Generating Java KeyStore using Keytool utility

As we all know about Java keystore utility as keytool can used to generate keystore and maintain certificates based on its entity.  Please see for my post Java Keytool Commands for more details.

In this post we will see how to generate a keystore by providing different options.

We use  "-genkeypair" or "-genkey" command to generate new keystore.  Let see what are Option are there while using this command.


 -alias <alias>                  alias name of the entry to process
 -keyalg <keyalg>                key algorithm name
 -keysize <keysize>              key bit size
 -sigalg <sigalg>                signature algorithm name
 -destalias <destalias>          destination alias
 -dname <dname>                  distinguished name
 -startdate <startdate>          certificate validity start date/time
 -ext <value>                    X.509 extension
 -validity <valDays>             validity number of days
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism

Now let see every Option here in detail.
-alias:  Alias name or sudo name should be given while creating any new keystore.  This alias name can be used to find out private or Server certificate or renew Server certificate.

-keyalg:  Key algorithm are used to generate public and private keys and default keyalg is DSA (Digital Signature Algorithm).  We can also use different Key algorithms like RSA (Rivest-Shamir-Adleman), GMR, AE, Cramer-Shoup, DH, ECDH, ECDSA, EdDSA, EKE, SRP, STS, EPOC, HFE, IES and many others.  But most popularly used keyalg is RSA and DSA.

-keysize:  This option defines key bit size.  From JDK 6 onward default keysize would be 1024 bit.

-sigalg:  This option is used to define your signature either SHA1 or SHA2.  If you using default keyalg as DSA then either with JDK 6 or JDK 7 we will get SHA1withDSA, If your keyalg is RSA then in JDK 6 we will see default sigalg as SHA1withRSA where in JDK 7 we will default sigalg SHA256withRSA

-destalias:  This option is used to define your destination store alias name.  If any case you want to convert your Pfx format into JKS then this option is used to define alias name.

-dname: This option is used to define your CN and Org details in sigle steps like -dname ", ou=JavaSoft, o=Sun, c=US"

-startdate: This option is used to define your certificate start valid date and time. 

-ext: Denotes an X.509 certificate extension. The option can be used in -genkeypair and -gencert to embed extensions into the certificate generated, or in -certreq to show what extensions are requested in the certificate request.

-validity:  This option used to define certificate valid period till number of days.

-keypass: Valid key password to access store certificate.

-keystore: Option for define Java keystore

-storepass: Password for Keystore to access.

-storetype: Keystore type default store type is JKS

-providername: Used to identify a cryptographic service provider's name when listed in the security properties file.

-providerclass: Used to specify the name of cryptographic service provider's master class file when the service provider is not listed in the security properties file.

-providerarg: Used in conjunction with -providerClass. Represents an optional string input argument for the constructor of provider_class_name.

-providerpath: specify with path for Provider.

-v: verbose output

-protected: Either true or false. This value should be specified as true if a password must be given via a protected authentication path such as a dedicated PIN reader.  

Let's see how to create simple keystore file with extension .jks.

keytool -genkeypair -keystore PrivateKeystore.jks -alias privatekeystore -storepass followme -keypass followme -keyalg RSA -validity 356 -keysize 2048
What is your first and last name?
What is the name of your organizational unit?
  [Unknown]:  Tech
What is the name of your organization?
  [Unknown]:  Gyan
What is the name of your City or Locality?
  [Unknown]:  SS
What is the name of your State or Province?
  [Unknown]:  LS
What is the two-letter country code for this unit?
  [Unknown]:  US
Is, OU=Tech, O=Gyan, L=SS, ST=LS, C=US correct?
  [no]:  yes

Or you can pass same information in other way

keytool -genkeypair -keystore PrivateKeystore.jks -storepass followme -keypass followme -keyalg RSA -validity 356 -keysize 2048 -dname ", ou=Tech, o=Gyan, c=US"

So we will see a JKS file create with name PrivateKeystore.jks which have store password as followme and keypass as followme and alias name as privatekeystore

Post a Comment