The manage-certificates Command-Line Tool

Manage certificates and private keys in a JKS or PKCS #12 key store.

Usage

manage-certificates {subCommand} {arguments}

This tool uses subcommands to indicate which function you want to perform.

Global Arguments

Exclusive Argument Sets

Examples

    manage-certificates list-certificates --keystore config/keystore \
         --keystore-password-file config/keystore.pin --verbose \
         --display-keytool-command
    manage-certificates export-certificate --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --output-file server-cert.crt --output-format PEM --verbose \
         --display-keytool-command
    manage-certificates export-private-key --keystore config/keystore \
         --keystore-password-file config/keystore.pin \
         --private-key-password-file config/server-cert-private-key.pin \
         --alias server-cert --output-file server-cert.private-key \
         --output-format PEM --verbose --display-keytool-command
    manage-certificates import-certificate --keystore config/keystore \
         --keystore-type JKS --keystore-password-file config/keystore.pin \
         --alias server-cert --certificate-file server-cert.crt \
         --private-key-file server-cert.private-key \
         --display-keytool-command
    manage-certificates delete-certificate --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert
    manage-certificates generate-self-signed-certificate \
         --keystore config/keystore --keystore-type PKCS12 \
         --keystore-password-file config/keystore.pin --alias ca-cert \
         --subject-dn "CN=Example Authority,O=Example Corporation,C=US" \
         --days-valid 7300 --validity-start-time 20170101000000 \
         --key-algorithm RSA --key-size-bits 4096 \
         --signature-algorithm SHA256withRSA --basic-constraints-is-ca true \
         --key-usage key-cert-sign --key-usage crl-sign \
         --display-keytool-command
    manage-certificates generate-certificate-signing-request \
         --keystore config/keystore --keystore-type PKCS12 \
         --keystore-password-file config/keystore.pin \
         --output-file server-cert.csr --alias server-cert \
         --subject-dn "CN=ldap.example.com,O=Example Corporation,C=US" \
         --key-algorithm EC --key-size-bits 256 \
         --signature-algorithm SHA256withECDSA \
         --subject-alternative-name-dns ldap1.example.com \
         --subject-alternative-name-dns ldap2.example.com \
         --extended-key-usage server-auth --extended-key-usage client-auth \
         --display-keytool-command
    manage-certificates generate-certificate-signing-request \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --use-existing-key-pair --inherit-extensions \
         --display-keytool-command
    manage-certificates sign-certificate-signing-request \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin \
         --request-input-file server-cert.csr \
         --certificate-output-file server-cert.crt --alias ca-cert \
         --days-valid 730 --include-requested-extensions \
         --display-keytool-command
    manage-certificates change-certificate-alias --keystore config/keystore \
         --keystore-password-file config/keystore.pin \
         --current-alias server-cert --new-alias server-certificate \
         --display-keytool-command
    manage-certificates change-keystore-password --keystore config/keystore \
         --current-keystore-password-file config/current.pin \
         --new-keystore-password-file config/new.pin \
         --display-keytool-command
    manage-certificates trust-server-certificate --hostname ldap.example.com \
         --port 636 --keystore config/truststore \
         --keystore-password-file config/truststore.pin \
         --alias ldap.example.com:636
    manage-certificates check-certificate-usability \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert
    manage-certificates display-certificate-file \
         --certificate-file server-cert.crt --verbose \
         --display-keytool-command
    manage-certificates display-certificate-signing-request-file \
         --certificate-signing-request-file server-cert.csr \
         --display-keytool-command
    manage-certificates --help-subcommands

 

Available Subcommands

 

Usage For Subcommand list-certificates

Displays a list of some or all of the certificates in a key store.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates list-certificates --keystore config/keystore
    manage-certificates list-certificates --keystore config/keystore.p12 \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --verbose --display-pem-certificate --display-keytool-command
    manage-certificates list-certificates --use-jvm-default-trust-store

 

Usage For Subcommand export-certificate

Exports a certificate or certificate chain from a key store.

Arguments

Required Argument Sets

Dependent Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates export-certificate --keystore config/keystore \
         --alias server-cert
    manage-certificates export-certificate --keystore config/keystore.p12 \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --export-certificate-chain --output-format DER \
         --output-file certificate-chain.der --display-keytool-command

 

Usage For Subcommand export-private-key

Exports a private key from a key store.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates export-private-key --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert
    manage-certificates export-private-key --keystore config/keystore.p12 \
         --keystore-password-file config/keystore.pin \
         --private-key-password-file config/server-cert-key.pin \
         --alias server-cert --output-format DER \
         --output-file server-cert-key.der

 

Usage For Subcommand import-certificate

Imports a certificate or certificate chain, and optionally a private key, into a key store.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates import-certificate --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --certificate-file server-cert.crt
    manage-certificates import-certificate --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --certificate-file server-cert.crt \
         --certificate-file server-cert-issuer.crt \
         --private-key-file server-cert.key --display-keytool-command

 

Usage For Subcommand delete-certificate

Removes a certificate from a key store.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates delete-certificate --keystore config/keystore \
         --alias server-cert

 

Usage For Subcommand generate-self-signed-certificate

Generates a self-signed certificate in a key store.

Arguments

Required Argument Sets

Dependent Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates generate-self-signed-certificate \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --subject-dn "CN=ldap.example.com,O=Example Corp,C=US"
    manage-certificates generate-self-signed-certificate \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --replace-existing-certificate --inherit-extensions
    manage-certificates generate-self-signed-certificate \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --subject-dn "CN=ldap.example.com,O=Example Corp,C=US" \
         --days-valid 3650 --validity-start-time 20170101000000 \
         --key-algorithm RSA --key-size-bits 4096 \
         --signature-algorithm SHA256withRSA \
         --subject-alternative-name-dns ldap1.example.com \
         --subject-alternative-name-dns ldap2.example.com \
         --subject-alternative-name-ip-address 1.2.3.4 \
         --subject-alternative-name-ip-address 1.2.3.5 \
         --extended-key-usage server-auth --extended-key-usage client-auth \
         --display-keytool-command
    manage-certificates generate-self-signed-certificate \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias ca-cert \
         --subject-dn "CN=Example Certification Authority,O=Example Corp,C=US" \
         --days-valid 7300 --validity-start-time 20170101000000 \
         --key-algorithm EC --key-size-bits 256 \
         --signature-algorithm SHA256withECDSA \
         --basic-constraints-is-ca true --key-usage key-cert-sign \
         --key-usage crl-sign --display-keytool-command

 

Usage For Subcommand generate-certificate-signing-request

Generates a certificate signing request (CSR) for a private key in a key store, optionally generating the private key in the process. The certificate signing request may be either written to standard output or to a specified output file.

Arguments

Required Argument Sets

Dependent Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates generate-certificate-signing-request \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --subject-dn "CN=ldap.example.com,O=Example Corp,C=US"
    manage-certificates generate-certificate-signing-request \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --use-existing-key-pair --inherit-extensions \
         --output-file server-cert.csr
    manage-certificates generate-certificate-signing-request \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --subject-dn "CN=ldap.example.com,O=Example Corp,C=US" \
         --key-algorithm EC --key-size-bits 256 \
         --signature-algorithm SHA256withECDSA \
         --subject-alternative-name-dns ldap1.example.com \
         --subject-alternative-name-dns ldap2.example.com \
         --subject-alternative-name-ip-address 1.2.3.4 \
         --subject-alternative-name-ip-address 1.2.3.5 \
         --extended-key-usage server-auth --extended-key-usage client-auth \
         --output-file server-cert.csr --display-keytool-command

 

Usage For Subcommand sign-certificate-signing-request

Signs a certificate signing request (CSR) provided in a specified input file using a certificate contained in a specified key store. The signed certificate may be written to either standard output or to a specified file.

Arguments

Required Argument Sets

Dependent Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates sign-certificate-signing-request \
         --request-input-file server-cert.csr --keystore config/keystore \
         --keystore-password-file config/keystore.pin \
         --signing-certificate-alias ca-cert --include-requested-extensions
    manage-certificates sign-certificate-signing-request \
         --request-input-file server-cert.csr \
         --certificate-output-file server-cert.der --output-format DER \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin \
         --signing-certificate-alias ca-cert --days-valid 730 \
         --validity-start-time 20170101000000 --include-requested-extensions \
         --issuer-alternative-name-email-address 'ca@example.com'

 

Usage For Subcommand change-certificate-alias

Changes the alias of a certificate in a key store.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates change-certificate-alias --keystore config/keystore \
         --keystore-password-file config/keystore.pin \
         --current-alias server-cert --new-alias server-certificate \
         --display-keytool-command

 

Usage For Subcommand change-keystore-password

Changes the password used to protect the contents of a key store.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates change-keystore-password --keystore config/keystore \
         --current-keystore-password-file config/current.pin \
         --new-keystore-password-file config/new.pin \
         --display-keytool-command

 

Usage For Subcommand change-private-key-password

Changes the password used to protect a specified private key.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates change-private-key-password --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert \
         --current-private-key-password-file config/current.pin \
         --new-private-key-password-file config/new.pin \
         --display-keytool-command

 

Usage For Subcommand trust-server-certificate

Initiates a secure connection to a server to get that server's certificate chain, and then adds those certificates to a key store so that it can be used as a trust store for that server.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates trust-server-certificate \
         --hostname ds.example.com --port 636 --keystore config/truststore \
         --keystore-password-file config/truststore.pin --verbose
    manage-certificates trust-server-certificate \
         --hostname ds.example.com --port 389 --use-ldap-start-tls \
         --keystore config/truststore \
         --keystore-password-file config/truststore.pin --issuers-only \
         --alias ds-start-tls-cert --no-prompt
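The following is an added example, not code from the manage-certificates tool, showing what the trust-server-certificate step does underneath with only the JDK: it opens a TLS handshake, captures the chain the server presents, and writes those certificates into a key store as trusted entries. The one deliberate difference from running with --no-prompt is that it refuses to store anything unless the leaf certificate's SHA-256 fingerprint matches a value supplied on the command line, because the first, unverified connection is exactly where a rogue server between you and ds.example.com would get its certificate trusted. The class name, the fingerprint argument and the issuer aliases are assumptions; the host, port and trust-store paths are the page's own.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TrustServerCertificate {

  // Records the chain the server presents during the handshake. It trusts nothing:
  // the socket is closed right after the handshake and never carries application data.
  static final class ChainCapturingTrustManager implements X509TrustManager {
    X509Certificate[] presented;
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {
      throw new UnsupportedOperationException("client authentication is not supported");
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {
      presented = chain.clone();
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
  }

  static X509Certificate[] fetchChain(String host, int port) throws Exception {
    ChainCapturingTrustManager tm = new ChainCapturingTrustManager();
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] { tm }, null);
    try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
      sock.startHandshake();
    }
    if (tm.presented == null || tm.presented.length == 0) {
      throw new IllegalStateException("server presented no certificate chain");
    }
    return tm.presented;
  }

  // Colon-separated upper-case hex SHA-256 digest of the DER encoding, as most tools print it.
  static String sha256Fingerprint(X509Certificate cert) throws Exception {
    byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
    StringBuilder sb = new StringBuilder();
    for (byte b : digest) {
      if (sb.length() > 0) sb.append(':');
      sb.append(String.format("%02X", b));
    }
    return sb.toString();
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 5) {
      System.err.println("Usage: java TrustServerCertificate ds.example.com 636 config/truststore "
          + "config/truststore.pin <expected SHA-256 fingerprint obtained out of band>");
      System.exit(2);
    }
    String host = args[0];
    int port = Integer.parseInt(args[1]);
    File storeFile = new File(args[2]);
    char[] storePw = Files.readString(Path.of(args[3])).trim().toCharArray();

    X509Certificate[] chain = fetchChain(host, port);
    String actual = sha256Fingerprint(chain[0]);
    System.out.println("Server certificate:  " + chain[0].getSubjectX500Principal());
    System.out.println("SHA-256 fingerprint: " + actual);
    if (!actual.replace(":", "").equalsIgnoreCase(args[4].replace(":", ""))) {
      System.err.println("Fingerprint does not match the expected value; nothing was trusted.");
      System.exit(1);
    }

    // Load the existing trust store or start an empty one. The JVM default type
    // (PKCS #12 on JDK 9+) also reads JKS files; the store is written back in that format.
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    if (storeFile.exists()) {
      try (FileInputStream in = new FileInputStream(storeFile)) { ks.load(in, storePw); }
    } else {
      ks.load(null, storePw);
    }
    for (int i = 0; i < chain.length; i++) {
      String alias = host + ":" + port + (i == 0 ? "" : "-issuer-" + i);
      ks.setCertificateEntry(alias, chain[i]);
    }
    try (FileOutputStream out = new FileOutputStream(storeFile)) { ks.store(out, storePw); }
    System.out.println("Stored " + chain.length + " certificate(s) in " + storeFile);
  }
}
```

The capturing trust manager accepts every chain, which is why the handshake is used only to read the certificates and the socket is closed immediately; the fingerprint comparison, not the handshake, is the trust decision. Storing only the issuer certificates (the page's --issuers-only) would mean starting the loop at index 1 instead of 0.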

 

Usage For Subcommand check-certificate-usability

Examines a key store to determine how suitable a specified certificate is for use as a server certificate.

Arguments

Required Argument Sets

Exclusive Argument Sets

Examples

    manage-certificates check-certificate-usability --keystore config/keystore \
         --keystore-password-file config/keystore.pin --alias server-cert
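As an added example, not the tool's own implementation, the program below performs the checks a usability review of a server certificate typically covers, using only the JDK KeyStore and X509Certificate APIs: the entry must carry a private key and a chain, the leaf must be within its validity period (with a warning when expiry is less than 30 days away), a subject alternative name must match the host name clients connect to, any extended key usage must include serverAuth, the key size and signature algorithm must not be weak, and each chain element must be signed by the next one, which must be a CA. The class name, the 30-day threshold and the host name argument are assumptions; the key store path, PIN file and alias are the page's own.

```java
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class CheckServerCertUsability {
  private static final String OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
  private static final long WARN_BEFORE_EXPIRY_MS = 30L * 24 * 60 * 60 * 1000;

  // Returns an empty list when the entry is usable, otherwise one line per problem found.
  public static List<String> check(KeyStore ks, String alias, String hostname) throws Exception {
    List<String> problems = new ArrayList<>();
    if (!ks.containsAlias(alias)) {
      problems.add("alias not found: " + alias);
      return problems;
    }
    Certificate[] chain = ks.getCertificateChain(alias);   // null unless this is a key entry
    if (!ks.isKeyEntry(alias) || chain == null || chain.length == 0) {
      problems.add("entry has no private key and chain, so it cannot act as a server certificate");
      return problems;
    }
    X509Certificate leaf = (X509Certificate) chain[0];
    try {   // validity window, with an early warning before expiry
      leaf.checkValidity();
      if (leaf.getNotAfter().getTime() - System.currentTimeMillis() < WARN_BEFORE_EXPIRY_MS) {
        problems.add("certificate expires within 30 days: " + leaf.getNotAfter());
      }
    } catch (CertificateExpiredException e) {
      problems.add("certificate expired on " + leaf.getNotAfter());
    } catch (CertificateNotYetValidException e) {
      problems.add("certificate is not valid until " + leaf.getNotBefore());
    }
    // Clients match the name they connected to against the subject alternative names.
    if (!sanMatches(leaf, hostname)) {
      problems.add("no subjectAltName entry matches " + hostname);
    }
    // Extended key usage, when present, must permit TLS server authentication.
    List<String> eku = leaf.getExtendedKeyUsage();
    if (eku != null && !eku.contains(OID_SERVER_AUTH)) {
      problems.add("extendedKeyUsage does not include serverAuth");
    }
    // Weak keys and weak signature algorithms.
    if (leaf.getPublicKey() instanceof RSAPublicKey) {
      int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
      if (bits < 2048) problems.add("RSA key is only " + bits + " bits");
    } else if (leaf.getPublicKey() instanceof ECPublicKey) {
      int bits = ((ECPublicKey) leaf.getPublicKey()).getParams().getCurve().getField().getFieldSize();
      if (bits < 256) problems.add("EC key is only " + bits + " bits");
    }
    String sigAlg = leaf.getSigAlgName().toUpperCase(Locale.ROOT);
    if (sigAlg.startsWith("SHA1") || sigAlg.contains("MD5")) {
      problems.add("weak signature algorithm: " + leaf.getSigAlgName());
    }
    // Every certificate in the chain must be signed by the next one, which must be a CA.
    for (int i = 1; i < chain.length; i++) {
      X509Certificate issuer = (X509Certificate) chain[i];
      try {
        chain[i - 1].verify(issuer.getPublicKey());
      } catch (Exception e) {
        problems.add("chain element " + (i - 1) + " is not signed by chain element " + i);
      }
      if (issuer.getBasicConstraints() < 0) problems.add("chain element " + i + " is not marked as a CA");
    }
    return problems;
  }

  // Matches a dNSName (type 2) exactly or through a single leftmost-label wildcard,
  // or an iPAddress (type 7) exactly.
  static boolean sanMatches(X509Certificate cert, String hostname) throws Exception {
    Collection<List<?>> sans = cert.getSubjectAlternativeNames();
    if (sans == null) return false;
    String host = hostname.toLowerCase(Locale.ROOT);
    for (List<?> san : sans) {
      int type = (Integer) san.get(0);
      String value = String.valueOf(san.get(1)).toLowerCase(Locale.ROOT);
      if ((type == 2 || type == 7) && value.equals(host)) return true;
      if (type == 2 && value.startsWith("*.") && host.indexOf('.') > 0
          && host.substring(host.indexOf('.')).equals(value.substring(1))) return true;
    }
    return false;
  }

  public static void main(String[] args) throws Exception {
    // Usage: java CheckServerCertUsability config/keystore config/keystore.pin server-cert ldap.example.com
    char[] pw = Files.readString(Path.of(args[1])).trim().toCharArray();
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());  // reads JKS and PKCS #12 on JDK 9+
    try (FileInputStream in = new FileInputStream(args[0])) {
      ks.load(in, pw);
    }
    List<String> problems = check(ks, args[2], args[3]);
    problems.forEach(p -> System.out.println("PROBLEM: " + p));
    System.out.println(problems.isEmpty() ? "usable as a server certificate for " + args[3]
                                          : problems.size() + " problem(s) found");
    System.exit(problems.isEmpty() ? 0 : 1);
  }
}
```

A non-zero exit status makes the check usable from a deployment pipeline; the chain verification deliberately stops at the last certificate in the entry, so a chain that ends in an intermediate is accepted as long as that intermediate is a CA, which is the usual case when the root lives only in client trust stores.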

 

Usage For Subcommand display-certificate-file

Displays information about all of the certificates contained in a file. The certificates may be formatted in either the text-based PEM or the binary DER format, and if the file contains multiple certificates, then all of them must use the same format.

Arguments

Examples

    manage-certificates display-certificate-file \
         --certificate-file certificate.pem
    manage-certificates display-certificate-file \
         --certificate-file certificate.pem --verbose \
         --display-keytool-command
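An added example, not the tool's own code, of reading such a file with the JDK: it decides between DER and PEM from the first byte, splits a DER file into consecutive certificates by decoding each outer SEQUENCE length, extracts each PEM block by its BEGIN/END lines, and rejects a file that mixes the two formats or carries stray data between blocks, which is the same-format rule stated above. The class name and the printed field layout are assumptions; the file name certificate.pem is the page's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DisplayCertificateFile {
  private static final Pattern PEM_BLOCK = Pattern.compile(
      "-----BEGIN CERTIFICATE-----\\s*([A-Za-z0-9+/=\\s]+?)\\s*-----END CERTIFICATE-----");

  // Splits the file into DER-encoded certificates, requiring one format throughout.
  static List<byte[]> splitCertificates(byte[] data) {
    List<byte[]> out = new ArrayList<>();
    if (data.length == 0) throw new IllegalArgumentException("empty file");
    if (data[0] == 0x30) {                          // DER: the file starts with a SEQUENCE tag
      int pos = 0;
      while (pos < data.length) {
        if (data[pos] != 0x30) throw new IllegalArgumentException("mixed formats: non-DER data at offset " + pos);
        int len = data[pos + 1] & 0xff, hdr = 2;
        if (len >= 0x80) {                          // long form: the next (len & 0x7f) bytes hold the length
          int n = len & 0x7f;
          len = 0;
          for (int i = 0; i < n; i++) len = (len << 8) | (data[pos + 2 + i] & 0xff);
          hdr = 2 + n;
        }
        if (pos + hdr + len > data.length) throw new IllegalArgumentException("truncated DER certificate at offset " + pos);
        out.add(Arrays.copyOfRange(data, pos, pos + hdr + len));
        pos += hdr + len;
      }
    } else {                                        // PEM: base64 between BEGIN and END lines
      String text = new String(data, StandardCharsets.US_ASCII);
      Matcher m = PEM_BLOCK.matcher(text);
      int consumed = 0;
      while (m.find()) {
        if (!text.substring(consumed, m.start()).isBlank()) {
          throw new IllegalArgumentException("mixed formats: unexpected data before PEM block at offset " + consumed);
        }
        out.add(Base64.getMimeDecoder().decode(m.group(1)));
        consumed = m.end();
      }
      if (out.isEmpty() || !text.substring(consumed).isBlank()) {
        throw new IllegalArgumentException("file is neither DER nor a clean PEM bundle");
      }
    }
    return out;
  }

  static List<X509Certificate> parse(byte[] data) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    List<X509Certificate> certs = new ArrayList<>();
    for (byte[] der : splitCertificates(data)) {
      certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
    }
    return certs;
  }

  static String describe(X509Certificate c) throws Exception {
    StringBuilder sb = new StringBuilder();
    sb.append("Subject:   ").append(c.getSubjectX500Principal()).append('\n');
    sb.append("Issuer:    ").append(c.getIssuerX500Principal()).append('\n');
    sb.append("Serial:    ").append(c.getSerialNumber().toString(16)).append('\n');
    sb.append("Valid:     ").append(c.getNotBefore()).append(" to ").append(c.getNotAfter()).append('\n');
    sb.append("Sig alg:   ").append(c.getSigAlgName()).append('\n');
    sb.append("Key:       ").append(c.getPublicKey().getAlgorithm()).append('\n');
    sb.append("Is CA:     ").append(c.getBasicConstraints() >= 0).append('\n');
    if (c.getSubjectAlternativeNames() != null) {
      for (List<?> san : c.getSubjectAlternativeNames()) {
        sb.append("SAN:       type ").append(san.get(0)).append(' ').append(san.get(1)).append('\n');
      }
    }
    return sb.toString();
  }

  public static void main(String[] args) throws Exception {
    // Usage: java DisplayCertificateFile certificate.pem
    List<X509Certificate> certs = parse(Files.readAllBytes(Path.of(args[0])));
    int i = 0;
    for (X509Certificate c : certs) {
      System.out.println("Certificate " + (++i) + " of " + certs.size());
      System.out.print(describe(c));
    }
  }
}
```

The JDK's CertificateFactory would itself accept a PEM bundle, but it is lenient about what sits between blocks; splitting the file first is what lets the program report a truncated DER record or a mixed-format file instead of silently skipping the part it could not parse.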

 

Usage For Subcommand display-certificate-signing-request-file

Displays information about a certificate signing request (CSR) contained in a file. The CSR may be formatted in either the text-based PEM or the binary DER format.

Arguments

Examples

    manage-certificates display-certificate-signing-request-file \
         --certificate-signing-request-file server-cert.csr \
         --display-keytool-command