Using Java keytool programmatically

  Pi Ke        2016-01-09 06:28:07       25,170        14         

Java ships with a command line tool for accessing and operating on the different keystores that hold keys and certificates. The tool is named keytool and is located at \bin.

On the command line, you can issue the command below to generate a keystore named mytest.jks that contains a private key and its certificate chain.

keytool -genkeypair  -alias mykey  -keyalg RSA  -sigalg SHA256withRSA  -dname CN=Java  -storetype JKS  -keypass password  -keystore mytest.jks  -storepass password

Sometimes, for testing purposes, we may want to issue these commands from our applications instead of starting a command line terminal. This is doable since keytool itself is just a wrapper around Java classes that do the actual keystore operations: the keytool launcher internally invokes the sun.security.tools.keytool.Main.main() method.

Hence, in Java code we can call this method directly to run keytool. For example, to generate a keypair in a keystore and then list the keystore, we can write the following code.

public class KeyToolTest {
    public static void main(String[] args) {
        generateKeyPair();
        list();
    }

    // List keystore
    public static void list() {
        String command = " -list " +
                         " -v " +
                         " -keystore mytest.jks " +
                         " -storepass password";
        execute(command);
    }

    // Generate keypair
    public static void generateKeyPair() {
        String command = " -genkeypair " +
                         " -alias mykey " +
                         " -keyalg RSA " +
                         " -sigalg SHA256withRSA " +
                         " -dname CN=Java " +
                         " -storetype JKS " +
                         " -keypass password " +
                         " -keystore mytest.jks " +
                         " -storepass password";
        execute(command);
    }

    // Execute the command. Note that keytool's Main calls System.exit(1) when a
    // command fails, so such failures terminate the JVM instead of reaching the
    // catch block below.
    public static void execute(String command) {
        try {
            printCommand(command);
            sun.security.tools.keytool.Main.main(parse(command));
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    // Parse the command string into an option array by splitting on whitespace.
    // An option value that itself contains spaces (e.g. a multi-part -dname)
    // would be split apart here, so build the array directly for such values.
    private static String[] parse(String command) {
        String[] options = command.trim().split("\\s+");
        return options;
    }

    // Print the command
    private static void printCommand(String command) {
        System.out.println(command);
    }
}

The only thing that needs to be taken care of is that sun.security.tools.keytool.Main.main() receives the command's options as a String array rather than as a single command string. You can issue other commands as well with the logic above.
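As an added example (not code from the original post), here is a variant of the same approach that builds the option array directly, so a -dname containing spaces stays a single argument, resolves keytool's entry point through reflection, and then verifies the generated entry with the public java.security.KeyStore API rather than trusting keytool's printed output. The keystore name, alias, DN and password are assumed values; on JDK 9 and later the JVM must be started with --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED because the package is not exported.

```java
import java.io.FileInputStream;
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class KeyToolArgsExample {

    // Build the option array directly instead of splitting a command string, so a
    // value containing spaces (the DN passed below) stays one argument to keytool.
    static String[] genKeyPairArgs(String keystore, String alias, String dn, String pw) {
        return new String[] {
            "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
            "-sigalg", "SHA256withRSA", "-dname", dn, "-storetype", "JKS",
            "-keystore", keystore, "-storepass", pw, "-keypass", pw };
    }

    // Resolve keytool's entry point at run time so this class compiles on any JDK.
    // On JDK 9+ the package is not exported, so the JVM needs
    //   --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED
    // Note: keytool calls System.exit(1) when a command fails, so a bad option or
    // an already existing alias terminates the calling JVM instead of throwing.
    static void runKeyTool(String... args) throws Exception {
        Class<?> main = Class.forName("sun.security.tools.keytool.Main");
        Method m = main.getMethod("main", String[].class);
        m.invoke(null, (Object) args);
    }

    // Verify the result with the public KeyStore API instead of parsing keytool output.
    static X509Certificate loadCert(String keystore, String alias, String pw) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystore)) {
            store.load(in, pw.toCharArray());
        }
        return (X509Certificate) store.getCertificate(alias);
    }

    public static void main(String[] argv) throws Exception {
        String ks = "mytest.jks";   // assumed file name, as in the post
        String pw = "password";     // assumed password, as in the post
        Files.deleteIfExists(Paths.get(ks)); // keytool refuses to reuse an existing alias
        runKeyTool(genKeyPairArgs(ks, "mykey", "CN=Java, O=Example Org, C=US", pw));
        X509Certificate cert = loadCert(ks, "mykey", pw);
        System.out.println("Subject:   " + cert.getSubjectX500Principal());
        System.out.println("Not after: " + cert.getNotAfter());
    }
}
```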

  14 COMMENTS


Anonymous
Sep 15, 2016 at 8:31 am

Unfortunately in Java 8

sun.security.tools.keytool.Main

is not API ..

Ke Pi
Sep 15, 2016 at 9:44 am

Yes. Because it's a sun.* package which is an internal package and it may not be supported in the future. In Java 8, I think you can still use reflection to do this.

Anonymous
Feb 5, 2018 at 4:18 pm

Useless post!

Ke Pi
Feb 6, 2018 at 5:27 am

Really hate this kind of comment. It does no good to anyone. You should give a reason or suggestion about the post if you have any problem with it instead of just blindly criticizing something.

Anonymous
Sep 15, 2023 at 9:27 am

Useless comment

Anonymous
Mar 28, 2018 at 4:13 pm

Good post. It would be nicer if you could show how to add the organization name, first name, last name, etc.

Anonymous
Mar 28, 2018 at 6:15 pm

Is there any way we can add an email except by importing a certificate?

Ke Pi
Mar 29, 2018 at 8:49 am

You mean add organization name to certificate?

Anonymous
Mar 30, 2018 at 8:52 am

Good post, is there any way to get expiration date of every certificate in the keystore?

Ke Pi
Mar 30, 2018 at 9:36 am

Keytool itself doesn't provide this capability. Below are two possible solutions for your reference.

  1. Use keytool to list all entries and then use the grep command:
     keytool -list  -v  -keystore mytest.jks  -storepass password | grep "Valid from"
  2. Do it programmatically. Convert the certificate to an X509Certificate and then call the getNotAfter() method:
     ((X509Certificate)cert).getNotAfter()

If you want to know how to operate a keystore in Java, you can refer to https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview
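The second approach in the reply above, carried through as an added example that is not part of the original post or comment: it walks every alias with the public KeyStore API, takes the whole chain of each key entry, and classifies each certificate by its getNotAfter() date. The file name, password and the 30-day warning threshold are assumed values; unlike grepping "Valid from", this does not depend on keytool's localized message text.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;

public class KeyStoreExpiryCheck {

    static final int WARN_DAYS = 30; // assumed threshold for "expiring soon"

    // Prints one line per X.509 certificate in the keystore: every certificate of
    // each key entry's chain and the certificate of each trusted-cert entry.
    static void report(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // the store type used in the post
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        Instant now = Instant.now();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate[] chain = ks.isKeyEntry(alias)
                ? ks.getCertificateChain(alias)             // null for secret-key entries
                : new Certificate[] { ks.getCertificate(alias) };
            if (chain == null) continue;
            for (int i = 0; i < chain.length; i++) {
                if (!(chain[i] instanceof X509Certificate)) continue;
                X509Certificate c = (X509Certificate) chain[i];
                Instant notAfter = c.getNotAfter().toInstant();
                long daysLeft = Duration.between(now, notAfter).toDays();
                String status = daysLeft < 0 ? "EXPIRED"
                              : daysLeft <= WARN_DAYS ? "EXPIRING" : "ok";
                System.out.printf("%s[%d] %s  notAfter=%s  %s%n",
                    alias, i, c.getSubjectX500Principal(), notAfter, status);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        report("mytest.jks", "password".toCharArray()); // assumed values from the post
    }
}
```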

Anonymous
Jun 26, 2018 at 10:10 pm

Good post, it helped me a lot! Is there a better way to create a CSR in Java 8, since Java 8 removed the sun.security package?

Ke Pi
Jun 30, 2018 at 6:25 am

You can refer to this post for creating CSR in Java https://www.pixelstech.net/article/1464167276-Generating-CSR-using-Java

CT
Apr 9, 2019 at 10:54 am

Excellent post. Is there a possibility to add the "YES" answer in the params?

Anonymous
Mar 15, 2021 at 7:33 am

The KeyStore Java API can also be used without needing to create a child process via a command. See

https://docs.oracle.com/javase/9/docs/api/java/security/KeyStore.html


