Where is keytool located
If the destination alias already exists in the destination keystore, then the user is prompted either to overwrite the entry or to create a new entry under a different alias name.
Existing entries are overwritten with the destination alias name.

Commands for Generating a Certificate Request

The CA authenticates the certificate requestor (usually offline) and returns a certificate or certificate chain to replace the existing certificate chain (initially a self-signed certificate) in the keystore. The private key associated with alias is used to create the PKCS #10 certificate request. To access the private key, the correct password must be provided. If -dname is provided, then it is used as the subject in the CSR.
Otherwise, the X. The -sigalg value specifies the algorithm that should be used to sign the CSR. The CSR is stored in the -file file. If a file is not specified, then the CSR is output to stdout.

Commands for Exporting Data

When a file is not specified, the certificate is output to stdout. By default, the certificate is output in binary encoding. If the -rfc option is specified, then the output is in the printable encoding format defined by the Internet RFC Certificate Encoding Standard.
If -alias refers to a trusted certificate, then that certificate is output. Otherwise, -alias refers to a key entry with an associated certificate chain.
In that case, the first certificate in the chain is returned. This certificate authenticates the public key of the entity addressed by -alias.
Commands for Displaying Data

Use the -list command to print the contents of the keystore entry identified by -alias to stdout. If -alias alias is not specified, then the contents of the entire keystore are printed. By default, this command prints the SHA fingerprint of a certificate. If the -v option is specified, then the certificate is printed in human-readable format, with additional information such as the owner, issuer, serial number, and any extensions.
If the -rfc option is specified, then the certificate contents are printed by using the printable encoding format, as defined by the Internet RFC Certificate Encoding Standard. Otherwise, an error is reported. It prints its contents in a human-readable format. If the certificate is read from a file or stdin, then it might be either binary encoded or in printable encoding format, as defined by the RFC Certificate Encoding standard.
The following are the available options for the -printcertreq command:

Use the -printcertreq command to print the contents of a PKCS #10 format certificate request, which can be generated by the keytool -certreq command. The command reads the request from file. If there is no file, then the request is read from the standard input. The CA generates the crl file.

Commands for Managing the Keystore
The following are the available options for the -storepasswd command:

Use the -storepasswd command to change the password used to protect the integrity of the keystore contents. The new password is set by -new arg and must contain at least six characters. The password value must contain at least six characters. Use the -delete command to delete the -alias alias entry from the keystore. When not provided at the command line, the user is prompted for the alias.
The following are the available options for the -changealias command:

Use the -changealias command to move an existing keystore entry from -alias alias to a new -destalias alias.
If a destination alias is not provided, then the command prompts you for one. If the original entry is protected with an entry password, then the password can be supplied with the -keypass option.
If a key password is not provided, then the -storepass (if provided) is attempted first. If the attempt fails, then the user is prompted for a password.

Commands for Displaying Help Information

Common Command Options

The -v option can appear for all commands except --help. When the -v option appears, it signifies verbose mode, which means that more information is provided in the output. The -J option argument can appear for any command. When the -J option is used, the specified option string is passed directly to the Java interpreter.
For a list of possible interpreter options, enter java -h or java -X at the command line. Operates on the cacerts keystore. An error is reported if the -keystore or -storetype option is used with the -cacerts option.
Denotes an X. The option can be used in -genkeypair and -gencert to embed extensions into the generated certificate, or in -certreq to show what extensions are requested in the certificate request. The option can appear multiple times. The value argument, when provided, denotes the argument for the extension. When value is omitted, the default value of the extension is used, or the extension itself requires no argument.
The :critical modifier, when provided, means the extension's isCritical attribute is true; otherwise, it is false. You can use :c in place of :critical. Note that the input stream from the -keystore option is passed to the KeyStore. For example, when the keystore resides on a hardware token device.
Specify this value as true when a password must be specified by way of a protected authentication path, such as a dedicated PIN reader. Because there are two keystores involved in the -importkeystore command, the following two options, -srcprotected and -destprotected, are provided for the source keystore and the destination keystore respectively. Used with the -addprovider or -providerclass option to represent an optional string input argument for the constructor of class name.
Used to identify a cryptographic service provider's name when listed in the security properties file. Otherwise, the password is retrieved as follows:

Note: All other options that require passwords, such as -keypass, -srckeypass, -destkeypass, -srcstorepass, and -deststorepass, accept the env and file modifiers.
Remember to separate the password option and the modifier with a colon (:). The password must be provided to all commands that access the keystore contents. When retrieving information from the keystore, the password is optional.

Pre-configured options file

A pre-configured options file is a Java properties file that can be specified with the -conf option. Each property represents the default option(s) for a keytool command using keytool.
A special property named keytool. If an option value includes white space, it should be surrounded by quotation marks (" or '). All property names must be in lower case. When keytool is launched with a pre-configured options file, the value for keytool. For a single-valued option, this allows the property for a specific command to override the keytool.
For multiple-valued options, all of them will be used by keytool.

Examples of Option Values

When generating a certificate or a certificate request, the default signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key to provide an appropriate level of security strength as follows:

To improve out-of-the-box security, default key size and signature algorithm names are periodically updated to stronger values with each release of the JDK.
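The pre-configured options file, the :env password modifier and the -storepasswd, -changealias and -delete commands described above, worked through as an added example (this is not code from the keytool documentation). It assumes a JDK whose keytool supports -conf and PKCS12 keystores; the keystore path, aliases and passwords are constructed for the demo, and the script skips itself when keytool is not on PATH.

```shell
#!/bin/sh
# Added example, not code from the keytool documentation. Assumes a JDK keytool
# that supports -conf (JDK 9 and later) and PKCS12 keystores; all paths,
# aliases and passwords below are constructed for the demo.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH (add \$JAVA_HOME/bin); skipping demo" >&2
    exit 0
fi

# Fresh working directory with a pre-configured options file. keytool.all is
# prepended to every command; keytool.list only to -list, so -v applies there
# without affecting the other commands.
setup_workdir() {
    WORK=$(mktemp -d)
    KS="$WORK/demo.p12"
    CONF="$WORK/keytool.conf"
    cat > "$CONF" <<EOF
# constructed pre-configured options file
keytool.all = -keystore $KS -storetype PKCS12
keytool.list = -v
EOF
}

# The store password never appears on the command line: the :env modifier
# makes keytool read it from the named environment variable.
create_keystore() {               # $1 = store password
    KS_PASS="$1"; export KS_PASS
    keytool -conf "$CONF" -genkeypair -alias mykey -keyalg RSA -keysize 2048 \
        -dname "CN=demo, O=Example" -validity 90 \
        -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
}

has_alias() {                     # $1 = store password, $2 = alias; 0 if present
    KS_PASS="$1"; export KS_PASS
    keytool -conf "$CONF" -list -storepass:env KS_PASS -alias "$2" >/dev/null 2>&1
}

# No -keypass is given: keytool tries the store password for the entry first
# and only prompts if that fails (a PKCS12 entry shares the store password).
rename_entry() {                  # $1 = store password, $2 = alias, $3 = new alias
    KS_PASS="$1"; export KS_PASS
    keytool -conf "$CONF" -changealias -alias "$2" -destalias "$3" \
        -storepass:env KS_PASS >/dev/null 2>&1
}

change_store_password() {         # $1 = old password, $2 = new password (>= 6 chars)
    OLD_PASS="$1"; NEW_PASS="$2"; export OLD_PASS NEW_PASS
    keytool -conf "$CONF" -storepasswd -storepass:env OLD_PASS -new:env NEW_PASS \
        >/dev/null 2>&1
}

delete_entry() {                  # $1 = store password, $2 = alias
    KS_PASS="$1"; export KS_PASS
    keytool -conf "$CONF" -delete -alias "$2" -storepass:env KS_PASS >/dev/null 2>&1
}

# Walk through the lifecycle once, then clean up.
setup_workdir
create_keystore changeit
rename_entry changeit mykey business
change_store_password changeit newsecret123
has_alias newsecret123 business && echo "entry 'business' present after rename and password change"
delete_entry newsecret123 business
has_alias newsecret123 business || echo "entry 'business' deleted"
rm -rf "$WORK"
```

Keeping the keystore location in the options file and the password in the environment means neither a shared shell history nor a process listing exposes the password; the file itself holds nothing secret.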
If interoperability with older releases of the JDK is important, make sure that the defaults are supported by those releases. Alternatively, you can use the -keysize or -sigalg options to override the default values at your own risk.

Supported Named Extensions

The keytool command supports these named extensions. When len is omitted, the resulting value is ca:true. Provided there is no ambiguity, the usage argument can be abbreviated with the first few letters (such as dig for digitalSignature) or in camel-case style (such as dS for digitalSignature or cRLS for cRLSign).
The usage values are case-sensitive. Provided there is no ambiguity, the usage argument can be abbreviated with the first few letters or in camel-case style. Other than standard hexadecimal digits (0-9, a-f, A-F), any extra characters are ignored in the HEX string. Therefore, both and are accepted as identical values. When there is no value, the extension has an empty value field. A special name honored, used only in -gencert, denotes how the extensions included in the certificate request should be honored.
If, besides the -ext honored option, another named or OID -ext option is provided, this extension is added to those already honored. However, if this name or OID also appears in the honored value, then its value and criticality override that in the request. If an extension of the same type is provided multiple times through either a name or an OID, only the last extension is used.
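An added example (not code from the keytool documentation) of the -ext syntax above: a key pair whose self-signed certificate carries a critical basicConstraints, a critical keyUsage written with the cRLS abbreviation, and a non-critical subjectAltName, read back with -list -v to confirm what was actually encoded, including the subjectKeyIdentifier that keytool adds on its own. The alias, names and keystore path are constructed for the demo; it assumes a JDK keytool with PKCS12 support and skips itself when keytool is not on PATH.

```shell
#!/bin/sh
# Added example, not code from the keytool documentation: generate a key pair
# whose self-signed certificate carries named extensions, then read them back
# with -list -v. Alias, names and keystore path are constructed for the demo.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH; skipping demo" >&2
    exit 0
fi

PASS=changeit   # demo password only

# bc:c and ku:c use the :c shorthand for :critical. cRLS is the camel-case
# abbreviation of cRLSign; keyCertSign is spelled out. pathlen:0 means this CA
# may sign end-entity certificates only, not subordinate CAs.
gen_ca_with_extensions() {        # $1 = keystore path
    keytool -genkeypair -keystore "$1" -storetype PKCS12 -storepass "$PASS" \
        -alias testca -keyalg RSA -keysize 3072 -validity 365 \
        -dname "CN=Demo Test CA, O=Example" \
        -ext bc:c=ca:true,pathlen:0 \
        -ext ku:c=keyCertSign,cRLS \
        -ext san=dns:ca.example.test,email:pki@example.test >/dev/null 2>&1
}

# Verbose listing of the entry; each extension appears as
# "#n: ObjectId: <oid> Criticality=<true|false>" followed by a decoded body.
list_entry() {                    # $1 = keystore path
    keytool -list -v -keystore "$1" -storetype PKCS12 -storepass "$PASS" \
        -alias testca 2>/dev/null
}

# 0 when the certificate carries the extension with the given OID and criticality.
has_extension() {                 # $1 = keystore, $2 = OID, $3 = true|false
    list_entry "$1" | grep -q "ObjectId: $2 Criticality=$3"
}

# 0 when the decoded extension bodies contain the given text, e.g. "CA:true".
has_detail() {                    # $1 = keystore, $2 = fixed string
    list_entry "$1" | grep -qF "$2"
}

WORK=$(mktemp -d)
gen_ca_with_extensions "$WORK/ca.p12"
has_extension "$WORK/ca.p12" 2.5.29.19 true  && echo "basicConstraints present and critical"
has_extension "$WORK/ca.p12" 2.5.29.15 true  && echo "keyUsage present and critical"
has_extension "$WORK/ca.p12" 2.5.29.17 false && echo "subjectAltName present, non-critical"
has_extension "$WORK/ca.p12" 2.5.29.14 false && echo "subjectKeyIdentifier added automatically"
has_detail "$WORK/ca.p12" "DNSName: ca.example.test" && echo "SAN dNSName decoded as requested"
rm -rf "$WORK"
```

Checking the decoded listing rather than trusting the command line catches the cases the text warns about: an abbreviation that resolved to a different usage than intended, or a criticality flag that was silently dropped.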
The subjectKeyIdentifier extension is always created. For non-self-signed certificates, the authorityKeyIdentifier is created. Users should be aware that some combinations of extensions and other certificate fields may not conform to the Internet standard. See Certificate Conformance Warning.

Examples of Tasks in Creating a keystore

Generating the Key Pair
Requesting a Signed Certificate from a CA
Importing a Certificate for the CA
Importing the Certificate Reply from the CA
Importing the Keystore

It uses the default DSA key generation algorithm to create the keys; both are bits. The command uses the default SHAwithDSA signature algorithm to create a self-signed certificate that includes the public key and the distinguished name information.
The certificate is valid for days, and is associated with the private key in a keystore entry referred to by -alias business. The private key is assigned the password specified by -keypass. The command is significantly shorter when the option defaults are accepted.
In this case, no options are required, and the defaults are used for unspecified options that have default values. You are prompted for any required values. You could have the following:

In this case, a keystore entry with the alias mykey is created, with a newly generated key pair and a certificate that is valid for 90 days.
This entry is placed in your home directory in a keystore named. You are prompted for the distinguished name information, the keystore password, and the private key password.
The rest of the examples assume that you executed the -genkeypair command without specifying options, and that you responded to the prompts with values equal to those specified in the first -genkeypair command. Generating the key pair created a self-signed certificate; however, a certificate is more likely to be trusted by others when it is signed by a CA.
This creates a CSR for the entity identified by the default alias mykey and puts the request in the file named myname.
The CA authenticates you, the requestor (usually offline), and returns a certificate, signed by them, authenticating your public key. In some cases, the CA returns a chain of certificates, each one authenticating the public key of the signer of the previous certificate in the chain.
Before you import the certificate reply from a CA, you need one or more trusted certificates either in your keystore or in the cacerts keystore file. See -importcert in Commands. If the certificate reply is a certificate chain, then you need the top certificate of the chain (the root CA certificate that authenticates the public key of the CA). If the certificate reply is a single certificate, then you need a certificate for the issuing CA (the one that signed it).
The cacerts keystore ships with a set of root certificates issued by the CAs of the Oracle Java Root Certificate program. If you request a signed certificate from a CA, and a certificate authenticating that CA's public key hasn't been added to cacerts , then you must import a certificate from that CA as a trusted certificate.
A certificate from a CA is usually self-signed or signed by another CA. If it is signed by another CA, you need a certificate that authenticates that CA's public key.
For example, you have obtained a X. Before you import it as a trusted certificate, you should ensure that the certificate is valid by:

Viewing it with the keytool -printcert command or the keytool -importcert command without using the -noprompt option.
Make sure that the displayed certificate fingerprints match the expected fingerprints. Calling the person who sent the certificate, and comparing the fingerprints that you see with the ones that they show or that a secure public key repository shows.
Replace the self-signed certificate with a certificate chain, where each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a root CA. If you trust that the certificate is valid, then you can add it to your keystore by entering the following command:

This command creates a trusted certificate entry in the keystore from the data in the CA certificate file and assigns the values of the alias to the entry.
After you import a certificate that authenticates the public key of the CA that you submitted your certificate signing request to (or there is already such a certificate in the cacerts file), you can import the certificate reply and replace your self-signed certificate with a certificate chain.
Constructed when the CA reply is a single certificate. This certificate chain is constructed by using the certificate reply and trusted certificates available either in the keystore where you import the reply or in the cacerts keystore file.
For example, if you sent your certificate signing request to DigiCert, then you can import their reply by entering the following command:

If you used the jarsigner command to sign a Java Archive (JAR) file, then clients that use the file will want to authenticate your signature.
One way that clients can authenticate you is by importing your public key certificate into their keystore as a trusted entry. You can then export the certificate and supply it to your clients. Copy your certificate to a file named myname. With the certificate and the signed JAR file, a client can use the jarsigner command to authenticate your signature. Use the -importkeystore command to import an entire keystore into another keystore. This imports all entries from the source keystore, including keys and certificates, to the destination keystore with a single command.
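The sequence described in the task sections above (generating the key pair, requesting a signed certificate, checking and importing the CA certificate, importing the reply, and exporting the signed certificate for clients), as an added example that is not code from the keytool documentation. A throwaway CA is created locally with -gencert so the whole flow runs offline; the fingerprint check before the trusted import stands in for the out-of-band comparison the text recommends. Names, aliases, paths and the password are constructed for the demo; it assumes a JDK keytool with PKCS12 support and skips itself when keytool is not on PATH.

```shell
#!/bin/sh
# Added example, not code from the keytool documentation: the CSR, CA reply and
# export steps, using a throwaway CA created locally so it runs offline.
# Before the CA certificate is trusted, its SHA-256 fingerprint is compared with
# the expected value; that check is what justifies -noprompt afterwards.
# All names, aliases, paths and the password are constructed for the demo.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH; skipping demo" >&2
    exit 0
fi

PASS=changeit
kt() { keytool -storetype PKCS12 -storepass "$PASS" "$@"; }   # shared demo options

# A local CA and the entity that wants a CA-signed certificate.
gen_ca() {                        # $1 = workdir
    kt -genkeypair -keystore "$1/ca.p12" -alias rootca -keyalg RSA -keysize 3072 \
       -validity 3650 -dname "CN=Demo Root CA, O=Example" \
       -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign >/dev/null 2>&1
}
gen_server() {                    # $1 = workdir
    kt -genkeypair -keystore "$1/server.p12" -alias mykey -keyalg RSA -keysize 2048 \
       -validity 90 -dname "CN=www.example.test, O=Example" \
       -ext san=dns:www.example.test >/dev/null 2>&1
}

# Requesting a signed certificate: the CSR is signed with the private key of -alias.
make_csr() {                      # $1 = workdir
    kt -certreq -keystore "$1/server.p12" -alias mykey -file "$1/myname.csr" >/dev/null 2>&1
}

# The CA signs it. honored=all keeps the extensions from the request (the SAN),
# while the CA imposes ca:false and the key usages it is willing to certify.
sign_csr() {                      # $1 = workdir
    kt -gencert -keystore "$1/ca.p12" -alias rootca -infile "$1/myname.csr" \
       -outfile "$1/myname.cer" -validity 90 -rfc -ext honored=all \
       -ext bc=ca:false -ext ku:c=digitalSignature,keyEncipherment \
       -ext eku=serverAuth >/dev/null 2>&1
}

# For a key entry, -exportcert writes the first certificate of its chain.
export_cert() {                   # $1 = keystore, $2 = alias, $3 = output file
    kt -exportcert -keystore "$1" -alias "$2" -rfc -file "$3" >/dev/null 2>&1
}

# SHA-256 fingerprint exactly as -printcert shows it (colon-separated hex).
fingerprint() {                   # $1 = certificate file
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Import a trusted certificate only when its fingerprint matches the value
# obtained out of band; -noprompt is acceptable because the check was done here.
import_trusted() {                # $1 = keystore, $2 = alias, $3 = cert file, $4 = expected fp
    actual=$(fingerprint "$3")
    if [ "$actual" != "$4" ]; then
        echo "fingerprint mismatch for $3: refusing to import" >&2
        return 1
    fi
    kt -importcert -keystore "$1" -alias "$2" -file "$3" -noprompt >/dev/null 2>&1
}

# Importing the CA reply into the key entry replaces the self-signed certificate
# with the chain mykey -> rootca, built from the trusted entry imported above.
import_reply() {                  # $1 = workdir
    kt -importcert -keystore "$1/server.p12" -alias mykey -file "$1/myname.cer" >/dev/null 2>&1
}

chain_length() {                  # $1 = workdir; prints 1 (self-signed) or 2 (CA-signed)
    kt -list -v -keystore "$1/server.p12" -alias mykey 2>/dev/null \
       | sed -n 's/^Certificate chain length: //p'
}

WORK=$(mktemp -d)
gen_ca "$WORK"; gen_server "$WORK"; make_csr "$WORK"; sign_csr "$WORK"
export_cert "$WORK/ca.p12" rootca "$WORK/ca.cer"
EXPECTED=$(fingerprint "$WORK/ca.cer")     # in real use: the fingerprint the CA published
echo "chain length before reply: $(chain_length "$WORK")"
import_trusted "$WORK/server.p12" rootca "$WORK/ca.cer" "$EXPECTED"
import_reply "$WORK"
echo "chain length after reply:  $(chain_length "$WORK")"
export_cert "$WORK/server.p12" mykey "$WORK/myname-signed.cer"   # hand this to clients
rm -rf "$WORK"
```

The same import_trusted routine is what a client would run against the exported myname-signed.cer before trusting a jarsigner signature: it only ever calls -importcert -noprompt after the fingerprint has been matched against a value that did not travel with the certificate.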
You can use this command to import entries from a different type of keystore. During the import, all new entries in the destination keystore will have the same alias names and protection passwords for secret keys and private keys. If it detects alias duplication, then it asks you for a new alias, and you can specify a new alias or simply allow the keytool command to overwrite the existing one.
For example, import entries from a typical JKS type keystore key. The importkeystore command can also be used to import a single entry from a source keystore to a destination keystore.
In this case, besides the options you used in the previous example, you need to specify the alias you want to import. With the -srcalias option specified, you can also specify the destination alias name, protection password for a secret or private key, and the destination protection password you want as follows:

The following are keytool commands used to generate key pairs and certificates for three entities:
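The two -importkeystore forms just described, whole keystore and single entry with -srcalias/-destalias, as an added example (not code from the keytool documentation), each verified afterwards with -list. Aliases and paths are constructed for the demo, one password protects both stores, and the script assumes a JDK keytool with PKCS12 support and skips itself when keytool is not on PATH.

```shell
#!/bin/sh
# Added example, not code from the keytool documentation: -importkeystore for a
# whole keystore and for a single entry renamed on the way in, checked with
# -list. Aliases, paths and the password are constructed for the demo.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH; skipping demo" >&2
    exit 0
fi

PASS=changeit
kt() { keytool -storetype PKCS12 "$@"; }

# Source keystore with two private-key entries.
gen_source() {                    # $1 = workdir
    for alias in business mykey; do
        kt -genkeypair -keystore "$1/key.p12" -storepass "$PASS" -alias "$alias" \
           -keyalg RSA -keysize 2048 -dname "CN=$alias, O=Example" >/dev/null 2>&1
    done
}

# Whole-keystore import: every entry keeps its alias and its key password.
# -noprompt makes a duplicate alias overwrite instead of asking.
import_all() {                    # $1 = workdir
    kt -importkeystore -srckeystore "$1/key.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
       -destkeystore "$1/all.p12" -deststoretype PKCS12 -deststorepass "$PASS" \
       -noprompt >/dev/null 2>&1
}

# Single-entry import: -srcalias selects the entry, -destalias renames it, and
# -srckeypass/-destkeypass cover the entry password on each side.
import_one() {                    # $1 = workdir, $2 = source alias, $3 = destination alias
    kt -importkeystore -srckeystore "$1/key.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
       -destkeystore "$1/one.p12" -deststoretype PKCS12 -deststorepass "$PASS" \
       -srcalias "$2" -destalias "$3" -srckeypass "$PASS" -destkeypass "$PASS" \
       -noprompt >/dev/null 2>&1
}

# Number of entries reported by -list ("Your keystore contains N entries").
entry_count() {                   # $1 = keystore
    kt -list -keystore "$1" -storepass "$PASS" 2>/dev/null \
       | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}

has_alias() {                     # $1 = keystore, $2 = alias; 0 if present
    kt -list -keystore "$1" -storepass "$PASS" -alias "$2" >/dev/null 2>&1
}

WORK=$(mktemp -d)
gen_source "$WORK"
import_all "$WORK"
echo "all.p12 holds $(entry_count "$WORK/all.p12") entries"      # 2
import_one "$WORK" business newbusiness
echo "one.p12 holds $(entry_count "$WORK/one.p12") entries"      # 1
rm -rf "$WORK"
```

Counting entries after the copy is a cheap way to notice a silent overwrite: with -noprompt, a clash between an existing alias and an imported one replaces the older key without any message.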
Ensure that you store all the certificates in the same keystore. In the following examples, RSA is the recommended key algorithm. Keystores can have different types of entries. The two most applicable entry types for the keytool command include the following:

This file is typically located in the following places:

So if you navigate to the directory where the keytool executable is located, your command line would look something like this:

You will need to supply path information depending on where you run the keytool command from and where your certificate file resides. Also, be sure you are updating the correct cacerts file that ColdFusion is using, in case you have more than one JRE installed on that server.