Java
Useful Java Keystore Commands
Posted by Rafael Lopes
Do you need a hand changing Java SSL certificates? You came to the right place!
When changing an SSL certificate, we first need to know the aliases of the certificates involved. The command below prints all the information about the certificates installed on the server and pipes it to less so that we can search it. Entries in the output are delimited by two lines of * characters. Look for the certificate you want to remove and take note of its alias.
List existing certificates
$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -v |less
Now that we have found the old certificate, let's find the alias of the new one. For a .pfx file, this command can help you out:
openssl pkcs12 -info -in Your_Certificate.pfx
The alias is also known as friendlyName. This command is always useful, since it shows you the information of any standalone certificate.
Installing new certificate
Now that we have both aliases in hand, let's install the new certificate with the command below. The alias must be included in the command, otherwise it won't work.
$JAVA_HOME/bin/keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore $JAVA_HOME/jre/lib/security/cacerts -srckeystore ./Your_Certificate.pfx -srcstoretype PKCS12 -alias <the certificate alias here>
You can list the server certificates again to check that it has been successfully installed:
$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -v |less
Removing old certificates
$JAVA_HOME/bin/keytool -delete -keystore $JAVA_HOME/jre/lib/security/cacerts -alias <the alias you want to remove>
That's all, isn't it easy?
Hints and tips:
- The default password for the Tomcat Keychain is changeit; if you don't know your keystore password, try this one;
- If your certificate does not have a passphrase, just press enter when asked for a passphrase;
- You may need to reload Tomcat for the changes to take effect; use the commands below to do that gracefully:
/usr/tomcat/apache-tomcat-7.0.21/bin/shutdown.sh
/usr/tomcat/apache-tomcat-7.0.21/bin/startup.sh
- If the shell variable $JAVA_HOME doesn't exist, you can use /usr/java/jdkX.X.X instead.
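To find the old and new aliases without paging through the listing, the verbose output can be reduced to one line per entry, split on the two-line * delimiter described above. This is an added example, not part of the original post: the sample listing, the aliases old-site and new-site, and the function names are made up for illustration, and it assumes keytool's English-locale labels.

```shell
# Added example. SAMPLE is constructed text in the layout of `keytool -list -v`
# (English locale assumed); the aliases and subjects are made up.
SAMPLE='Keystore type: JKS
Your keystore contains 2 entries

Alias name: old-site
Entry type: trustedCertEntry

Owner: CN=www.example.test, O=Example
Valid from: Tue Jan 10 00:00:00 UTC 2012 until: Thu Jan 10 00:00:00 UTC 2013

*******************************************
*******************************************

Alias name: new-site
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example
Valid from: Sat Jan 05 00:00:00 UTC 2013 until: Mon Jan 05 00:00:00 UTC 2015
'

# Reads a verbose listing on stdin; prints alias, entry type, owner and expiry
# (tab-separated) for each entry. Entries end at the two-line * delimiter.
summarise_keystore() {
  awk '
    function emit() {
      if (alias != "") printf "%s\t%s\t%s\t%s\n", alias, etype, owner, expiry
      alias = etype = owner = expiry = ""
    }
    /^\*+$/         { emit(); next }
    /^Alias name: / { emit(); alias = substr($0, 13) }
    /^Entry type: / { etype = substr($0, 13) }
    /^Owner: /      { if (owner == "") owner = substr($0, 8) }   # first cert of a chain
    / until: /      { if (expiry == "") expiry = substr($0, index($0, " until: ") + 8) }
    END             { emit() }'
}

# aliases_for_cn CN: entries whose owner has exactly this CN, so the old and
# new entry for one host can be told apart before running -delete.
aliases_for_cn() {
  summarise_keystore | awk -F '\t' -v cn="CN=$1" '
    { n = split($3, rdn, /, */)
      for (i = 1; i <= n; i++) if (rdn[i] == cn) print $1 "\t" $2 "\t" $4 }'
}

printf '%s\n' "$SAMPLE" | aliases_for_cn www.example.test
# Real use: "$JAVA_HOME/bin/keytool" -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts" | summarise_keystore
```

Comparing the expiry column before and after the import confirms which alias is the stale one before it is deleted.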
