Key Tool (keytool) Utility

The key tool is a Java development kit utility that allows you to manage a keystore (database) of private keys and their associated X.509 certificates. The keytool utility also manages certificates from trusted entities. This utility is located in <UnwiredPlatform_InstallDir>\UnwiredPlatform\Servers\SQLANywhere11\Sun\JRE160_x86\bin.

keytool enables users to create and manage their own public/private key pairs and associated certificates for use in self-authentication or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.

Syntax

keytool -list | -printcert | -import | -export| -delete | -selfcert | -certreq | -genkey [options]

Parameters

-list – displays the contents of a keystore or keystore entry.
-printcert – displays the contents of a certificate stored in a file. Check this information before importing a certificate as a trusted certificate. Make sure certificate fingerprints as as expected.
-import – imports a certificate to:
1. Add a certificate or certificate chain to the list of trusted certificates, or
2. Import a certificate reply received from a certificate authority (CA) as the result of submitting a certificate signing request (CSR).
The value of the -alias option indicates the type of import you are performing. If the alias exists in the database, then it is assumed you want to import a certificate reply. keytool checks whether the public key in the certificate reply matches the public key stored with the alias, and exits if they do not match. If the alias identifies the other type of keystore entry, the certificate is not imported. If the alias does not exist, it is created, and associated with the imported certificate.
-export – exports a certificate to a file.
-delete – deletes a certificate from the list of trusted certificates.
-selfcert – generates a self-signed certificate. The generated certificate is stored as a single-element certificate chain in the keystore entry identified by the specified alias, where it replaces the existing certificate chain.
-certreq – generates a Certificate Signing Request (CSR), using the PKCS #10 format. A CSR is intended to be sent to a CA, which authenticates the certificate requestor and returns a certificate or certificate chain, used to replace the existing certificate chain in the keystore.
-genkey – generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by <alias>.

[options] – these options are available with the -genkey parameter:

Option	Description
`-keystore <keystoreLocation>`	The name and location of the persistent keystore file for the keystore managed by keytool. If you specify, in the `-keystore` option, a keystore that does not exist, that keystore is created. If you do not specify a `-keystore` option, the default keystore is a file named .keystore in your home directory. If that file does not exist, it is created.
`-storepass <password>`	The password that is used to protect the integrity of the keystore. The password must be at least 6 characters long. It must be provided to all commands that access the keystore contents. For such commands, if a `-storepass` option is not provided at the command line, the user is prompted for it.
`-file <certificateFile>`	The certificate file location.
`-noprompt`	During import, removes interaction with the user.
`-trustcacerts`	When importing a certificate reply, the certificate reply is validated using trusted certificates from the keystore, and using the certificates configured in the cacerts keystore file. This file resides in the JDK security properties directory, java.home\lib\security, where java.home is the runtime environment's directory. The cacerts file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying "jks" as the keystore type.
`-alias <alias>`	The logical name for the certificate you are using.
`-keypass <password>`	The password used to protect the private key of the key pair. If you press enter at the prompt, the key password is set to the same password as for the keystore. `keypass` must be at least 6 characters long.

Examples

Example 1: Viewing the keystore – Display the contents of the keystore:
keytool -list -keystore <filePath>\keystore.jks -storepass <storepass>
Example 2: Importing a certificate reply from a CA – Import a certificate:
keytool -import -file <certificate file> -keystore <filePath>\keystore.jks -storepass <storepass> -noprompt -trustcacerts -alias <alias>
Example 3: Deleting a certificate – Delete a certificate:
keytool -delete -alias <alias> -keystore <filePath>\keystore.jks -storepass <storepass>
Example 4: Generating a key pair – Create a new key entry in a keystore:
keytool -genkey -keystore <filePath>\keystore.jks

The certificate request must be signed by a CA. Alternatively, you can self-sign the certificate by using the -selfcert keytool option.