Ping Identity Data Governance Server Command-Line Tool Reference

change-certificate-alias Examples

Changes the alias of the existing 'server-cert' certificate to be 'server-certificate'.

manage-certificates change-certificate-alias --keystore config/keystore \
     --keystore-password-file config/keystore.pin --current-alias server-cert \
     --new-alias server-certificate --display-keytool-command

change-certificate-alias Arguments

--keystore {path}

Description	The path to the key store file containing the alias to rename. This is required, and the keystore file must exist.
Required	Yes
Multi-Valued	No

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. A key store password is required, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The path to a file containing the password needed to access the contents of the key store. A key store password is required, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

Interactively prompt for the key store password. A key store password is required so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided.

--private-key-password {password}

Description	The password (also called a passphrase or PIN) used to protect the private key. In many cases, the private key password will be the same as the password used to protect the key store itself, and in such instances, the private key password can be omitted and the key store password will be used. However, if the target alias includes a private key, and that private key is protected with a different password than the key store itself, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments must be provided.
Required	No
Multi-Valued	No

--private-key-password-file {path}

Description	The path to a file containing the password used to protect the private key. In many cases, the private key password will be the same as the password used to protect the key store itself, and in such instances, the private key password can be omitted and the key store password will be used. However, if the target alias includes a private key, and that private key is protected with a different password than the key store itself, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments must be provided. If a private key password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text private key password.
Required	No
Multi-Valued	No

--prompt-for-private-key-password

Description

Interactively prompt for the private key password. In many cases, the private key password will be the same as the password used to protect the key store itself, and in such instances, the private key password can be omitted and the key store password will be used. However, if the target alias includes a private key, and that private key is protected with a different password than the key store itself, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments must be provided.

--current-alias {alias}

Description	The current alias for the key store entry to rename. This is required, and it may only be provided once.
Required	Yes
Multi-Valued	No

--new-alias {alias}

Description	The new alias to assign to the target entry in the key store. This is required, and it may only be provided once.
Required	Yes
Multi-Valued	No

--display-keytool-command

Description

Display a command that that can be invoked to achieve a similar result with the Java keytool utility. Note that this may just be an approximation, since the manage-certificates and keytool utilities do not provide exactly the same sets of functionality.

change-private-key-password Examples

Changes the password for the 'server-cert' private key entry in the 'config/keystore' key store from the current password contained in file 'config/current.pin' to the new password contained in file 'config/new.pin'.

manage-certificates change-private-key-password --keystore config/keystore \
     --keystore-password-file config/keystore.pin --alias server-cert \
     --current-private-key-password-file config/current.pin \
     --new-private-key-password-file config/new.pin --display-keytool-command

change-private-key-password Arguments

--keystore {path}

Description	The path to the key store file containing the private key entry for which to change the password. This is required, and the key store file must exist.
Required	Yes
Multi-Valued	No

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. A key store password is required, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The path to a file containing the password needed to access the contents of the key store. A key store password is required, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

--alias {alias}

Description	The alias (also called a nickname) of the private key entry for which to change the password. This is required.
Required	Yes
Multi-Valued	No

--current-private-key-password {password}

Description	The current password used to encrypt the private key. The current private key password is required, so one of the --current-private-key-password, --current-private-key-password-file, and --prompt-for-current-private-key-password arguments is required.
Required	No
Multi-Valued	No

--current-private-key-password-file {path}

Description	The path to a file containing the current password used to encrypt the private key. The current private key password is required, so one of the --current-private-key-password, --current-private-key-password-file, and --prompt-for-current-private-key-password arguments is required. If a private key password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text private key password.
Required	No
Multi-Valued	No

--prompt-for-current-private-key-password

Description

Interactively prompt for the current private key password. The current private key password is required, so one of the --current-private-key-password, --current-private-key-password-file, and --prompt-for-current-private-key-password arguments is required.

--new-private-key-password {password}

Description	The new password to use to encrypt the private key. The new private key password is required, so one of the --new-private-key-password, --new-private-key-password-file, and --prompt-for-new-private-key-password arguments is required.
Required	No
Multi-Valued	No

--new-private-key-password-file {path}

Description	The path to a file containing the new password to use to encrypt the private key. The new private key password is required, so one of the --new-private-key-password, --new-private-key-password-file, and --prompt-for-new-private-key-password arguments is required. If a private key password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text private key password.
Required	No
Multi-Valued	No

--prompt-for-new-private-key-password

Description

Interactively prompt for the new private key password. The new private key password is required, so one of the --new-private-key-password, --new-private-key-password-file, and --prompt-for-new-private-key-password arguments is required.

--display-keytool-command

Description

Examines a key store to determine how suitable a specified certificate is for use as a server certificate.

Displays information about all of the certificates contained in a file. The certificates may be formatted in either the text-based PEM or the binary DER format, and if the file multiple certificates, then all certificates must use the same format.

