Digital certificates

A digital certificate is mostly used for proving ownership of digital documents, or other types of digital files. Digital certificates are issued to both companies and individuals. Usually, a Certification Authority (CA) is required to confirm the identity of a digital certificate owner.

Encryption keys management

Java Keytool

keytool utility can be used to generate private and public keys. It can be used to generate certificates, so that you can distribute them.

A keystore file is the file where the keys are stored. Here are stored both private and public keys. For the keys from the keystore aliases can be set to easily manage them.

The keystore file is protected by a password. The private keys are also protected by their own passwords, that are required when you want to get the private keys from the keystore.


.jks means Java KeyStore.


Note that -exportcert and -importcert were previously named -export and -import.

Also note that sometimes the extension of the keystore.jks file is missing. Such a file is cacerts, which is a .jks file.

Search certificates

List all certificates from a keystore:

keytool -v -list -keystore mykeystore.jks

There are more details listed including the alias for the certificates. The alias can be used to export a certificate.

Export certificates

To export a certificate from a keystore:

keytool -keystore mykeystore.jks -alias aliasOfCertificate -export -file certificate.crt -rfc

After running the command, the certificate.crt certificate file will be exported. RFC format is more human-readable than non-RFC binary format, which is the default used.

To export all certificates from a cacerts file:

for cert in `keytool -list -keystore cacerts -storepass changeit | grep trustedCertEntry | grep -Eo "^[^,]*"`;do
    `keytool -exportcert -keystore cacerts -alias $cert -file "${cert}".crt <<< $'changeit'`

Import certificates in the keystore

Load the certificates

In RHEL add the .crt certificates in /etc/pki/ca-trust/source/anchors. Then, run update-ca-trust as root to import them.

To see the changes run trust list. The contents from file /etc/pki/ca-trust/extracted/java/cacerts might also have been changed by the update.

Generate a self-signed certificate

Generate a valid certificate for 10000 days:

keytool -genkey -v -keystore my_release_key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

KEYTOOL command requires Java JDK to be installed. The KEYTOOL executable can be found in "%JAVA_HOME%\bin" directory.

Using digital certificates

Sign Android APK files

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my_release_key.keystore my_application.apk alias_name

Location of JARSIGNER command in the file system: "%JAVA_HOME%\bin\jarsigner".