The keytool command is included with Java, so Java must be installed before keytool can be used.
keystore vs. truststore
First and foremost, it's important to recognize the difference between a keystore and a truststore. Let's consider a scenario where a Tomcat application server is being used. There will be both inbound and outbound requests. Typically, an inbound request is when a remote system makes a request for an app deployed to Tomcat. Typically, an outbound request is when an app deployed to Tomcat needs to reach out to a remote system, such as when making a query to a remote SQL database.
Inbound requests use a keystore to secure the requests. Outbound requests use a truststore to secure the request. So, when you see keystore, think "inbound" and when you see truststore think "outbound".
A keystore contains one or more key pairs (private key / public certificate). The first step is to create the private key. In this example, the private key is placed on the web server so that HTTPS can be used. As the name implies, a private key is private, and should never ever be made public.
In this example, a keystore named DefaultKeystore.jks is created, with a single private key with an alias of example.com.
keytool -genkey -alias example.com -keyalg RSA -keystore DefaultKeystore.jks -keysize 2048
In this example, a PKCS12 keystore is created.
keytool -genkey -alias example.com -keyalg RSA -keystore DefaultKeystore.p12 -keysize 2048 -storetype PKCS12
Notice that by default, a private key must be created in the new keystore file. If you want an empty keystore, you can remove the private key that was created:
keytool -keystore DefaultKeystore.p12 -storetype PKCS12 -storepass itsasecret -delete -alias example.com
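The steps above can be run unattended and checked, as in this added example (not part of the original page). It goes one step further than the page's commands by exporting the certificate into a truststore, so the difference in entry types is visible. The names DefaultTruststore.p12 and example.com.crt are assumptions, and -genkeypair is the current name of the -genkey option used above.

```shell
#!/bin/sh
# Added example: throwaway stores in a temp directory. DefaultTruststore.p12 and
# example.com.crt are assumed names; itsasecret is the page's sample password.
STOREPASS=itsasecret
export STOREPASS   # read via -storepass:env so it stays out of the process list

# Print how many entries of type $2 (PrivateKeyEntry | trustedCertEntry) store $1 holds.
count_entries() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass:env STOREPASS 2>/dev/null |
        grep -c "$2" || true
}

# Create a keystore (key pair) and a truststore (certificate only) in directory $1.
build_stores() (
    cd "$1" || exit 1
    # -dname answers the identity prompts so the command runs unattended.
    keytool -genkeypair -alias example.com -keyalg RSA -keysize 2048 \
        -dname "CN=example.com" -validity 365 \
        -keystore DefaultKeystore.p12 -storetype PKCS12 -storepass:env STOREPASS &&
    # Only the public certificate leaves the keystore; the private key stays put.
    keytool -exportcert -alias example.com -rfc -file example.com.crt \
        -keystore DefaultKeystore.p12 -storetype PKCS12 -storepass:env STOREPASS &&
    # Importing that certificate creates the truststore if it does not exist.
    keytool -importcert -noprompt -alias example.com -file example.com.crt \
        -keystore DefaultTruststore.p12 -storetype PKCS12 -storepass:env STOREPASS
)

# Remove the generated key pair, leaving an empty keystore in directory $1.
empty_keystore() {
    keytool -delete -alias example.com -keystore "$1/DefaultKeystore.p12" \
        -storetype PKCS12 -storepass:env STOREPASS
}

# Demo run; needs keytool on PATH.
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    build_stores "$work" >/dev/null 2>&1
    echo "keystore private keys:    $(count_entries "$work/DefaultKeystore.p12" PrivateKeyEntry)"
    echo "truststore private keys:  $(count_entries "$work/DefaultTruststore.p12" PrivateKeyEntry)"
    echo "truststore trusted certs: $(count_entries "$work/DefaultTruststore.p12" trustedCertEntry)"
    empty_keystore "$work" >/dev/null 2>&1
    echo "keystore after -delete:   $(count_entries "$work/DefaultKeystore.p12" PrivateKeyEntry)"
    rm -rf "$work"
fi
```

The truststore ends up with a trustedCertEntry and no PrivateKeyEntry, which is why a truststore can be shared more freely than a keystore.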