Understanding java keytool, working with .crt files, fixing certificate problems

By neokrates, written on June 8, 2010


  • Join date: 11-30-99
  • Posts: 224
View Counter:
Rate it
  • Your skill as shell programmer is?

    View Results

    Loading ... Loading ...
  • bodytext bodytext bodytext

Java keytool can be used for https connections, to allow access only to authorized clients. Any tool or java code can use an installed certificate to connect to the server.

❓ How Java keytool works

Maybe you want to make your server publicly accessible, but restricted to particular team or organization.
Or you build an infrastructure of your enterprise and want it to be secure. In such situation you will need a method to control, who can use particular service.
Such resource should be protected from unauthorized usage, channel between server and authorized client must be secure.

Java keytool allows to certify given java client for work with particular server over https. That is an established and easy to use java standard.

To be certified to use particular service, client should do the following:

✔ get the certificate which server expects(.crt file). Probably admin can provide you with it;

✔ add it to your keyring using:

keytool -import


✔ check with the manual of the client tool you use for details of configuration, if there is any.


Adding certificate to the keystore


⭐ my.cert.location/my.cert.crt – certificate to be installed

⭐ “changeit” – default keystore path (if you didn’t set it, its java default)

⭐ default java keystore location – $JAVA_HOME/jre/lib/security/cacerts

Following will add the certificate to the default java keyring:

keytool -import -file my.cert.location/my.cert.crt -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1


💡 Answer ‘yes’ when prompted.


Listing certificates in the keystore

This will list the certificates in the keystore:

keytool -list -storepass changeit -keystore /opt/java/jre/lib/security/cacerts

Output is something like:

mycert1, May 10, 2010, trustedCertEntry,Certificate fingerprint (MD5):
verisigntsaca, Aug 13, 2008, trustedCertEntry,Certificate fingerprint (MD5):
baltimorecodesigningca, May 10, 2002, trustedCertEntry,Certificate fingerprint (MD5):

Important part is the alias which certificate has. You can import and export certificates using alias.

💡 In the keytore, unique identification or name of the certificate is called alias

To determine if the certificate with alias mykey1is there, use:

  keytool -list -storepass changeit -keystore /opt/java/jre/lib/security/cacerts |grep mykey1 -A1


💡 It will list all what keyring has about the certificate.

Following problem might occur if server doesn’t find the certificate it expects:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Given one client which works and one which cannot connect to the server, you can do the following to fix the problem:

⭐ Compare MD5 Sums of same certificate from both servers

⭐ Check that the same certificates are installed (nothing missing)

⭐ Import missing certificates from the working server

⭐ Print the certificate content to learn more about it


Exporting the certificate from the keystore


keytool -exportcert -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1 > my.cert.location/my.cert.1.crt


The my.cert.1.crt can be then re-imported into another keyring.


Learning more about the certificate


💡 REMARK: we use the same certificate we have exported in the chapter above.

To learn about the owner, organization, etc. who has issued the certificate, following command can be used

keytool -printcert -file mycert.crt



Removing the certificate from the keystore


keytool -delete -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1


Non-interactive mode (suppress keytool questions)

That is useful in bash scripts. Use the -noprompt option:

keytool -delete -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -alias mycert1 -noprompt


That’s it, have fun :)

Be Sociable, Share!
Does that help to solve your problem?
VN:F [1.8.5_1061]
Rating: +7 (from 7 votes)
7 votes 'YES'  0 votes 'NO'


Be Sociable, Share!


2 Responses to “Understanding java keytool, working with .crt files, fixing certificate problems”

  1. John says:

    Exactly what I was looking for … thanks!

Leave a Reply