Category Archives: Keytool and OpenSSL

Commonly used Keytool / Open SSL Commands

Generate Keystore

keytool -genkey -alias -keyalg RSA -sigalg SHA512withRSA -keysize 2048 -keystore keystore_name.jks


Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]:  First Name

What is the name of your organizational unit?

[Unknown]:  Organisation Name

What is the name of your organization?

[Unknown]:  Company Name

What is the name of your City or Locality?


What is the name of your State or Province?


What is the two-letter country code for this unit?

[Unknown]:  GB

Is above details correct?

[no]:  yes

Generate CSR

keytool -certreq –alias  -file cert_request.csr -keystore keystore_name.jks

Import the Root CA Certificate:

keytool -importcert -keystore keystore_name.jks -alias “CA Root” -file ROOT_CA_Cert.crt

Import the Signed server certificate into the keystore

keytool -importcert -keystore keystore_name.jks -keyalg “RSA” -trustcacerts -file destinateion_cert.crt -alias

Test the keystore to see if the certificates are imported correctly

This should produce 2 lines, one with “keyEntry” for the signed server certificate imported and the second for the CA certificate imported.

keytool -v -list -keystore keystore_name.jks

Enter keystore password:

The certificate listing would follow…

Convert the jks to p12 format

keytool -importkeystore -srckeystore source_keystore.jks -srcstoretype jks -srcstorepass changeme -srcalias changeme -destkeystore destination_cert_type.p12 -deststoretype pkcs12 -deststorepass changeme -destalias -destkeypass changeme

Extract the key from the p12 format keystore

openssl pkcs12 -in destination_cert_type.p12 -passin pass:changeme -nocerts -out destination_cert_type.pem -des -passout pass:changeme

Remove the need for the password

openssl rsa -in destination_cert_type.pem -passin pass:changeme -out no_password_certificate.crt

Export a certificate from a keystore

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

OpenSSL to find out the certicate encryption algorithm type

openssl s_client -connect url:port< /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep -e “Signature Algorithm”|head -1