FreeKB - Java Keystore keytool command (Create a keystore or truststore)

The keytool command is included with Java, thus you will need to install Java to use the keytool command.


keystore vs. truststore

First and foremost, it's important to recognize the difference between a keystore and a truststore. Let's consider a scenario where a Tomcat application server is being used. There will be both inbound and outbound requests. Typically, an inbound request is when a remote system makes a request for an app deployed to Tomcat. Typically, an outbound request is when an app deployed to Tomcat needs to go out, such as when making a query to a remote SQL database.


Inbound requests use a keystore to secure the requests. Outbound requests use a truststore to secure the request. So, when you see keystore, think "inbound" and when you see truststore think "outbound".


Create keystore

A keystore contains one or more key pairs (private key / public certificate). The first step is to create the private key. In this example, the private key is placed on the web server so that HTTPS can be used. As the name implies, a private key is private, and should never ever be made public.


In this example, a keystore named DefaultKeystore.jks is created, with a single private key with an alias of

keytool -genkey -alias <alias> -keyalg RSA -keystore DefaultKeystore.jks -keysize 2048


In this example, a PKCS12 keystore is created.

keytool -genkey -alias <alias> -keyalg RSA -keystore DefaultKeystore.p12 -keysize 2048 -storetype PKCS12


Notice that by default, a private key must be created in the new keystore file. If you want an empty keystore, you can remove the private key that was created.

keytool -keystore DefaultKeystore.p12 -storetype PKCS12 -storepass itsasecret -delete -alias <alias>
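
The create, check and delete steps above as a non-interactive script. This is an added example, not part of the original page; the alias demo-alias, the CN value, the file name DemoKeystore.p12 and the KS_PASS environment variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. The alias, DN, file name and
# the KS_PASS variable are constructed sample values.

# Create a PKCS12 keystore holding one RSA 2048 key pair, without prompts.
# -storepass:env reads the password from the named environment variable, so
# it does not show up in the process list the way "-storepass itsasecret" does.
# umask 077 makes the new file readable by its owner only (it holds a private key).
create_keystore() {   # $1 = keystore file, $2 = alias
    (
        umask 077
        keytool -genkey -alias "$2" -keyalg RSA -keysize 2048 \
            -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS \
            -dname "CN=$2" -validity 365 </dev/null >/dev/null 2>&1
    )
}

# Succeeds only if the alias exists in the keystore.
has_alias() {         # $1 = keystore file, $2 = alias
    keytool -list -alias "$2" -keystore "$1" -storetype PKCS12 \
        -storepass:env KS_PASS </dev/null >/dev/null 2>&1
}

# Remove the key pair that -genkey had to create, leaving an empty keystore.
delete_alias() {      # $1 = keystore file, $2 = alias
    keytool -delete -alias "$2" -keystore "$1" -storetype PKCS12 \
        -storepass:env KS_PASS </dev/null >/dev/null 2>&1
}

# Run as:  KS_PASS='a password of 6+ characters' sh keystore.sh demo
if [ "${1:-}" = "demo" ]; then
    export KS_PASS
    create_keystore ./DemoKeystore.p12 demo-alias || exit 1
    has_alias ./DemoKeystore.p12 demo-alias && echo "key pair created"
    delete_alias ./DemoKeystore.p12 demo-alias || exit 1
    has_alias ./DemoKeystore.p12 demo-alias || echo "keystore is now empty"
fi
```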
