Important JVM options in order to work with key- and truststores.

Enable DEBUG for diagnosis SSL handshake


Pass custom keystore or truststore


Download certificate

echo -n | openssl s_client -connect cinhtau.net:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./cert.pem

Viewing Keystore Entries

This section covers listing the contents of a Java Keystore.

List Keys

This command lists the SHA fingerprints of all of the certificates in the keystore, in this case the default Java truststore.

keytool -list \
    -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

List keys from custom keystore

keytool -list \
    -keystore "C:/dev/src/strechy-elastic-rest-client/src/main/resources/truststore.jks"

If you don’t want to type the password use storepass to omit password.

keytool -list -keystore keystore.jks -storepass changeMe

List Verbose Keystore Contents

keytool -list \
    -keystore keystore.jks

View Certificate Information

This command prints verbose information about a certificate file.

keytool -printcert \
        -file ca.crt

Create Keystore

If the keystore doesn’t exist, a new keystore is created.

keytool -import \
    -alias elasticCA \
    -file C:\TEMP\ca.crt \
    -keystore truststore.jks

Generate Keys

keytool -genkeypair \
        -alias cinhtau \
        -keyalg RSA \
        -keystore keystore.jks

Generate CSR For Existing Private Key

keytool -certreq \
        -alias cinhtau \
        -file cinhtau.csr \
        -keystore keystore.jks

Modifying Keystore

This section covers the modification of Java Keystore entries.

Import Certificate

Import another certificate into existing keystore.

keytool -import \
    -alias taft_point \
    -file C:\TEMP\elasticsearch-host.pem \
    -keystore truststore.jks

Example on Windows.

keytool -import -file C:\TEMP\ca.crt -alias elasticCA -keystore truststore.jks
Enter keystore password:
Re-enter new password:
Owner: CN=Elastic Certificate Tool Autogenerated CA
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: d5a6359b11aac3cc52fdebe29743e331badb7ad9
Valid from: Wed Nov 29 13:49:32 CET 2017 until: Sat Nov 28 13:49:32 CET 2020
Certificate fingerprints:
         MD5:  28:5D:1D:C5:9A:10:9D:AD:65:47:81:13:1D:35:94:DE
         SHA1: 0A:4B:20:C3:4D:57:F6:B1:96:14:4B:58:C3:28:65:68:6D:4C:F0:37
         SHA256: EC:2A:B3:1C:24:39:C7:A7:99:CC:21:32:B9:C5:A7:AE:7E:5C:F3:10:3C:AD:11:69:97:C5:43:3B:99:39:63:F9
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3


#1: ObjectId: Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AB 53 74 D8 FC D7 99 5B   FE 77 23 7F 26 81 24 26  .St....[.w#.&.$&
0010: 89 12 DF 50                                        ...P
[CN=Elastic Certificate Tool Autogenerated CA]
SerialNumber: [    d5a6359b 11aac3cc 52fdebe2 9743e331 badb7ad9]

#2: ObjectId: Criticality=true

#3: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AB 53 74 D8 FC D7 99 5B   FE 77 23 7F 26 81 24 26  .St....[.w#.&.$&
0010: 89 12 DF 50                                        ...P

Trust this certificate? [no]:  yes
Certificate was added to keystore

Another alternative is the importcert option:

keytool -importcert \
    -keystore watcher-truststore.jks \
    -alias test \
    -file /srv/nas/kibana/test/ssl/cert.pem
keytool -importcert \
    -keystore watcher-truststore.jks \
    -alias prod \
    -file /srv/nas/kibana/prod/ssl/cert.pem

Export Certificate

Export a binary DER-encoded certificate, that is associated with the alias cinhtau, in the truststore:

keytool -exportcert \
        -alias cinhtau \ 
        -file cinhtau.der \
        -keystore truststore.jks

Delete Certificate

To delete a certificate, use the alias.

keytool -delete \
        -alias cinhtau_2017 \
        -keystore keystore.jks

Rename Alias

keytool -changealias \
        -alias domain \
        -destalias newdomain \
        -keystore keystore.jks

Change Keystore Password

keytool -storepasswd \
        -keystore keystore.jks

Convert Keystore

If you get a warning like this:

Warning: The JKS keystore uses a proprietary format.
It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore old-keystore.jks -destkeystore new-keystore.jks -deststoretype pkcs12".

Template with password

keytool -importkeystore -srckeystore vip-qa-sca-vm.jks.new -srcstorepass oldMapper \
        -destkeystore vip-qa-sca-vm.jks -deststoretype pkcs12 -deststorepass newMapper
Importing keystore vip-qa-sca-vm.jks.new to vip-qa-sca-vm.jks...
Entry for alias tomcat successfully imported.
Entry for alias tomcat_new successfully imported.
Import command completed:  2 entries successfully imported, 0 entries failed or cancelled