Keytool For Certificate Management

Keytool for Certificate Management – Syntax and Examples


The keytool utility is shipped with all releases of Java and is available in both the JRE and the JDK. We use the keytool command for managing certificates, and to store them in a keystore. The keytool command allows us to manage self-signed certificates, and to show information about the keystore. In this article, we explain how to use the keytool for certificate management, with some practical examples.

In the following sections, we explore the different commands we can use for various operations with the Keytool command.

Table of contents:

Basic Commands using the keytool for certificate management

Let’s first look at some of the most common and basic commands you’d use for managing certificates with the keytool command.

A typical keytool command is structured like this:

keytool -<command> -<options> -<arguments>
  • <command> is the specific operation you want to execute, such as -list or -genkeypair
  • <options> are the additional settings or options you need to pass with the command
  • <arguments> are the additional information you need to pass to the command for its execution, such as the file name, the keystore path etc.

Example command:

keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore.jks -alias socketdaddykey

View certificates in a keystore

We can use the -list command to display the contents of the keystore entry identified by -alias on the standard output. If -alias alias is not provided, the entire keystore’s contents are printed.


keytool -list -keystore socketdaddy_keystore.jks

The command above lists all the certificates stored in the keystore socketdaddy_keystore.jks in detail. It also provides details such as alias, creation date, entry type, and the certificate chain.

Additionally, if you want to look for a specific certificate with its alias and print more details, you must pass the -alias and the -v options.


keytool -list -v -keystore socketdaddy_keystore.jks -alias socketdaddy

This command prints the details of the certificate with the alias socketdaddy in the socketdaddy_keystore.jks keystore file. The output of this command will be something like this:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: socketdaddy
Creation date: Dec 15, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=SocketDaddy, OU=IT, O=SocketDaddy Pvt Ltd, L=Bengaluru, ST=KA, C=IN
Issuer: CN=SocketDaddy, OU=IT, O=SocketDaddy Pvt Ltd, L=Bengaluru, ST=KA, C=IN
Serial number: 4a1a8451
Valid from: Tue Dec 15 00:00:00 UTC 2023 until: Fri Dec 15 23:59:59 UTC 2023
Certificate fingerprints:
	 MD5:  3E:4F:8D:7A:1B:53:48:F9:10:4E:89:21:11:32:4A:2E
	 SHA1: B8:8A:1F:9F:C2:4C:58:34:6D:10:9A:2E:84:37:78:DB:91:5E:8C:FB
	 SHA256: 43:68:5D:6E:45:8C:AA:94:16:8B:42:8E:F7:31:2E:1C:72:2A:CD:10:AB:CE:7E:3C:1F:2A:18:F7:51:9A:64
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3


#1: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E 1A F4 17 78 C9 62 09   51 95 C5 33 97 64 D6 62  N...x.b.Q..3.d.b

#2: ObjectId: Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4E 1A F4 17 78 C9 62 09   51 95 C5 33 97 64 D6 62  N...x.b.Q..3.d.b


Leave a Reply

Your email address will not be published. Required fields are marked *