5.5.6.3.4: Administering both certificate and key pair entries

Administrators use the Keytool utility to perform tasks that apply to the keystore database as a whole or to the individual keystore entries: key pairs and trusted certificates. Administering a keystore database discusses the tasks that apply to the keystore database; Administering key pair entries discusses the tasks that apply to key pair entries; and Administering trusted certificates discusses the tasks that apply to trusted certificate entries. Understanding how the Keytool utility works provides conceptual information about the Keytool utility, and Options used with the keytool command provides reference information for the options used with the keytool command. This article discusses the administrative tasks that apply to both keystore entry types and covers the following topics:

   Assigning an alias
   Deleting a keystore entry
   Setting an expiration period
   Changing a password for a keystore entry

Assigning an alias

All keystore entries, whether key pair entries or trusted certificate entries, are identified by a unique alias. The alias is assigned to the entry when you generate a new public-private key pair (-genkey option), when you import a certificate to the list of trusted certificates (-import option), or when you migrate an identity database (-identitydb option). Aliases are not case-sensitive: the alias Sally and the alias sally refer to the same entry.

Subsequent keytool commands use the -alias option to identify the entry on which the operation is to be performed. Because an alias must be unique within a keystore, a -genkey command that names an existing alias is rejected rather than overwriting the entry. Be aware that -import behaves differently: importing a certificate into an alias that already holds a key pair is treated as installing a certificate reply for that key pair, not as adding a trusted certificate entry.


Deleting a keystore entry

To delete a keystore entry of either type, identify the entry by its alias and issue the keytool command in combination with the -delete option. For example:

keytool -alias fred -delete

This command removes the entry associated with the alias fred from the keystore. Unless you name the keystore with the -keystore option, the command operates on the default keystore, the .keystore file in your home directory; unless you supply the keystore password with the -storepass option, you are prompted for it. The deletion cannot be undone, and if the entry is a key pair the private key is removed with it, so export the certificate or back up the keystore first if the key might still be needed.


Setting an expiration period

When keytool generates a key pair with the -genkey option, it wraps the public key in a self-signed certificate, and the validity period of that certificate determines when the entry expires. The default validity period is 90 days. To assign a different period when you create the key pair, add the -validity option, with the period in days, to the -genkey command. For example:

keytool -genkey -alias sally -validity 180

To change the period for an existing key pair entry, identify the entry by its alias and issue the keytool command with the -selfcert option and a new -validity value; this replaces the entry's self-signed certificate with a new one whose validity period starts at the time the command runs. For example:

keytool -selfcert -alias sally -validity 180

The -validity option does not apply to trusted certificate entries or to certificates brought in with the -import or -identitydb options: the validity period of an imported certificate was fixed by its issuer when the certificate was signed, and keytool cannot change it. To extend the lifetime of such an entry, obtain a newly issued certificate, delete the old entry, and import the new certificate under the same alias. Before relying on any entry, check its expiration with the -list -v option, which prints the Valid from and until dates of the certificate.


Changing a password for a keystore entry

To change the password that protects the private key of a key pair entry, identify the entry by its alias and issue the keytool command in combination with the -keypasswd option, supplying the current key password with -keypass and the replacement with -new. For example:

keytool -keypasswd -alias sally -keypass oldpassword -new newpassword

This command changes the password for the entry identified as sally from oldpassword to newpassword. If you omit -keypass, keytool prompts for the existing password associated with the specified alias, and if you omit -new it prompts for the replacement. Prompting is the safer choice: a password given on the command line is visible to other users in the process list and is recorded in the shell history. Trusted certificate entries hold only public data and have no entry password, so -keypasswd applies to key pair entries only.

See Changing the password for a keystore for information on changing the password for the keystore database.
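The following script is an added example, not code from the original page or from the product it documents. It exercises the four tasks above (assigning an alias, setting an expiration period, changing a key password, deleting an entry) against a throwaway JKS keystore using the JDK keytool, and adds the checks a practitioner wants: an openssl-based test of whether an entry's certificate will still be valid a given number of days from now, and a CSR-based test that a key password really changed. The keystore path, the passwords, the aliases sally and sally-trusted, and the use of openssl for the expiry check are assumptions of the example; the keytool options themselves are standard ones.

```shell
#!/bin/sh
# Added example (not from the original page): exercises alias assignment,
# expiration period, key password change and deletion with the JDK keytool.
# Assumptions: keytool and openssl are on PATH; KS and STOREPASS are
# constructed demo values, not anything from the page.
set -eu

KS="${KS:-$(mktemp -d)/demo.jks}"   # constructed: throwaway keystore path
STOREPASS="${STOREPASS:-storepw}"  # constructed demo keystore password

# Every command names the keystore explicitly instead of relying on
# ~/.keystore, and JKS is forced because PKCS12 stores (the default in
# newer JDKs) do not support a per-entry key password.
kt() { keytool -keystore "$KS" -storetype JKS -storepass "$STOREPASS" "$@"; }

# Assign an alias and an expiration period (days) at creation time.
# -genkey and -import are the names the page uses; newer JDKs call them
# -genkeypair and -importcert but still accept the old names.
create_keypair() {  # alias keypass validity_days
  kt -genkey -alias "$1" -keyalg RSA -keysize 2048 -keypass "$2" \
     -validity "$3" -dname "CN=$1, O=Example" >/dev/null 2>&1
}

# Import a PEM certificate as a trusted certificate entry under a new alias.
# -noprompt skips the interactive "Trust this certificate?" question.
import_trusted() {  # alias pem_file
  kt -import -noprompt -alias "$1" -file "$2" >/dev/null 2>&1
}

# Export an entry's certificate in PEM form (works for both entry types).
export_cert() {  # alias pem_file
  kt -exportcert -rfc -alias "$1" -file "$2" >/dev/null 2>&1
}

# Succeed only if the entry's certificate is still valid DAYS days from now.
valid_for_days() {  # alias days
  kt -exportcert -rfc -alias "$1" 2>/dev/null \
    | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

entry_exists() { kt -list -alias "$1" >/dev/null 2>&1; }

# Prints PrivateKeyEntry (keyEntry on old JDKs) or trustedCertEntry.
entry_type() {
  kt -list -alias "$1" 2>/dev/null \
    | grep -oE 'PrivateKeyEntry|keyEntry|trustedCertEntry' | head -n 1
}

# Change the private-key password of a key pair entry. Fails for a
# trusted certificate entry, which has no key and therefore no password.
change_keypass() {  # alias old new
  kt -keypasswd -alias "$1" -keypass "$2" -new "$3" >/dev/null 2>&1
}

# Verify a key password without changing anything: generating a CSR needs
# the private key, so it fails unless the password is right.
keypass_ok() {  # alias keypass
  kt -certreq -alias "$1" -keypass "$2" -file /dev/null >/dev/null 2>&1
}

delete_entry() { kt -delete -alias "$1" >/dev/null 2>&1; }

demo() {
  tmp=$(mktemp)
  create_keypair sally oldpassword 180
  export_cert sally "$tmp"
  import_trusted sally-trusted "$tmp"
  rm -f "$tmp"
  echo "sally: $(entry_type sally), sally-trusted: $(entry_type sally-trusted)"
  valid_for_days sally 179 && echo "sally still valid in 179 days"
  valid_for_days sally 181 || echo "sally expired by day 181 (validity 180)"
  change_keypass sally oldpassword newpassword
  keypass_ok sally newpassword && echo "new key password accepted"
  change_keypass sally-trusted x y || echo "-keypasswd rejected for trusted entry"
  delete_entry sally-trusted
  entry_exists sally-trusted || echo "sally-trusted deleted"
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "keytool or openssl not on PATH; demo skipped" >&2
fi
```

The passwords are passed on the command line here only so the script runs unattended; in interactive use omit -storepass, -keypass and -new and let keytool prompt, for the reason given under Changing a password for a keystore entry. The -checkend test is the practical form of the expiration check: a certificate that passes -list -v today can still be hours from expiring, whereas asking whether it remains valid for the length of your next maintenance window gives an answer you can act on.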