Displays information about a certificate signing request (CSR) contained in a file. The CSR may be formatted in either the text-based PEM or the binary DER format.

export-certificate Examples

Export the 'server-cert' certificate in PEM format to standard output.

manage-certificates export-certificate --keystore config/keystore \
     --alias server-cert

Export the 'server-cert' certificate, and all of the certificates in its issuer chain, to the specified output file in the binary DER format. It will also display a command that can be used to accomplish a similar result using the Java keytool utility.

manage-certificates export-certificate --keystore config/keystore.p12 \
     --keystore-password-file config/keystore.pin --alias server-cert \
     --export-certificate-chain --output-format DER \
     --output-file certificate-chain.der --display-keytool-command

export-certificate Arguments

--keystore {path}

Description	The path to the key store file containing the certificates to export. This is required, and the key store file must exist.
Required	No
Multi-Valued	No

--use-jvm-default-trust-store

Description

Export certificates from the JVM-default trust store (/usr/java/oracle/jdk1.8.0_181/jre/lib/security/cacerts).

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. A key store password is optional for some key store types, but may be required for others.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The path to a file containing the password needed to access the contents of the key store. A key store password is optional for some key store types, but may be required for others. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

Interactively prompt for the key store password. A key store password is optional for some key store types, but may be required for others.

--alias {alias}

Description	The alias (also called a nickname) of the certificate to export. This is required, and it may only be provided once.
Required	Yes
Multi-Valued	No

--export-certificate-chain

Description

Indicates that the entire certificate chain (the target certificate and all of the certificates in its issuer chain) should be exported rather than just the specified target certificate.

--output-format {format}

Description	The output format to use for the exported certificate. The value may be either 'PEM' (to export the certificate in the text-based PEM format), or 'DER' (to export the certificate in the binary DER format). If this is not provided, then the PEM output format will be used.
Default Value	PEM
Required	No
Multi-Valued	No

--output-file {path}

Description	The path to the output file to which the exported certificate should be written. An output file is optional when using the PEM format, but required when using the DER format. If no output file is provided, then the exported certificate will be written to standard output.
Required	No
Multi-Valued	No

--separate-file-per-certificate

Description

Indicates that if multiple certificates are to be exported, then each certificate should be written to a different file rather than concatenating all of them into the same file. This can only be used if both the --export-certificate-chain and --output-file arguments are also provided.

--display-keytool-command

Description

Display a command that can be invoked to achieve a similar result with the Java keytool utility. Note that this may just be an approximation, since the manage-certificates and keytool utilities do not provide exactly the same sets of functionality.

export-private-key Examples

Export the private key for the 'server-cert' certificate to standard output in PEM format.

manage-certificates export-private-key --keystore config/keystore \
     --keystore-password-file config/keystore.pin --alias server-cert

Export the private key for the 'server-cert' certificate to the specified output file in the binary DER format.

manage-certificates export-private-key --keystore config/keystore.p12 \
     --keystore-password-file config/keystore.pin \
     --private-key-password-file config/server-cert-key.pin --alias server-cert \
     --output-format DER --output-file server-cert-key.der

export-private-key Arguments

--keystore {path}

Description	The path to the key store file containing the private key to export. This is required, and the key store file must exist.
Required	Yes
Multi-Valued	No

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. A key store password is required when exporting a private key, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The path to a file containing the password needed to access the contents of the key store. A key store password is required when exporting a private key, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

Interactively prompt for the key store password. A key store password is required when exporting a private key, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided.

--private-key-password {password}

Description	The password (also called a passphrase or PIN) used to protect the private key. In many cases, the private key password will be the same as the password used to protect the key store itself, and in such instances, the private key password can be omitted and the key store password will be used. However, if a private key is protected with a different password than the key store itself, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments must be provided.
Required	No
Multi-Valued	No

--private-key-password-file {path}

Description	The path to a file containing the password used to protect the private key. In many cases, the private key password will be the same as the password used to protect the key store itself, and in such instances, the private key password can be omitted and the key store password will be used. However, if a private key is protected with a different password than the key store itself, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments must be provided. If a private key password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text private key password.
Required	No
Multi-Valued	No

--prompt-for-private-key-password

Description

Interactively prompt for the private key password. In many cases, the private key password will be the same as the password used to protect the key store itself, and in such instances, the private key password can be omitted and the key store password will be used. However, if a private key is protected with a different password than the key store itself, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments must be provided.

