Mastering keytool on CentOS 7: Generate Keystores, CSRs, and Manage Certificates

keytool is a security utility bundled with the Java Development Kit (JDK) for managing keys and certificates. The following examples demonstrate its basic usage on CentOS 7.

Generate a keystore and key pair

Use the command below to create a new keystore file mykeystore.jks and a key pair named mykey with the RSA algorithm (2048‑bit) that is valid for 365 days.

keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore mykeystore.jks -validity 365

Generate a Certificate Signing Request (CSR)

When a certificate from a Certificate Authority (CA) is required, generate a CSR from the existing keystore entry:

keytool -certreq -alias mykey -file mycsr.csr -keystore mykeystore.jks

Import a certificate or certificate chain

After obtaining a signed certificate (e.g., mycertificate.crt), import it into the keystore and associate it with the alias:

keytool -importcert -alias mykey -file mycertificate.crt -keystore mykeystore.jks

List keystore contents

To view all entries stored in the keystore:

keytool -list -keystore mykeystore.jks

Export a certificate

Export the certificate linked to an alias to a file for distribution or further use:

keytool -exportcert -alias mykey -file mycertificate.crt -keystore mykeystore.jks

These commands cover the essential operations developers need when handling SSL/TLS certificates or interacting with Java applications on Linux.