Generate a Java keystore and key pair
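# Creates keystore.jks if it does not exist and adds a new RSA key pair with a
# self-signed certificate under the alias "server".
# -storetype sets the format of the keystore being written; -deststoretype is
# documented for -importkeystore only. The file keeps its .jks name but holds
# PKCS12 data.
# keytool prompts for the Distinguished Name and the store password. Entering
# the password at the prompt keeps it out of shell history and the process list,
# unlike -storepass on the command line.
# -validity 3650 is about ten years; choose a shorter lifetime outside local testing.
keytool -keystore keystore.jks -storetype pkcs12 -genkeypair -keyalg RSA -keysize 2048 -alias server -validity 3650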
Generate a Java keystore and key pair, passing the Distinguished Name and the certificate extensions on the command line
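# Same as an interactive -genkeypair, but the subject comes from -dname and the
# Subject Alternative Name from -ext, so only the password is prompted for.
# "SAN:c" marks the extension critical; the DNS and IP entries are the names a
# client will match against the host it connects to.
# -storetype sets the format of the keystore being written; -deststoretype is
# documented for -importkeystore only.
keytool -keystore keystore.jks -storetype pkcs12 -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=Hakan,OU=Amsterdam,O=Luminis,C=NL" -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650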
Generate a Java keystore and import a certificate
# Adds server.crt to truststore.jks as a trusted certificate entry, creating the
# file if it does not exist.
# keytool prints the certificate and asks for confirmation. Compare the
# fingerprint it shows with one obtained over a separate trusted channel before
# answering yes, because anything in the truststore is trusted from then on.
# -noprompt would skip that check.
keytool -keystore truststore.jks -importcert -file server.crt -alias server
Generate a certificate signing request (CSR) for an existing Java keystore
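# Writes a PKCS#10 request for the key pair stored under "server" to server.csr.
# The private key stays in the keystore.
# -keyalg is dropped: it is not among the documented -certreq options, and the
# request uses the key already stored under the alias.
# NOTE(review): pass -ext here as well if the CA must see the SAN, then confirm
# the request content with: keytool -printcertreq -file server.csr
keytool -certreq -keystore keystore.jks -alias server -file server.csr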
Import a root or intermediate CA certificate into an existing Java keystore
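# Adds root-ca.crt as a trusted CA entry. -importcert is the current name of the
# older -import command, and matches the other import example on this page.
# Every certificate that chains to this CA becomes trusted by applications using
# this keystore, so check the fingerprint keytool displays against the value
# published by the CA before confirming.
keytool -importcert -trustcacerts -alias my-newly-trusted-ca -file root-ca.crt -keystore keystore.jks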
Check a stand-alone certificate
# Reads the certificate straight from server.crt and prints it in human-readable
# form; no keystore or password is involved.
keytool -printcert -v -file server.crt
Check which certificates are in a Java keystore
# Lists every entry in keystore.jks. -v prints the full certificate details
# (owner, issuer, serial number, validity, fingerprints, extensions) rather than
# the one-line summary.
keytool -list -v -keystore keystore.jks
Check a particular keystore entry using an alias
# Same verbose listing, restricted by -alias to the single entry named "server".
keytool -list -v -keystore keystore.jks -alias server
Delete a certificate from a Java keystore
# Removes the entry stored under "server". For a key entry this deletes the
# private key along with the certificate chain, so back up the keystore first if
# the key is still needed.
keytool -delete -alias server -keystore keystore.jks
Change a Java keystore password
# Changes the password that protects the keystore file. keytool prompts for the
# old and new values, which keeps them out of shell history.
# In a JKS keystore a private key can carry its own password, which is changed
# separately with -keypasswd.
keytool -storepasswd -keystore keystore.jks
Export a certificate to a .crt file
# Writes the certificate stored under "server" to server.crt. -rfc selects the
# printable (PEM) encoding instead of binary DER.
# Only the certificate is exported; the private key does not leave the keystore.
keytool -exportcert -keystore keystore.jks -alias server -rfc -file server.crt
Export Java keystore to a .p12 file
# Copies the entries of keystore.jks into a new PKCS12 file, keystore.p12.
# keytool prompts for the source and destination passwords.
# The .p12 file carries the private keys of the copied entries, so give it the
# same file permissions and password strength as the original keystore.
# NOTE(review): -srcstoretype jks assumes keystore.jks really is in JKS format;
# confirm this if the keystore was created with a pkcs12 store type.
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12