--alias {alias}

Description	The alias (also called a nickname) of the private key to export. This is required, and it may only be provided once.
Required	Yes
Multi-Valued	No

--output-format {format}

Description	The output format to use for the exported private key. The value may be either 'PEM' (to export the private key in the text-based PEM format), or 'DER' (to export the key in the binary DER format). If this is not provided, then the PEM output format will be used.
Default Value	PEM
Required	No
Multi-Valued	No

--output-file {path}

Description	The path to the output file to which the exported private key should be written. An output file is optional when using the PEM format, but required when using the DER format. If no output file is provided, then the exported private key will be written to standard output.
Required	No
Multi-Valued	No

Generates a certificate signing request (CSR) for a private key in a key store, optionally generating the private key in the process. The certificate signing request may be either written to standard output or to a specified output file.

generate-certificate-signing-request Examples

Generates a certificate signing request for a certificate with a subject DN of 'CN=ldap.example.com,O=Example Corp,C=US'. The request will generate a new key pair in the 'server-cert' alias with a 2048-bit RSA key and a signature algorithm of SHA256withRSA. The generated certificate signing request will be sent to standard output.

manage-certificates generate-certificate-signing-request \
     --keystore config/keystore --keystore-password-file config/keystore.pin \
     --alias server-cert --subject-dn "CN=ldap.example.com,O=Example Corp,C=US"

Generates a certificate signing request to replace the existing certificate with the 'server-cert' alias. The new certificate will include the same subject, key and signature algorithms, and set of extensions as the existing certificate, and the request will be written to the server-cert.csr output file.

manage-certificates generate-certificate-signing-request \
     --keystore config/keystore --keystore-password-file config/keystore.pin \
     --alias server-cert --use-existing-key-pair --inherit-extensions \
     --output-file server-cert.csr

Generates a certificate signing request for a certificate with a subject DN of 'CN=ldap.example.com,O=Example Corp,C=US', a subject alternate name extension with DNS names of 'ldap1.example.com' and 'ldap2.example.com' and IP addresses of 1.2.3.4 and 1.2.3.5, and an extended key usage extension with the server-auth and client-auth usages. The certificate will use a newly-generated key pair with a 256-bit elliptic curve key and a signature algorithm of SHA256withECDSA. The request will be written to the server-cert.csr output file.

manage-certificates generate-certificate-signing-request \
     --keystore config/keystore --keystore-password-file config/keystore.pin \
     --alias server-cert --subject-dn "CN=ldap.example.com,O=Example Corp,C=US" \
     --key-algorithm EC --key-size-bits 256 \
     --signature-algorithm SHA256withECDSA \
     --subject-alternative-name-dns ldap1.example.com \
     --subject-alternative-name-dns ldap2.example.com \
     --subject-alternative-name-ip-address 1.2.3.4 \
     --subject-alternative-name-ip-address 1.2.3.5 \
     --extended-key-usage server-auth --extended-key-usage client-auth \
     --output-file server-cert.csr --display-keytool-command

generate-certificate-signing-request Arguments

--output-format {format}

Description	The output format to use for the the generated certificate signing request. The value may be either 'PEM' (to export the request in the text-based PEM format), or 'DER' (to export the request in the binary DER format). If this is not provided, then the PEM output format will be used.
Default Value	PEM
Required	No
Multi-Valued	No

--output-file {path}

Description	The path to the output file to which the certificate signing request should be written. If this is not provided, then the certificate signing request will be written to standard output.
Required	No
Multi-Valued	No

--keystore {path}

Description	The path to the key store file that contains the key (or in which the key will be generated) to use for the certificate signing request. This is required, but if the file does not exist, then it will be created.
Required	Yes
Multi-Valued	No

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. If the key store does not exist, then it will be created with this password. A key store password is required when generating certificate signing requests, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. The password must contain at least six characters.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. If the key store does not exist, then it will be created with this password. A key store password is required when generating certificate signing requests, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password. The password must contain at least six characters.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

Interactively prompt for the key store password. If the key store does not exist, then it will be created with this password. A key store password is required when generating certificate signing requests, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. The password must contain at least six characters.

--private-key-password {password}

Description	The password (also called a passphrase or PIN) to use to protect the private key. Although in many cases, private keys will be protected with the same password as the key store itself, it is possible to use a different password for the private key. If an alternate private key password is needed, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be used to provide that private key password. If none of these arguments is given, then the key store password will be used as the private key password. The password must contain at least six characters.
Required	No
Multi-Valued	No

--private-key-password-file {path}

Description	The path to a file containing the password to use to protect the private key. Although in many cases, private keys will be protected with the same password as the key store itself, it is possible to use a different password for the private key. If an alternate private key password is needed, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be used to provide that private key password. If none of these arguments is given, then the key store password will be used as the private key password. If a private key password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text private key password. The password must contain at least six characters.
Required	No
Multi-Valued	No

--prompt-for-private-key-password

Description

Interactively prompt for the password to use to protect the private key. Although in many cases, private keys will be protected with the same password as the key store itself, it is possible to use a different password for the private key. If an alternate private key password is needed, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be used to provide that private key password. If none of these arguments is given, then the key store password will be used as the private key password. The password must contain at least six characters.

