src/java.base/share/man/keytool.1
@@ -20,11 +20,11 @@
.\" or visit www.oracle.com if you need additional information or have any
.\" questions.
.\"
.\" Automatically generated by Pandoc 2.3.1
.\"
-.TH "KEYTOOL" "1" "2019" "JDK 13" "JDK Commands"
+.TH "KEYTOOL" "1" "2020" "JDK 14" "JDK Commands"
.hy
.SH NAME
.PP
keytool \- a key and certificate management utility
.SH SYNOPSIS
@@ -323,14 +323,14 @@
The following commands creates four key pairs named \f[CB]ca\f[R],
\f[CB]ca1\f[R], \f[CB]ca2\f[R], and \f[CB]e1\f[R]:
.IP
.nf
\f[CB]
-keytool\ \-alias\ ca\ \-dname\ CN=CA\ \-genkeypair
-keytool\ \-alias\ ca1\ \-dname\ CN=CA\ \-genkeypair
-keytool\ \-alias\ ca2\ \-dname\ CN=CA\ \-genkeypair
-keytool\ \-alias\ e1\ \-dname\ CN=E1\ \-genkeypair
+keytool\ \-alias\ ca\ \-dname\ CN=CA\ \-genkeypair\ \-keyalg\ rsa
+keytool\ \-alias\ ca1\ \-dname\ CN=CA\ \-genkeypair\ \-keyalg\ rsa
+keytool\ \-alias\ ca2\ \-dname\ CN=CA\ \-genkeypair\ \-keyalg\ rsa
+keytool\ \-alias\ e1\ \-dname\ CN=E1\ \-genkeypair\ \-keyalg\ rsa
\f[R]
.fi
.PP
The following two commands create a chain of signed certificates;
\f[CB]ca\f[R] signs \f[CB]ca1\f[R] and \f[CB]ca1\f[R] signs \f[CB]ca2\f[R], all
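Review bot: The unchanged sentence introducing these four commands still reads "The following commands creates four key pairs"; since the block is being edited, correct it to "The following commands create". The added option is also spelled "rsa" in lowercase here, while the defaults list and the signature algorithm table in this file write "RSA", so pick one spelling for the examples.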
@@ -363,11 +363,11 @@
command:
.RS
.IP \[bu] 2
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process
.IP \[bu] 2
-{\f[CB]\-keyalg\f[R] \f[I]alg\f[R]}: Key algorithm name
+\f[CB]\-keyalg\f[R] \f[I]alg\f[R]: Key algorithm name
.IP \[bu] 2
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size
.IP \[bu] 2
{\f[CB]\-groupname\f[R] \f[I]name\f[R]}: Group name.
For example, an Elliptic Curve name.
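Review bot: On the -keyalg entry, removing the braces is the only signal that the option is now mandatory, and the description still says just "Key algorithm name". Extend the description to say that the option must be given, so a reader of this list does not have to know the bracket convention. The same applies to the identical change in the @@ -501 hunk.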
@@ -377,11 +377,11 @@
[\f[CB]\-dname\f[R] \f[I]name\f[R]]: Distinguished name
.IP \[bu] 2
{\f[CB]\-startdate\f[R] \f[I]date\f[R]}: Certificate validity start date
and time
.IP \[bu] 2
-[\f[CB]\-ext\f[R] \f[I]value\f[R]}*: X.509 extension
+{\f[CB]\-ext\f[R] \f[I]value\f[R]}*: X.509 extension
.IP \[bu] 2
{\f[CB]\-validity\f[R] \f[I]days\f[R]}: Validity number of days
.IP \[bu] 2
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password
.IP \[bu] 2
@@ -501,11 +501,11 @@
.IP \[bu] 2
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process
.IP \[bu] 2
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password
.IP \[bu] 2
-{\f[CB]\-keyalg\f[R] \f[I]alg\f[R]}: Key algorithm name
+\f[CB]\-keyalg\f[R] \f[I]alg\f[R]: Key algorithm name
.IP \[bu] 2
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size
.IP \[bu] 2
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name
.IP \[bu] 2
@@ -673,11 +673,11 @@
.B \f[CB]\-importkeystore\f[R]
The following are the available options for the
\f[CB]\-importkeystore\f[R] command:
.RS
.IP \[bu] 2
-{\f[CB]\-srckeystore\f[R] \f[I]keystore\f[R]}: Source keystore name
+\f[CB]\-srckeystore\f[R] \f[I]keystore\f[R]: Source keystore name
.IP \[bu] 2
{\f[CB]\-destkeystore\f[R] \f[I]keystore\f[R]}: Destination keystore name
.IP \[bu] 2
{\f[CB]\-srcstoretype\f[R] \f[I]type\f[R]}: Source keystore type
.IP \[bu] 2
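Review bot: The -srckeystore entry loses its braces here, which marks it as required, but that is unrelated to the -keyalg change made in the rest of this patch. Call it out in the change description or split it into its own change so that it is checked against the tool's behaviour separately.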
@@ -1026,11 +1026,11 @@
.B \f[CB]\-printcrl\f[R]
The following are the available options for the \f[CB]\-printcrl\f[R]
command:
.RS
.IP \[bu] 2
-\f[CB]\-file\ crl\f[R]: Input file name
+{\f[CB]\-file\ crl\f[R]}: Input file name
.IP \[bu] 2
{\f[CB]\-v\f[R]}: Verbose output
.PP
Use the \f[CB]\-printcrl\f[R] command to read the Certificate Revocation
List (CRL) from \f[CB]\-file\ crl\f[R] .
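Review bot: Wrapping the -file crl entry in braces marks it as optional, but the paragraph below it still says the CRL is read "from -file crl" and does not say where the input comes from when the option is omitted. Add that to the description, and remove the stray space before the full stop on the same line while you are there.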
@@ -1468,14 +1468,10 @@
.IP
.nf
\f[CB]
\-alias\ "mykey"
-\-keyalg
-\ \ \ \ "DSA"\ (when\ using\ \-genkeypair)
-\ \ \ \ "DES"\ (when\ using\ \-genseckey)
-
\-keysize
\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "RSA")
\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "DSA")
\ \ \ \ 256\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "EC")
\ \ \ \ 56\ (when\ using\ \-genseckey\ and\ \-keyalg\ is\ "DES")
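Review bot: With the -keyalg block removed from this defaults list, nothing here tells the reader that -keyalg no longer has a default for -genkeypair or -genseckey, yet every -keysize entry that remains is conditional on it. Add a short line after -alias stating that -keyalg has no default and must be specified.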
@@ -1521,11 +1517,11 @@
any size
T}@T{
SHA256withDSA
T}
T{
-RSA \ \ \
+RSA
T}@T{
<= 3072
T}@T{
SHA256withRSA
T}
@@ -1776,11 +1772,11 @@
Create a keystore and then generate the key pair.
.PP
You can enter the command as a single line such as the following:
.RS
.PP
-\f[CB]keytool\ \-genkeypair\ \-dname\ "cn=myname,\ ou=mygroup,\ o=mycompany,\ c=mycountry"\ \-alias\ business\ \-keypass\f[R]
+\f[CB]keytool\ \-genkeypair\ \-dname\ "cn=myname,\ ou=mygroup,\ o=mycompany,\ c=mycountry"\ \-alias\ business\ \-keyalg\ rsa\ \-keypass\f[R]
\f[I]password\f[R]
\f[CB]\-keystore\ /working/mykeystore\ \-storepass\ password\ \-validity\ 180\f[R]
.RE
.PP
The command creates the keystore named \f[CB]mykeystore\f[R] in the
@@ -1788,31 +1784,31 @@
it the password specified by \f[CB]\-keypass\f[R].
It generates a public/private key pair for the entity whose
distinguished name is \f[CB]myname\f[R], \f[CB]mygroup\f[R],
\f[CB]mycompany\f[R], and a two\-letter country code of
\f[CB]mycountry\f[R].
-It uses the default DSA key generation algorithm to create the keys;
-both are 2048 bits
+It uses the RSA key generation algorithm to create the keys; both are
+2048 bits
.PP
-The command uses the default SHA256withDSA signature algorithm to create
+The command uses the default SHA256withRSA signature algorithm to create
a self\-signed certificate that includes the public key and the
distinguished name information.
The certificate is valid for 180 days, and is associated with the
private key in a keystore entry referred to by
\f[CB]\-alias\ business\f[R].
The private key is assigned the password specified by
\f[CB]\-keypass\f[R].
.PP
The command is significantly shorter when the option defaults are
accepted.
-In this case, no options are required, and the defaults are used for
-unspecified options that have default values.
+In this case, only \f[CB]\-keyalg\f[R] is required, and the defaults are
+used for unspecified options that have default values.
You are prompted for any required values.
You could have the following:
.RS
.PP
-\f[CB]keytool\ \-genkeypair\f[R]
+\f[CB]keytool\ \-genkeypair\ \-keyalg\ rsa\f[R]
.RE
.PP
In this case, a keystore entry with the alias \f[CB]mykey\f[R] is created,
with a newly generated key pair and a certificate that is valid for 90
days.
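Review bot: The rewritten sentence "It uses the RSA key generation algorithm to create the keys; both are 2048 bits" has no terminating period, and it dropped the word "default" even though the 2048-bit size still comes from the -keysize default (the command shown does not pass -keysize). Suggest ending it with "both are 2048 bits by default." so the text matches the command.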
@@ -1822,14 +1818,13 @@
You are prompted for the distinguished name information, the keystore
password, and the private key password.
.PP
\f[B]Note:\f[R]
.PP
-The rest of the examples assume that you executed the
-\f[CB]\-genkeypair\f[R] command without specifying options, and that you
-responded to the prompts with values equal to those specified in the
-first \f[CB]\-genkeypair\f[R] command.
+The rest of the examples assume that you responded to the prompts with
+values equal to those specified in the first \f[CB]\-genkeypair\f[R]
+command.
For example, a distinguished name of
\f[CB]cn=\f[R]\f[I]myname\f[R]\f[CB],\ ou=\f[R]\f[I]mygroup\f[R]\f[CB],\ o=\f[R]\f[I]mycompany\f[R]\f[CB],\ c=\f[R]\f[I]mycountry\f[R]).
.SH REQUESTING A SIGNED CERTIFICATE FROM A CA
.PP
\f[B]Note:\f[R]
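Review bot: The unchanged line that ends this note closes with "c=mycountry)." but the sentence never opens a parenthesis. Drop the stray ")" as part of rewording the note.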
@@ -2040,17 +2035,16 @@
Intermediate CA (\f[CB]ca\f[R])
.IP \[bu] 2
SSL server (\f[CB]server\f[R])
.PP
Ensure that you store all the certificates in the same keystore.
-In the following examples, RSA is the recommended the key algorithm.
.IP
.nf
\f[CB]
-keytool\ \-genkeypair\ \-keystore\ root.jks\ \-alias\ root\ \-ext\ bc:c
-keytool\ \-genkeypair\ \-keystore\ ca.jks\ \-alias\ ca\ \-ext\ bc:c
-keytool\ \-genkeypair\ \-keystore\ server.jks\ \-alias\ server
+keytool\ \-genkeypair\ \-keystore\ root.jks\ \-alias\ root\ \-ext\ bc:c\ \-keyalg\ rsa
+keytool\ \-genkeypair\ \-keystore\ ca.jks\ \-alias\ ca\ \-ext\ bc:c\ \-keyalg\ rsa
+keytool\ \-genkeypair\ \-keystore\ server.jks\ \-alias\ server\ \-keyalg\ rsa
keytool\ \-keystore\ root.jks\ \-alias\ root\ \-exportcert\ \-rfc\ >\ root.pem
keytool\ \-storepass\ password\ \-keystore\ ca.jks\ \-certreq\ \-alias\ ca\ |
\ \ \ \ keytool\ \-storepass\ password\ \-keystore\ root.jks
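Review bot: The three changed -genkeypair lines still omit -storepass and -dname, while the -certreq pipeline below them passes -storepass password, so the block prompts interactively three times before the scripted part runs. If the example is meant to be pasted as one sequence, either add those options to the -genkeypair lines or say in the preceding text that they prompt.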
@@ -2115,11 +2109,12 @@
public/private key pair and wrap the public key into a self\-signed
certificate with the following command.
See \f[B]Certificate Chains\f[R].
.RS
.PP
-\f[CB]keytool\ \-genkeypair\ \-alias\ duke\ \-keypass\f[R] \f[I]passwd\f[R]
+\f[CB]keytool\ \-genkeypair\ \-alias\ duke\ \-keyalg\ rsa\ \-keypass\f[R]
+\f[I]passwd\f[R]
.RE
.PP
This example specifies an initial \f[I]passwd\f[R] required by subsequent
commands to access the private key associated with the alias
\f[CB]duke\f[R].
@@ -2613,11 +2608,11 @@
.RE
.PP
A sample command using such a string is:
.RS
.PP
-\f[CB]keytool\ \-genkeypair\ \-dname\ "CN=Mark\ Smith,\ OU=Java,\ O=Oracle,\ L=Cupertino,\ S=California,\ C=US"\ \-alias\ mark\f[R]
+\f[CB]keytool\ \-genkeypair\ \-dname\ "CN=Mark\ Smith,\ OU=Java,\ O=Oracle,\ L=Cupertino,\ S=California,\ C=US"\ \-alias\ mark\ \-keyalg\ rsa\f[R]
.RE
.PP
Case doesn\[aq]t matter for the keyword abbreviations.
For example, CN, cn, and Cn are all treated the same.
.PP