following command.
See \f[B]Certificate Chains\f[R].
.RS
.PP
! \f[CB]keytool\ \-genkeypair\ \-alias\ duke\ \-keypass\f[R] \f[I]passwd\f[R]
.RE
.PP
This example specifies an initial \f[I]passwd\f[R] required by subsequent
commands to access the private key associated with the alias
\f[CB]duke\f[R].
--- 2109,2120 ----
public/private key pair and wrap the public key into a self\-signed
certificate with the following command.
See \f[B]Certificate Chains\f[R].
.RS
.PP
! \f[CB]keytool\ \-genkeypair\ \-alias\ duke\ \-keyalg\ rsa\ \-keypass\f[R]
! \f[I]passwd\f[R]
.RE
.PP
This example specifies an initial \f[I]passwd\f[R] required by subsequent
commands to access the private key associated with the alias
\f[CB]duke\f[R].
*** 2613,2623 ****
.RE
.PP
A sample command using such a string is:
.RS
.PP
! \f[CB]keytool\ \-genkeypair\ \-dname\ "CN=Mark\ Smith,\ OU=Java,\ O=Oracle,\ L=Cupertino,\ S=California,\ C=US"\ \-alias\ mark\f[R]
.RE
.PP
Case doesn\[aq]t matter for the keyword abbreviations.
For example, CN, cn, and Cn are all treated the same.
.PP
--- 2608,2618 ----
.RE
.PP
A sample command using such a string is:
.RS
.PP
! \f[CB]keytool\ \-genkeypair\ \-dname\ "CN=Mark\ Smith,\ OU=Java,\ O=Oracle,\ L=Cupertino,\ S=California,\ C=US"\ \-alias\ mark\ \-keyalg\ rsa\f[R]
.RE
.PP
Case doesn\[aq]t matter for the keyword abbreviations.
For example, CN, cn, and Cn are all treated the same.
.PP