--keystore-type {type}

Description	The key store type for the key store to create. This argument should only be provided when creating a new key store, and it will be ignored if the key store already exists. The value must be either 'JKS' for the non-standard Java Key Store format, or 'PKCS12' for the standard PKCS #12 format. If this is not provided, then a default key store type of 'JKS' will be used for newly-created key stores.
Required	No
Multi-Valued	No

--alias {alias}

Description	The alias (also called a nickname) of the private key to use to generate the certificate signing request. If the --replace-existing-certificate argument is provided, then this must be the alias of an existing private key. If the --replace-existing-certificate argument is not provided, then the alias must not already exist in the key store, and a corresponding key pair will be created in that alias.
Required	Yes
Multi-Valued	No

--use-existing-key-pair

Description

Indicates that the certificate signing request should use an existing key pair in the key store, identified by the specified alias. If this argument is not provided, then a new key pair will be generated for the certificate signing request and stored in the key store.

--subject-dn {dn}

Description	The subject DN for the certificate signing request. This must be provided unless then --replace-existing-certificate argument is given. If the --replace-existing-certificate argument is provided, then the --subject-dn argument may be omitted if you want to reuse the same subject as the existing certificate. A subject DN typically includes at least a 'CN' attribute (which in a server certificate should be the hostname that clients are expected to use when connecting to the server, and in other certificates indicates the purpose of that certificate), and may also include additional attributes like 'OU' (the associated department name), 'O' (the company or organization name), 'L' (the city or locality name), 'ST' (the full name -- NOT the two-letter abbreviation -- of the state or province), 'C' (the two-letter country code -- NOT the full country name). For example: 'CN=ldap.example.com,OU=Directory Services,O=Example Corporation,L=Austin,ST=Texas,C=US'.
Required	No
Multi-Valued	No

--key-algorithm {name}

Description	The name of the key algorithm to use to generate the key pair. If present, the value will typically be 'RSA' or 'EC' (for elliptic curve). This argument must not be provided if the --replace-existing-certificate argument is used. If neither this argument nor the --replace-existing-certificate argument is provided, then a default key algorithm of 'RSA' will be used.
Required	No
Multi-Valued	No

--key-size-bits {bits}

Description	The name of the key algorithm to use to generate the key pair. If present, the value will typically be 'RSA' or 'EC' (for elliptic curve). This argument must not be provided if the --replace-existing-certificate argument is used. If neither this argument nor the --replace-existing-certificate argument is provided, then a default key algorithm of 'RSA' will be used.
Upper Bound	2147483647
Required	No
Multi-Valued	No

--signature-algorithm {name}

Description	The name of the algorithm to use to sign the certificate. This argument must not be provided if the --replace-existing-certificate argument is used. This argument must be provided if the --key-algorithm argument is used to specify an algorithm other than 'RSA'. If neither this argument nor the --replace-existing-certificate argument is provided, then a default signature algorithm of 'SHA256withRSA' will be used.
Required	No
Multi-Valued	No

--inherit-extensions

Description

This argument can only be used in conjunction with the --replace-existing-certificate argument, and it indicates that the requested certificate should inherit all of the same extension values as the certificate being replaced (although extensions known to apply to the certificate's issuer, like authority key identifier and issuer alternative name, may be excluded). If the --replace-existing-certificate argument is provided without the --inherit-extensions argument, then the new certificate will only have the extensions that are explicitly specified using other arguments.

--subject-alternative-name-dns {name}

Description	Indicates that the certificate signing request should include a subject alternative name extension with the specified DNS hostname. This can be used to help clients trust a server certificate if they connect to the server using a different hostname than is included in the CN attribute of the certificate subject. This can be provided multiple times to specify multiple alternate hostnames, and hostnames can have an asterisk as their leftmost component (for example, '.example.com' or '.east.example.com') to match any value in that component. Each value must contain only ASCII characters, so internationalized domain names must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
Required	No
Multi-Valued	Yes

--subject-alternative-name-ip-address {name}

Description	Indicates that the certificate signing request should include a subject alternative name extension with the specified IP address. This can be used to help clients trust a server certificate if they connect to the server using an IP address rather than the hostname that is included in the CN attribute of the certificate subject. This can be provided multiple times to specify multiple IP addresses, and each value must be a valid IPv4 or IPv6 address. There is no support for wildcards, CIDR, other mechanisms for specifying a range of addresses.
Required	No
Multi-Valued	Yes

--subject-alternative-name-email-address {name}

Description	Indicates that the certificate signing request should include a subject alternative name extension with the specified email address (technically, RFC 822 name) value. This can be provided multiple times to specify multiple email addresses. Each value must contain only ASCII characters, so internationalized email addresses must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
Required	No
Multi-Valued	Yes

