| Option | Function | Values | Components | Use |
|---|---|---|---|---|
| -alias | Assigns an identity to a keystore entry | User supplied | Key pair entries; Trusted certificate entries | Case insensitive; mykey (Default) |
| -certreq | Generates a certificate signing request | Requires a -file option supplying the .csr file name | | Submitted to a certificate authority |
| -delete | Removes an entry from the keystore | Requires a -alias option to identify the entry | Key pair entries; Trusted certificate entries; Keystores | Case insensitive |
| -dest | Identifies the destination alias for a cloned entry | User supplied | Key pair entries; Trusted certificate entries | |
| -dname | Assigns an X.500 Distinguished Name to an entry | User supplied | Key pair entries; Trusted certificate entries | Order of subcomponents matters; Inclusion of subcomponents is optional |
| -export | Outputs a certificate in binary code | Requires a -file option to supply the output file | Key pair entries; Trusted certificate entries | |
| -file name | Identifies files to be used for import or export | User supplied. Input: an identity database; Input: a certificate reply from a certificate authority; Output: certificate signing request | Key pair entries; Trusted certificate entries; Keystores | Standard input (default for reads); Standard output (default for writes) |
| -genkey | Creates a new key pair entry; Creates a keystore, if none exists | User supplied | | |
| -help | Displays help for the Keytool utility | | | Issuing the keytool command with no options also displays help |
| -identitydb | Migrates an identity database to a keystore database | Requires the -file option to supply the identity database name | | Only trusted entries are imported |
| -import | Brings the contents of a file into the keystore | Requires the -file option to identify the file source | Trusted certificate entries | Automatically invokes the -printcert option (unless the -noprompt option is included) |
| -J command | Passes a Java command to the interpreter | | | |
| -keyalg | Signifies the algorithm to be used for key pair creation | | Key pair entries; Trusted certificate entries | Entry for this option determines the value for the -sigalg option |
| -keysize | Specifies a key size | Requires a value in multiples of 64 bits | Key pair entries; Trusted certificate entries | 1024 bits (default); Range is from 512 to 1024 bits |
| -keypass | Assigns a password to a key pair | User supplied | Key pair entries; Trusted certificate entries | Case insensitive |
| -keystore | Customizes the name and location of a keystore | User supplied | Key pair entries; Trusted certificate entries; Keystores | The -genkey, -import, or -identitydb options create a keystore if none exists |
| -keypasswd | Changes a password for a keystore entry | User supplied | Key pair entries; Trusted certificate entries | Case insensitive |
| -keyclone | Clones a key store entry | Requires a -dest option to identify the destination alias | Key pair entries; Trusted certificate entries | |
| -list | Display an entry if an alias is supplied; Display the contents of a keystore if no alias is supplied | | Key pair entries; Trusted certificate entries; Keystores | MD5 fingerprint (default) |
| -new | Identifies the new password | User supplied | Key pair entries; Trusted certificate entries; Keystores | Combined with the -keypasswd and -storepasswd options |
| -noprompt | Indicates that no prompts are to be issued during an import operation | | Trusted certificate entries | Suppresses the default -printcert option associated with a -import option |
| -printcert | Prints a certificate fingerprint | | Trusted certificate entries | Binary code format (default) |
| -rfc | Converts output display to printable encoding format | Combined with the -printcert and -list options | Trusted certificate entries | Uses Internet RFC 1421 standard |
| -selfcert | Generates a new self-signed certificate | If -dname option is supplied, issuer and subject take the X.500 Distinguished Name; If no -dname option is supplied, issuer and subject take X.500 Distinguished Name of alias | Key pair entries; Trusted certificate entries | Output: X.509 v1 self-signed certificate |
| -sigalg | Specifies the algorithm to be used to sign the certificate | | Key pair entries; Trusted certificate entries | Correlates with the value for the -keyalg option |
| -storetype | Assigns a type to a keystore or an entry into a keystore | A Service Provider Interface format | Key pair entries; Trusted certificate entries; Keystores | JKS (Default); Case insensitive |
| -storepass | Assigns a password to a keystore | User supplied | | Case insensitive |
| -trustcacerts | Indicates that the certificate is to be considered for inclusion in the list of trusted certificates (the cacerts file) | | Trusted certificate entries | |
| -v | Designates verbose output | | | |
| -validity | Identifies an expiration period | | Key pair entries; Trusted certificate entries | 90 days (default) |
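
The dependency rules in the table (which options require -file, -alias or -dest, which modifiers are only combined with another option, and the -keysize constraint) can be checked mechanically before a keytool command goes into a build or provisioning script. The Python lint below is an added example, not part of the original page or of the Keytool utility; the function names and the check for passwords passed on the command line are this example's own assumptions.

```python
import shlex

# Companion options the table marks as required.
REQUIRES = {"-certreq": "-file", "-delete": "-alias", "-export": "-file",
            "-identitydb": "-file", "-import": "-file", "-keyclone": "-dest"}
# Modifiers the table says are combined with particular options.
ONLY_WITH = {"-new": ("-keypasswd", "-storepasswd"),
             "-rfc": ("-printcert", "-list"),
             "-noprompt": ("-import",)}
# Options whose value is a password (extra check, not a rule from the table).
SECRETS = ("-storepass", "-keypass", "-new")


def parse_options(command_line):
    """Map each -option to its value (None when no value follows it)."""
    argv = shlex.split(command_line)
    opts, i = {}, 0
    while i < len(argv):
        if argv[i].startswith("-"):
            takes_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
            opts[argv[i]] = argv[i + 1] if takes_value else None
            i += 2 if takes_value else 1
        else:
            i += 1  # the "keytool" word itself, or a stray token
    return opts


def lint_keytool(command_line):
    """Return findings for one keytool invocation, per the table's rules."""
    opts, findings = parse_options(command_line), []
    for opt, needed in REQUIRES.items():
        if opt in opts and needed not in opts:
            findings.append(f"{opt} requires {needed}")
    for opt, hosts in ONLY_WITH.items():
        if opt in opts and not any(h in opts for h in hosts):
            findings.append(f"{opt} is only used with {' or '.join(hosts)}")
    if "-keysize" in opts:
        size = opts["-keysize"]
        if not (size and size.isdigit() and int(size) % 64 == 0
                and 512 <= int(size) <= 1024):
            findings.append("-keysize must be a multiple of 64 from 512 to 1024")
    for opt in SECRETS:
        if opts.get(opt):
            findings.append(f"{opt} password is given on the command line")
    return findings
```

An empty list means the invocation is consistent with the table; the sample command lines used to exercise it are constructed, not taken from the page.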