keytool
- {-alias _alias_}: Alias name of the entry to process
- {-keyalg _alg_}: Key algorithm name
- {-keysize _size_}: Key bit size
- {-groupname _name_}: Group name. For example, an Elliptic Curve name
- {-sigalg _alg_}: Signature algorithm name
- -destalias _alias_: Destination alias
- [-dname _name_]: Distinguished name
- {-startdate _date_}: Certificate validity start date and time
- [-ext _value_]*: X.509 extension
- {-validity _days_}: Validity number of days
- [-keypass _arg_]: Key password
- {-keystore _keystore_}: Keystore name
- [-storepass _arg_]: Keystore password
- {-storetype _type_}: Keystore type
- {-providername _name_}: Provider name
- {-providerclass _class_ [-providerarg _arg_]}: Add security provider by fully qualified class name with an optional configure argument.
- {-providerpath _list_}: Provider classpath
- {-v}: Verbose output
- {-protected}: Password provided through a protected mechanism
Generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias.
The keyalg value specifies the algorithm to be used to generate the key pair, and the keysize value specifies the size of each key to be generated. The sigalg value specifies the algorithm that should be used to sign the self-signed certificate. This algorithm must be compatible with the keyalg value.
The groupname value specifies a named group when generating a key pair. The groupname option is preferred over the keysize option because there may be more than one curve of the same size. For example:
keytool -genkeypair -keyalg EC -groupname secp384r1
will generate an Elliptic Curve key pair by using the secp384r1 curve.
The dname value specifies the X.500 Distinguished Name to be associated with the value of alias, and is used as the issuer and subject fields in the self-signed certificate. If no distinguished name is provided at the command line, then the user is prompted for one.
The value of keypass is a password used to protect the private key of the generated key pair. If no password is provided, then the user is prompted for it. If you press the Return key at the prompt, then the key password is set to the same password as the keystore password. The keypass value must be at least 6 characters.
The value of startdate specifies the issue time of the certificate, also known as the "Not Before" value of the X.509 certificate's Validity field.
The option value can be set in one of these two forms:
([+-]nnn[ymdHMS])+
[yyyy/mm/dd] [HH:MM:SS]
With the first form, the issue time is shifted by the specified value from the current time. The value is a concatenation of a sequence of subvalues. Inside each subvalue, the plus sign (+) means shift forward, and the minus sign (-) means shift backward. The time to be shifted is nnn units of years, months, days, hours, minutes, or seconds (denoted by a single character of y, m, d, H, M, or S respectively). The exact value of the issue time is calculated using the java.util.GregorianCalendar.add(int field, int amount) method on each subvalue, from left to right. For example, by specifying, the issue time will be:
Calendar c = new GregorianCalendar();
c.add(Calendar.YEAR, -1);
c.add(Calendar.MONTH, 1);
c.add(Calendar.DATE, -1);
return c.getTime();
With the second form, the user sets the exact issue time in two parts, year/month/day and hour:minute:second (using the local time zone). The user can provide only one part, which means the other part is the same as the current date (or time). The user must provide the exact number of digits as shown in the format definition (padding with 0 when shorter). When both the date and time are provided, there is one (and only one) space character between the two parts. The hour should always be provided in 24 hour format.
When the option is not provided, the start date is the current time. The option can be provided at most once.
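As an added illustration (not part of the keytool documentation or the JDK's own code), the following Python function parses both -startdate forms described above and computes the resulting "Not Before" time. It mimics the GregorianCalendar.add() behaviour for years and months (day-of-month is clamped to the last valid day), applies subvalues left to right, enforces the fixed-width digits and single-space rule of the second form, and takes the current time as a parameter so results are predictable; it assumes naive local time and ignores DST transitions.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta

_REL_RE = re.compile(r"(?:[+-]\d+[ymdHMS])+")  # form 1: whole value
_SUBVALUE_RE = re.compile(r"([+-])(\d+)([ymdHMS])")  # form 1: each subvalue
_DATE_RE = re.compile(r"\d{4}/\d{2}/\d{2}")  # form 2: zero-padded, fixed width
_TIME_RE = re.compile(r"\d{2}:\d{2}:\d{2}")


def _add_months(t: datetime, months: int) -> datetime:
    # Mimic GregorianCalendar.add(MONTH, n) (YEAR is 12*n): move the month and
    # clamp the day-of-month, so Jan 31 + 1 month -> Feb 28 or Feb 29.
    year, month0 = divmod(t.year * 12 + (t.month - 1) + months, 12)
    day = min(t.day, monthrange(year, month0 + 1)[1])
    return t.replace(year=year, month=month0 + 1, day=day)


def parse_startdate(value: str, now: datetime) -> datetime:
    """Return the 'Not Before' time for a -startdate value, given the current
    local time `now` (naive datetime; DST is ignored, an assumption here)."""
    if value[:1] in ("+", "-"):  # form 1: shifts applied left to right
        if not _REL_RE.fullmatch(value):
            raise ValueError(f"malformed relative start date: {value!r}")
        t = now
        for sign, digits, unit in _SUBVALUE_RE.findall(value):
            n = int(digits) * (1 if sign == "+" else -1)
            if unit in "ym":
                t = _add_months(t, 12 * n if unit == "y" else n)
            else:  # d/H/M/S are fixed-length units, so timedelta matches add()
                field = {"d": "days", "H": "hours", "M": "minutes", "S": "seconds"}[unit]
                t += timedelta(**{field: n})
        return t
    # form 2: "yyyy/mm/dd", "HH:MM:SS", or both separated by exactly one space
    parts = value.split(" ")
    if len(parts) == 2:
        date_part, time_part = parts
    elif len(parts) == 1:
        date_part, time_part = (value, None) if "/" in value else (None, value)
    else:
        raise ValueError(f"malformed absolute start date: {value!r}")
    if date_part is not None and not _DATE_RE.fullmatch(date_part):
        raise ValueError(f"date must be yyyy/mm/dd: {value!r}")
    if time_part is not None and not _TIME_RE.fullmatch(time_part):
        raise ValueError(f"time must be HH:MM:SS: {value!r}")
    y, mo, d = map(int, date_part.split("/")) if date_part else (now.year, now.month, now.day)
    h, mi, s = map(int, time_part.split(":")) if time_part else (now.hour, now.minute, now.second)
    return datetime(y, mo, d, h, mi, s)
```

Because subvalues are applied in order, "+1m-1d" and "-1d+1m" starting from January 31 do not yield the same date, which is worth checking before relying on a relative start date in an automated pipeline.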
The value of valDays specifies the number of days (starting at the date specified by -startdate, or the current date when -startdate is not specified) for which the certificate should be considered valid.
This command was named -genkey in earlier releases. The old name is still supported in this release. The new name, -genkeypair, is preferred going forward.