--subject-alternative-name-uri {uri}

Description	Indicates that the certificate signing request should include a subject alternative name extension with the specified URI value. This can be provided multiple times to specify multiple URIs. Each value must contain only ASCII characters, so internationalized resource identifiers must be mapped to URIs as described in RFC 3987.
Required	No
Multi-Valued	Yes

--subject-alternative-name-oid {oid}

Description	Indicates that the certificate signing request should include a subject alternative name extension with the specified OID as a resource identifier. This can be provided multiple times to specify multiple OIDs, and each value must be the string representation of a valid object identifier.
Required	No
Multi-Valued	Yes

--basic-constraints-is-ca {true|false}

Description	Indicates that the certificate signing request should include a basic constraints extension that indicates whether the certificate should be considered a certification authority. If present, the value must be either 'true' or 'false'.
Required	No
Multi-Valued	No

--basic-constraints-maximum-path-length {value}

Description	Indicates that the certificate should include a basic constraints extension that specifies that there must not be more than the specified number of intermediate certificates between that issuer certificate and the subject certificate in a certificate chain. This argument can only be provided in conjunction with a --basic-constraints-is-ca value of 'true'.
Upper Bound	2147483647
Required	No
Multi-Valued	No

--key-usage {value}

Description	Indicates that the certificate signing request should include a key usage extension that indicates that the certificate can be used for a specified purpose. Allowed values for this argument are 'digital-signature', 'non-repudiation', 'key-encipherment', 'data-encipherment', 'key-agreement', 'key-cert-sign', 'crl-sign', 'encipher-only', and 'decipher-only'. This argument can be provided multiple times to specify multiple key usage values.
Required	No
Multi-Valued	Yes

--extended-key-usage {value}

Description	Indicates that the certificate signing request should include an extended key usage extension that indicates that the certificate can be used for a specified purpose. Allowed values for this argument are 'server-auth', 'client-auth', 'code-signing', 'email-protection', 'time-stamping', and 'ocsp-signing', or the string representation of any valid object identifier. This argument can be provided multiple times to specify multiple extended key usage values.
Required	No
Multi-Valued	Yes

--extension {value}

Description	Indicates that the certificate signing request should include an extension with the specified content. The value must be in the form oid:criticality:value, where oid is the OID that identifies the type of extension, criticality is a value of either 'true' or 'false', and value is the hexadecimal representation of the extension value (for example, --ext 2.5.29.19:true:30030101ff).
Required	No
Multi-Valued	Yes

--display-keytool-command

Description

generate-self-signed-certificate Examples

Generates a self-signed certificate with an alias of 'server-cert' and subject DN of 'CN=ldap.example.com,O=Example Corp,C=US'. The certificate will use a 2048-bit RSA key, a signature algorithm of SHA256withRSA, and a validity of 365 days, starting immediately.

manage-certificates generate-self-signed-certificate --keystore config/keystore \
     --keystore-password-file config/keystore.pin --alias server-cert \
     --subject-dn "CN=ldap.example.com,O=Example Corp,C=US"

Generates a self-signed certificate to replace the existing certificate with the 'server-cert' alias. The new certificate will include the same subject, key and signature algorithms, and set of extensions as the existing certificate, and it will have a validity of 365 days, starting immediately.

manage-certificates generate-self-signed-certificate --keystore config/keystore \
     --keystore-password-file config/keystore.pin --alias server-cert \
     --replace-existing-certificate --inherit-extensions

Generates a self-signed server certificate with an alias of 'server-cert', a subject DN of 'CN=ldap.example.com,O=Example Corp,C=US', a 4096-bit RSA key, a signature algorithm of SHA256withRSA, a subject alternate name extension with DNS names of 'ldap1.example.com' and 'ldap2.example.com' and IP addresses of 1.2.3.4 and 1.2.3.5, and an extended key usage extension with the server-auth and client-auth usages. The certificate will have a validity of 3650 days, starting at midnight on January 1, 2017 in the local time zone.

manage-certificates generate-self-signed-certificate --keystore config/keystore \
     --keystore-password-file config/keystore.pin --alias server-cert \
     --subject-dn "CN=ldap.example.com,O=Example Corp,C=US" --days-valid 3650 \
     --validity-start-time 20170101000000 --key-algorithm RSA \
     --key-size-bits 4096 --signature-algorithm SHA256withRSA \
     --subject-alternative-name-dns ldap1.example.com \
     --subject-alternative-name-dns ldap2.example.com \
     --subject-alternative-name-ip-address 1.2.3.4 \
     --subject-alternative-name-ip-address 1.2.3.5 \
     --extended-key-usage server-auth --extended-key-usage client-auth \
     --display-keytool-command

