5.5.6.3.5: Options used with the keytool command

Administrators use the Keytool utility to perform tasks that apply to the keystore database or to the keystore entries: key pairs and trusted certificates. Administering a keystore database discusses the tasks that apply to the keystore database; Administering key pair entries discusses tasks that apply to key pair entries; Administering trusted certificates discusses tasks that apply to trusted certificate entries; and Administering both certificate and key pair entries discusses the tasks that are common to both entry types. Understanding how the Keytool utility works provides conceptual information about the Keytool utility. This article provides reference information about the options that are used with the keytool command.

Table 1 lists the options that can be combined with the keytool command. For each option, the following information is given:

  • Option--Specifies the option that can be combined with the keytool command

  • Function--Briefly describes the administrative task accomplished by the option

  • Values--Lists valid data entries for the option

  • Components--Identifies the Keytool components (keystore, key pair entries, trusted certificate entries) with which the option can be used

  • Use--Provides additional information about using the option

Table 1. Options used with the keytool utility

-alias
  • Function: Assigns an identity to a keystore entry
  • Values: User supplied
  • Components: Key pair entries; Trusted certificate entries
  • Use: Case insensitive; mykey (default)

-certreq
  • Function: Generates a certificate signing request
  • Values: Requires a -file option supplying the .csr file name
  • Components: Key pair entries
  • Use: Submitted to a certificate authority

-delete
  • Function: Removes an entry from the keystore
  • Values: Requires a -alias option to identify the entry
  • Components: Key pair entries; Trusted certificate entries; Keystores
  • Use: Case insensitive

-dest
  • Function: Identifies the destination alias for a cloned entry
  • Values: User supplied
  • Components: Key pair entries; Trusted certificate entries

-dname
  • Function: Assigns an X.500 Distinguished Name to an entry
  • Values: User supplied
  • Components: Key pair entries; Trusted certificate entries
  • Use: Order of subcomponents matters; inclusion of subcomponents is optional

-export
  • Function: Outputs a certificate in binary code
  • Values: Requires a -file option to supply the output file
  • Components: Key pair entries; Trusted certificate entries

-file name
  • Function: Identifies files to be used for import or export
  • Values: User supplied. Input: an identity database; input: a certificate reply from a certificate authority; output: a certificate signing request
  • Components: Key pair entries; Trusted certificate entries; Keystores
  • Use: Standard input (default for reads); standard output (default for writes)

-genkey
  • Function: Creates a new key pair entry; creates a keystore if none exists
  • Values: User supplied
  • Components: Key pair entries

-help
  • Function: Displays help for the Keytool utility
  • Use: Issuing the keytool command with no options also displays help

-identitydb
  • Function: Migrates an identity database to a keystore database
  • Values: Requires the -file option to supply the identity database name
  • Components: Keystores
  • Use: Only trusted entries are imported

-import
  • Function: Brings the contents of a file into the keystore
  • Values: Requires the -file option to identify the file source
  • Components: Trusted certificate entries
  • Use: Automatically invokes the -printcert option (unless the -noprompt option is included)

-J command
  • Function: Passes a Java command to the interpreter

-keyalg
  • Function: Signifies the algorithm to be used for key pair creation
  • Values: DSA (default); RSA
  • Components: Key pair entries; Trusted certificate entries
  • Use: The entry for this option determines the value for the -sigalg option

-keysize
  • Function: Specifies a key size
  • Values: Requires a value in multiples of 64 bits
  • Components: Key pair entries; Trusted certificate entries
  • Use: 1024 bits (default); range is from 512 to 1024 bits

-keypass
  • Function: Assigns a password to a key pair
  • Values: User supplied
  • Components: Key pair entries; Trusted certificate entries
  • Use: Case insensitive

-keystore
  • Function: Customizes the name and location of a keystore
  • Values: User supplied
  • Components: Key pair entries; Trusted certificate entries; Keystores
  • Use: The -genkey, -import, or -identitydb options create a keystore if none exists

-keypasswd
  • Function: Changes a password for a keystore entry
  • Values: User supplied
  • Components: Key pair entries; Trusted certificate entries
  • Use: Case insensitive

-keyclone
  • Function: Clones a keystore entry
  • Values: Requires a -dest option to identify the destination alias
  • Components: Key pair entries; Trusted certificate entries

-list
  • Function: Displays an entry if an alias is supplied; displays the contents of a keystore if no alias is supplied
  • Components: Key pair entries; Trusted certificate entries; Keystores
  • Use: MD5 fingerprint (default)

-new
  • Function: Identifies the new password
  • Values: User supplied
  • Components: Key pair entries; Trusted certificate entries; Keystores
  • Use: Combined with the -keypasswd and -storepasswd options

-noprompt
  • Function: Indicates that no prompts are to be issued during an import operation
  • Components: Trusted certificate entries
  • Use: Suppresses the default -printcert option associated with a -import option

-printcert
  • Function: Prints a certificate fingerprint
  • Components: Trusted certificate entries
  • Use: Binary code format (default)

-rfc
  • Function: Converts output display to printable encoding format
  • Values: Combined with the -printcert and -list options
  • Components: Trusted certificate entries
  • Use: Uses the Internet RFC 1421 standard

-selfcert
  • Function: Generates a new self-signed certificate
  • Values: If the -dname option is supplied, issuer and subject take that X.500 Distinguished Name; if no -dname option is supplied, issuer and subject take the X.500 Distinguished Name of the alias
  • Components: Key pair entries; Trusted certificate entries
  • Use: Output: X.509 v1 self-signed certificate

-sigalg
  • Function: Specifies the algorithm to be used to sign the certificate
  • Values: SHA1withDSA; MD5withRSA
  • Components: Key pair entries; Trusted certificate entries
  • Use: Correlates with the value for the -keyalg option

-storetype
  • Function: Assigns a type to a keystore or an entry in a keystore
  • Values: A Service Provider Interface format
  • Components: Key pair entries; Trusted certificate entries; Keystores
  • Use: JKS (default); case insensitive

-storepass
  • Function: Assigns a password to a keystore
  • Values: User supplied
  • Use: Case insensitive

-trustcacerts
  • Function: Indicates that the certificate is to be considered for inclusion in the list of trusted certificates (the cacerts file)
  • Components: Trusted certificate entries

-v
  • Function: Designates verbose output

-validity
  • Function: Identifies an expiration period
  • Components: Key pair entries; Trusted certificate entries
  • Use: 90 days (default)
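The following is an added example, not part of the InfoCenter page: a small POSIX sh lint that checks a keytool command line for the companion options the Values column marks as required (-certreq, -export, -import and -identitydb need -file; -delete needs -alias; -keyclone needs -dest), followed by a genkey, certreq, export and list sequence built from the same options. The keystore path, alias, Distinguished Name and passwords are constructed placeholders, and 2048-bit RSA is used in place of the table's 1024-bit ceiling because current JDKs warn below 2048 bits.

```shell
#!/bin/sh
# Added example, not from the InfoCenter page: lint a keytool command line against
# the companion-option requirements in Table 1, then run a key pair lifecycle built
# from the same options. Keystore path, alias, DN and passwords are placeholders.
# Companion option that the Values column says each option requires.
required_companion() {
  case "$1" in
    -certreq|-export|-identitydb|-import) echo "-file" ;;
    -delete)                              echo "-alias" ;;
    -keyclone)                            echo "-dest" ;;
    *)                                    echo "" ;;
  esac
}

# Return 0 when every option in "$1" has its required companion; otherwise
# print the first missing companion and return 1.
lint_keytool_cmd() {
  for word in $1; do
    case "$word" in -*) ;; *) continue ;; esac
    need=$(required_companion "$word")
    [ -n "$need" ] || continue
    case " $1 " in
      *" $need "*) ;;
      *) echo "$word requires $need"; return 1 ;;
    esac
  done
  return 0
}

KS=./demo.jks; ALIAS=server
STOREPASS=change-me-store; KEYPASS=change-me-key   # constructed placeholders
DNAME="CN=app.example.com, OU=IT, O=Example, C=US" # subcomponent order matters
# -genkey creates $KS if it does not exist (Table 1, -keystore row). 2048-bit RSA
# is used instead of the table's 1024-bit ceiling; current JDKs warn below 2048.
genkey_cmd()  { echo "keytool -genkey -alias $ALIAS -keyalg RSA -keysize 2048 -validity 90 -dname \"$DNAME\" -keystore $KS -storetype JKS -storepass $STOREPASS -keypass $KEYPASS"; }
certreq_cmd() { echo "keytool -certreq -alias $ALIAS -file $ALIAS.csr -keystore $KS -storepass $STOREPASS -keypass $KEYPASS"; }
export_cmd()  { echo "keytool -export -alias $ALIAS -file $ALIAS.cer -keystore $KS -storepass $STOREPASS"; }
list_cmd()    { echo "keytool -list -v -alias $ALIAS -keystore $KS -storepass $STOREPASS"; }

# Lint each step, then run it when a keytool binary is on PATH.
run_lifecycle() {
  rm -f "$KS" "$ALIAS.csr" "$ALIAS.cer"
  for step in genkey_cmd certreq_cmd export_cmd list_cmd; do
    cmd=$($step)
    lint_keytool_cmd "$cmd" || return 1
    command -v keytool >/dev/null 2>&1 || continue   # lint only if keytool is absent
    eval "$cmd" || return 1
  done
}
```

Run `run_lifecycle` from the directory where the keystore should be created; the .csr it writes is what the -certreq row describes as submitted to a certificate authority.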