
How to use certs with Java keystore

Using certs, migrating certs between JVM versions, and debugging with keytool.

When you install the Java JDK or JRE, it comes with a utility called keytool, which manages the certificates and keys that the JVM can see and use. Using certs in Java can be a hassle, but once you know some of the basic keytool commands for exploring truststores and keystores, it becomes much easier.

If you want to see the details of a standalone cert:

keytool -printcert -v -file mydomain.crt

To list the certificates in the Java keystore:

keytool -list -v -keystore keystore.jks

Check to see if a keystore entry is available for an alias:

keytool -list -v -keystore keystore.jks -alias myalias

When you upgrade your JVM, you might not have all the keys available in the new version. To deal with this, there are a couple of commands you can use to migrate the keys to the new version of the JVM.

keytool -keystore <OldJDK>/jre/lib/security/cacerts -alias myalias -export -file <NewJDK>/jre/lib/security/myalias.cert
keytool -keystore <NewJDK>/jre/lib/security/cacerts -alias myalias -import -file <NewJDK>/jre/lib/security/myalias.cert
rm <NewJDK>/jre/lib/security/myalias.cert

When using sdkman on OS X, you can get the path of the JVM with the java_home command. That command is specific to the Mac and is not available on other operating systems.

Example of moving a cert from Java 1.8 to the current sdkman JVM:

keytool -keystore "$(/usr/libexec/java_home -v 1.8)/jre/lib/security/cacerts" -alias export_file -export -file ~/.sdkman/candidates/java/current/lib/security/export_file.cert

keytool -keystore ~/.sdkman/candidates/java/current/lib/security/cacerts -alias export_file -import -file ~/.sdkman/candidates/java/current/lib/security/export_file.cert

rm ~/.sdkman/candidates/java/current/lib/security/export_file.cert
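Before migrating, it helps to know which entries the new JVM is actually missing. The script below is an added example, not part of the original post: it compares two `keytool -list` outputs by certificate fingerprint rather than by alias. The function names `missing_in_new` and `compare_truststores` are hypothetical, and the listing format and the stock `changeit` password are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): find certificates that exist in
# the old JDK's truststore but not in the new one, matching on fingerprint
# rather than alias, so only the entries you actually need get migrated.
# Assumption: `keytool -list` prints an alias line ("myalias, <date>, ...")
# followed by "Certificate fingerprint (<alg>): <hex>" for each entry.

# missing_in_new OLD_LISTING NEW_LISTING
# Arguments are files holding `keytool -list` output. Prints "<alias><TAB><fp>"
# for every old entry whose fingerprint is absent from the new listing.
missing_in_new() {
    awk '
        /^Certificate fingerprint/ {
            alg = $3; fp = $NF
            if (FILENAME == ARGV[1]) {          # first file read: new listing
                new_alg = alg; in_new[fp] = 1
            } else {                            # second file read: old listing
                old_alg = alg
                alias = prev; sub(/,.*/, "", alias)
                n++; fps[n] = fp; names[n] = alias
            }
            next
        }
        NF { prev = $0 }                        # last non-empty line = alias line
        END {
            # Fingerprints are only comparable when both use the same hash.
            if (old_alg != "" && new_alg != "" && old_alg != new_alg) {
                print "fingerprint algorithms differ: " old_alg " vs " new_alg > "/dev/stderr"
                exit 2
            }
            for (i = 1; i <= n; i++)
                if (!(fps[i] in in_new)) print names[i] "\t" fps[i]
        }
    ' "$2" "$1"
}

# compare_truststores OLD_CACERTS NEW_CACERTS [STOREPASS]
compare_truststores() {
    pass=${3:-changeit}                         # assumed stock cacerts password
    old=$(mktemp) && new=$(mktemp) || return 1
    keytool -list -keystore "$1" -storepass "$pass" > "$old" &&
        keytool -list -keystore "$2" -storepass "$pass" > "$new" &&
        missing_in_new "$old" "$new"
    rc=$?
    rm -f "$old" "$new"
    return $rc
}
```

Review each alias it reports with `keytool -list -v -alias` before importing it into the new truststore. An exit status of 2 means the two JDKs print different fingerprint algorithms, so the listings cannot be compared directly.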

Hope this helps you determine what is going on with your environment. Let me know in the comments below if you have any other ideas on how to debug certs with keytool.

Other references to explore:

* The Most Common Java Keytool Keystore Commands - SSL Shopper
* Migrating keys across versions