Generates a self-signed certification authority certificate with an alias of 'ca-cert', a subject DN of 'CN=Example Certification Authority,O=Example Corp,C=US', a 256-bit elliptic curve key, a signature algorithm of SHA256withECDSA, a basic constraints extension that indicates the certificate is a certification authority, and a key usage extension with the key-cert-sign and crl-sign values. The certificate will have a validity of 7300 days, starting at midnight on January 1, 2017 in the local time zone.

manage-certificates generate-self-signed-certificate --keystore config/keystore \
     --keystore-password-file config/keystore.pin --alias ca-cert \
     --subject-dn "CN=Example Certification Authority,O=Example Corp,C=US" \
     --days-valid 7300 --validity-start-time 20170101000000 --key-algorithm EC \
     --key-size-bits 256 --signature-algorithm SHA256withECDSA \
     --basic-constraints-is-ca true --key-usage key-cert-sign \
     --key-usage crl-sign --display-keytool-command

generate-self-signed-certificate Arguments

--keystore {path}

Description	The path to the key store file in which the self-signed certificate will be created. This is required, but if the file does not exist, then it will be created.
Required	Yes
Multi-Valued	No

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. If the key store does not exist, then it will be created with this password. A key store password is required when generating certificates, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. The password must contain at least six characters.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. If the key store does not exist, then it will be created with this password. A key store password is required when generating certificates, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password. The password must contain at least six characters.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

Interactively prompt for the key store password. If the key store does not exist, then it will be created with this password. A key store password is required when generating certificates, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. The password must contain at least six characters.

--private-key-password {password}

Description	The password (also called a passphrase or PIN) to use to protect the private key. Although in many cases, private keys will be protected with the same password as the key store itself, it is possible to use a different password for the private key. If an alternate private key password is needed, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be used to provide that private key password. If none of these arguments is given, then the key store password will be used as the private key password. The password must contain at least six characters.
Required	No
Multi-Valued	No

--private-key-password-file {path}

Description	The path to a file containing the password to use to protect the private key. Although in many cases, private keys will be protected with the same password as the key store itself, it is possible to use a different password for the private key. If an alternate private key password is needed, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be used to provide that private key password. If none of these arguments is given, then the key store password will be used as the private key password. If a private key password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text private key password. The password must contain at least six characters.
Required	No
Multi-Valued	No

--prompt-for-private-key-password

Description

--keystore-type {type}

Description	The key store type for the key store to create. This argument should only be provided when creating a new key store, and it will be ignored if the key store already exists. The value must be either 'JKS' for the non-standard Java Key Store format, or 'PKCS12' for the standard PKCS #12 format. If this is not provided, then a default key store type of 'JKS' will be used for newly-created key stores.
Required	No
Multi-Valued	No

--alias {alias}

Description	The alias (also called a nickname) to use for the newly-generated certificate. If the --replace-existing-certificate argument is provided, then this must be the alias of the private key for which to replace the certificate chain with the self-signed certificate. If the --replace-existing-certificate argument is not provided, then the alias must not already exist in the key store.
Required	Yes
Multi-Valued	No

--replace-existing-certificate

Description

Indicates that the new self-signed certificate should replace the certificate chain associated with an existing private key that is identified by the --alias argument, reusing the existing key pair. If this argument is not provided, then a new key pair will be generated.

--subject-dn {dn}

Description	The subject DN for the new certificate. This must be provided unless then --replace-existing-certificate argument is given. If the --replace-existing-certificate argument is provided, then the --subject-dn argument may be omitted if you want to reuse the same subject as the existing certificate. A subject DN typically includes at least a 'CN' attribute (which in a server certificate should be the hostname that clients are expected to use when connecting to the server, and in other certificates indicates the purpose of that certificate), and may also include additional attributes like 'OU' (the associated department or organizational unit name), 'O' (the company or organization name), 'L' (the city or locality name), 'ST' (the full name -- NOT the two-letter abbreviation -- of the state or province), 'C' (the two-letter country code -- NOT the full country name). For example: 'CN=ldap.example.com,OU=Directory Services,O=Example Corporation,L=Austin,ST=Texas,C=US'.
Required	No
Multi-Valued	No

--days-valid {value}

Description	The number of days that the certificate should be considered valid. If this argument is not provided, then a default value of 365 days will be used.
Upper Bound	2147483647
Required	No
Multi-Valued	No

--validity-start-time {YYYYMMDDhhmmss}

Description	The time that the certificate's validity window should start (that is, the 'notBefore' value). If this is not provided, then the current time will be used. If a value is given, it should be in the form 'YYYYMMDDhhmmss' (for example, '20180102123456'). Timestamp values are assumed to be in the local time zone.
Required	No
Multi-Valued	No

--key-algorithm {name}

Description	The name of the key algorithm to use to generate the key pair. If present, the value will typically be 'RSA' or 'EC' (for elliptic curve). This argument must not be provided if the --replace-existing-certificate argument is used. If neither this argument nor the --replace-existing-certificate argument is provided, then a default key algorithm of 'RSA' will be used.
Required	No
Multi-Valued	No

