keytool.exe : Java Glossary

The CurrCon Java Applet displays prices on this web page converted with today’s exchange rates into your local international currency, e.g. Euros, US dollars, Canadian dollars, British Pounds, Indian Rupees… CurrCon requires an up-to-date browser and Java version 1.8, preferably 1.8.0_121. If you can’t see the prices in your local currency, Troubleshoot. Use Firefox for best results.

Java version 1.4 or later tool for creating phony self-signed certificates and managing imported certificates for Sun-style Applet signing and Java Web Start.

The code signing certificates Sun uses are usually X.509/DER binary format, with the extension *.cer. Sometimes they are in X.509/DER BASE64 encoded printable ASCII (American Standard Code for Information Interchange) format, also with the extension *.cer. These certificates don’t contain the private key. When certificates are stored in .keystore certificate collections, they do contain the private key.

To use keytool.exe make sure you are running as administrator, or you won’t be able to access cacerts..
Files Other Useful keytool Commands
KeyStore formats Exporting Private Keys
Generating a Real Certificate Passwords
Generating a Phony Certificate Backups
Creating .keystore Learning More
Updating Root Certificates Links


.keystore contains your code signing certificates.
See the .keystore location entry for where to find your .keystore file.
You may have multiple .keystore files. When running keytool.exe, set the current working directory to the directory where .keystore is so that keytool.exe will know which .keystore you want. Each certificate contains both a private and public key. It may also contain authority certificates that contain only a public key. When you create a .keystore file, you assign it a password.

J:\Program Files\java\jdk1.8.0_121\jre\lib\security\cacerts. contains your authority certificates. Each certificate contains only a public key. There is only one cacerts. file. It comes preloaded with the JRE/JDK with root signing authority certificates from Verisign and Thawte. It comes by default with password changeit (changeme on the Mac).

Keystore Formats

Usually the .keystore file is stored in Sun JKS (Java Key Store) format, but keytool.exe is capable of dealing with other formats as well. Here is how to find out what other formats are supported on your 

Generating a Real Certificate

If you want to buy a real certificate, you first use the -genkey option to generate a private/public key pair in your .keystore file. This can take a while. Don’t panic. Then you export the public key as a PKCS#10 certificate request and send it to the certificate authority. To be precise, if you want to buy a certificate from Thawte (who support  Put these commands in a BAT (Batch) file. It is almost impossible to type them correctly from the command line because they are so long. CN must be a valid domain name, not your first and last name! OU is usually your department, but you could use it for your personal name. O is your organisation. L is your location/city. See the list of C=country codes, S=state codes and S=province codes. Whatever you put in here, you are asking the signing authority to attest to, so don’t put in anything they can’t easily verify.

Make a backup of your .keystore file. See the .keystore entry for where to find it. These have a habit of mysteriously corrupting themselves. If you lose it, you lose your private key and your certificate will become worthless.

For a $200.00 USD fee, Thawte will sign your certificate request with their private key and send it back to you in either X.509/DER or preferably the more advanced PKCS (Public-Key Cryptography Standards) #7 format which includes certificate chains. You then import that certificate into your .keystore file and you can then use it for signing your code. To import

REM import purchased code-signing cert into cacerts
REM Prior to Java 1.6 use -import instead of -importcert
keytool -importcert -alias pluginsigner -trustcacerts -file cert.cer

REM import purchased code-signing cert into the user directory .keystore
keytool -importcert  -alias pluginsigner -file cert.cer
You don’t import it into your cacerts.. This a code-signing certificate, not an authority certificate. The root Thawte certificate that comes preloaded in your cacerts. file is your authority certificate.

Note, you never tell the certificate authority your private key. The certificate request and the certificate they send back do not contain the private key and hence are useless to anyone who does not have access to your private key.

Generating a Phony Certificate

If you want to create a phony self-signed certificate, the first steps are the similar except you must use the -selfcert option and export the finished PKCS#7 certificate. Basically, you set yourself up as a miniature certificate signing authority. To be precise: phony is the alias for your cert. That is not a particularly auspicious name. See the jar essay where I talk about phony.dsa. You would be better to choose something dignified that hinted at your company name.

Since your clients have never heard of your miniature signing authority, you might try loading the phonycert.p7b into each browser who will use your code as if it were a signing authority. Even after you do that, your code still won’t work because Sun Plug-in looks in the policy. and .keystore files on each client machine to decide if it will let code run. You must update all those client .keystore files with your cert so they would work too.

Creating .keystore

Now you can finally sign your code with jarsigner and have your clients run it. A .keystore file is automatically created whenever you use a -genkey, -import, or -identitydb command to add data to a .keystore that doesn’t yet exist. If you want to create one programmatically 
// accessing a keystore in Java
KeyStore ks = KeyStore.getInstance( "JCEKS", "SunJCE" );

Updating Root Certificates

If your cacerts. file is missing the root signing authority certificate, your purchased cert will behave like a phony-self-signed cert. See certificate for how to get the missing root certificates. Import them into all your cacerts. files with 

Here are places to look for your cacerts. files:
C:\Program Files\java\jre1.8.0_121\lib\security\cacerts.
C:\Program Files (x86)\java\jre1.8.0_121\lib\security\cacerts.
"J:\Program Files (x86)\JetBrains\IntelliJ IDEA 2017.1\jre\jre\lib\security\cacerts."

Other Useful keytool Commands

If you screw up, you can start over by deleting your .keystore file, or by deleting the offending entries. Make sure you never delete the private key for one of your paid certificates though!

You can tell if a certificate includes a private key by the way keytool lists it. Signing certificates with private keys will be marked keyEntry. Authority certificates without private keys will be marked trustedCertEntry.

Keytool, however, will not tell you if a certificate is DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir and Adelman) and how many bits it is. You can determine that with IBM (International Business Machines) ’s keyman. It is best then to choose names of aliases and certificate files e.g. mindprod2006dsa.cer that will help you remember.

Exporting Private Keys

Keytool will generate a private key, but won’t import or export one. This is why you can’t easily convert a Sun code signing certificate to a Netscape code signing certificate or vice versa. Mitch Gallant has found a way around this that uses the BouncyCastle classes, but it is no longer available.

You must plan ahead and generate your private key in the .keystore where you want to it to finally reside. People not understanding the process so often lose the original private key, or find they can’t move it to where it is needed. This applies even more so to SSL (Secure Sockets Layer) certificates.

Understand the process!


Both the .keystore and cacerts. file are password protected. The cacerts. password by default is changeit (changeme on the Mac), which, surprise, you are supposed to change. .keystore by default has no password.

There are also optional additional password protections on each individual item in the store. Passwords are case-sensitive and must be at least 6 letters long. Best to include some digits to make them harder to guess. Putting punctuation in them will make it difficult to use them on the command line.



You need to keep backups of all your key files since the signing authorities won’t replace your certs if you lose your private key. Use a tool like tcc/TakeCommand DESCRIBE to label all your files. There are many formats and keytool can only read some of them. Many are binary formats so peeking with a text editor won’t help either. You will soon become hopelessly confused about what is what if you don’t meticulously label them all.

Learning More

Oracle’s Javadoc on KeyStore class : available:
keyman: IBM’s more user-friendly keystore manipulator
KeyTool IUI: third party GUI version of keytool
self-signed certificates
signed Applets

This page is posted
on the web at:

Optional Replicator mirror
on local hard disk J:

Canadian Mind Products
Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

Your face IP:[]
You are visitor number