--key-size-bits {bits}

Description	The size of the key to generate, in bits. This argument must not be provided if the --replace-existing-certificate argument is used. This argument must be provided if the --key-algorithm argument is used to specify an algorithm other than 'RSA'. If neither this argument nor the --replace-existing-certificate argument is provided, then a default key size of 2048 bits will be used.
Upper Bound	2147483647
Required	No
Multi-Valued	No

--signature-algorithm {name}

Description	The name of the algorithm to use to sign the certificate. This argument must not be provided if the --replace-existing-certificate argument is used. This argument must be provided if the --key-algorithm argument is used to specify an algorithm other than 'RSA'. If neither this argument nor the --replace-existing-certificate argument is provided, then a default signature algorithm of 'SHA256withRSA' will be used.
Required	No
Multi-Valued	No

--inherit-extensions

Description

This argument can only be used in conjunction with the --replace-existing-certificate argument, and it indicates that the new certificate should inherit all of the same extension values as the certificate being replaced (although extensions known to apply to the certificate's issuer, like authority key identifier and issuer alternative name, may be excluded). If the --replace-existing-certificate argument is provided without the --inherit-extensions argument, then the new certificate will only have the extensions that are explicitly specified using other arguments.

--subject-alternative-name-dns {name}

Description	Indicates that the certificate should include a subject alternative name extension with the specified DNS hostname. This can be used to help clients trust a server certificate if they connect to the server using a different hostname than is included in the CN attribute of the certificate subject. This can be provided multiple times to specify multiple alternate hostnames, and hostnames can have an asterisk as their leftmost component (for example, '.example.com' or '.east.example.com') to match any value in that component. Each value must contain only ASCII characters, so internationalized domain names must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
Required	No
Multi-Valued	Yes

--subject-alternative-name-ip-address {name}

Description	Indicates that the certificate should include a subject alternative name extension with the specified IP address. This can be used to help clients trust a server certificate if they connect to the server using an IP address rather than the hostname that is included in the CN attribute of the certificate subject. This can be provided multiple times to specify multiple IP addresses, and each value must be a valid IPv4 or IPv6 address. There is no support for wildcards, CIDR, other mechanisms for specifying a range of addresses.
Required	No
Multi-Valued	Yes

--subject-alternative-name-email-address {name}

Description	Indicates that the certificate should include a subject alternative name extension with the specified email address (technically, RFC 822 name) value. This can be provided multiple times to specify multiple email addresses. Each value must contain only ASCII characters, so internationalized email addresses must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
Required	No
Multi-Valued	Yes

--subject-alternative-name-uri {uri}

Description	Indicates that the certificate should include a subject alternative name extension with the specified URI value. This can be provided multiple times to specify multiple URIs. Each value must contain only ASCII characters, so internationalized resource identifiers must be mapped to URIs as described in RFC 3987.
Required	No
Multi-Valued	Yes

--subject-alternative-name-oid {oid}

Description	Indicates that the certificate should include a subject alternative name extension with the specified OID as a resource identifier. This can be provided multiple times to specify multiple OIDs, and each value must be the string representation of a valid object identifier.
Required	No
Multi-Valued	Yes

--basic-constraints-is-ca {true|false}

Description	Indicates that the certificate should include a basic constraints extension that indicates whether the certificate should be considered a certification authority. If present, the value must be either 'true' or 'false'.
Required	No
Multi-Valued	No

--basic-constraints-maximum-path-length {value}

Description	Indicates that the certificate should include a basic constraints extension that specifies that there must not be more than the specified number of intermediate certificates between that issuer certificate and the subject certificate in a certificate chain. This argument can only be provided in conjunction with a --basic-constraints-is-ca value of 'true'.
Upper Bound	2147483647
Required	No
Multi-Valued	No

--key-usage {value}

Description	Indicates that the certificate should include a key usage extension that indicates that the certificate can be used for a specified purpose. Allowed values for this argument are 'digital-signature', 'non-repudiation', 'key-encipherment', 'data-encipherment', 'key-agreement', 'key-cert-sign', 'crl-sign', 'encipher-only', and 'decipher-only'. This argument can be provided multiple times to specify multiple key usage values.
Required	No
Multi-Valued	Yes

--extended-key-usage {value}

Description	Indicates that the certificate should include an extended key usage extension that indicates that the certificate can be used for a specified purpose. Allowed values for this argument are 'server-auth', 'client-auth', 'code-signing', 'email-protection', 'time-stamping', and 'ocsp-signing', or the string representation of any valid object identifier. This argument can be provided multiple times to specify multiple extended key usage values.
Required	No
Multi-Valued	Yes

--extension {value}

Description	Indicates that the certificate should include an extension with the specified content. The value must be in the form oid:criticality:value, where oid is the OID that identifies the type of extension, criticality is a value of either 'true' or 'false', and value is the hexadecimal representation of the extension value (for example, --ext 2.5.29.19:true:30030101ff).
Required	No
Multi-Valued	Yes

--display-keytool-command

Description

Imports a certificate or certificate chain, and optionally a private key, into a key store.

import-certificate Examples

Import the certificates in the 'server-cert.crt' file into the specified key store using an alias of 'server-cert'.

manage-certificates import-certificate --keystore config/keystore \
     --keystore-password-file config/keystore.pin --alias server-cert \
     --certificate-file server-cert.crt

Import a certificate chain, including a private key, from the set of provided files into the specified key store using an alias of 'server-cert'.

manage-certificates import-certificate --keystore config/keystore \
     --keystore-password-file config/keystore.pin --alias server-cert \
     --certificate-file server-cert.crt \
     --certificate-file server-cert-issuer.crt \
     --private-key-file server-cert.key --display-keytool-command

import-certificate Arguments

--keystore {path}

Description	The path to the key store file into which the certificates and key should be imported. This is required, but if the file does not exist, then it will be created.
Required	Yes
Multi-Valued	No

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. If the key store does not exist, then it will be created with this password. A key store password is required when importing certificates, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. The password must contain at least six characters.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. If the key store does not exist, then it will be created with this password. A key store password is required when importing certificates, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password. The password must contain at least six characters.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

Interactively prompt for the key store password. If the key store does not exist, then it will be created with this password. A key store password is required when importing certificates, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. The password must contain at least six characters.

--keystore-type {type}

Description	The key store type for the key store to create. This argument should only be provided when creating a new key store, and it will be ignored if the key store already exists. The value must be either 'JKS' for the non-standard Java Key Store format, or 'PKCS12' for the standard PKCS #12 format. If this is not provided, then a default key store type of 'JKS' will be used for newly-created key stores.
Required	No
Multi-Valued	No

--alias {alias}

Description	The alias (also called a nickname) to use for the imported certificate. If multiple certificates are to be imported, then the behavior depends on whether a private key will also be imported. When importing a certificate chain along with a private key, then the alias must not already exist in the key store, and the private key and the entire certificate chain will be stored under this alias. When importing a certificate for which the corresponding private key already exists in the key store (for example, if you used the generate-certificate-request subcommand to create a certificate signing request and are now importing the signed certificate), then you should use the same alias that is used for the existing private key, and you should provide the complete certificate chain. When importing a certificate for which the corresponding private key does not already exist in the key store and for which the private key is not being provided by the --private-key-file argument, then the alias must not already exist in the key store, and any provided issuer certificates (which you should provide if they do not already exist in the key store and are not in the JVM's default set of trusted issuer certificates) will be imported with aliases that are generated from the provided alias. If there is only one issuer certificate to be imported, then it will be stored with an alias that is the provided alias with '-issuer' appended onto it. If there are multiple issuer certificates to be imported, then their aliases will be the provided alias with '-issuer-#' appended onto it, where '#' will be '1' for the first issuer certificate, '2' for the second, and so on. This is a required argument.
Required	Yes
Multi-Valued	No

--certificate-file {path}

Description	The path to a file containing a certificate or certificate chain to import. The certificates in the file may be stored either in the text-based PEM or the binary DER format, but if the file contains multiple certificates, then they must all be in the same format. You may also provide this argument multiple times to specify multiple files containing certificates to import. However, if multiple certificates are provided, then they must all form a certificate chain in which each subsequent certificate is the issuer certificate for the previous certificate. When importing a non-self-signed certificate, you should ensure that its issuer certificate is also being imported, is already in the key store under a different alias, or is in the JVM's default set of trusted certificates. At least one certificate file is required.
Required	Yes
Multi-Valued	Yes

--private-key-file {path}

Description	The path to a file containing the private key for the end certificate in the chain to be imported. It may be stored in either the text-based PEM or the binary DER format. This is an optional argument, and at most one private key file may be specified, and that file may contain only a single private key.
Required	No
Multi-Valued	No

--private-key-password {password}

Description	The password (also called a passphrase or PIN) to use to protect the private key. This is only needed when importing a private key along with a certificate chain, or when importing a certificate chain into an alias with an existing private key. In many cases, the private key password will be the same as the key store password and in such instances, the private key password can be omitted and the the key store password will be used as the private key password. However, if you are importing a private key and wish to protect it with a password that does not match the key store password, or if you are importing a new certificate chain for an existing private key that uses a password that does not match the key store password, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be provided.
Required	No
Multi-Valued	No

--private-key-password-file {path}

Description	The path to a file containing the password to use to protect the private key. This is only needed when importing a private key along with a certificate chain, or when importing a certificate chain into an alias with an existing private key. In many cases, the private key password will be the same as the key store password and in such instances, the private key password can be omitted and the the key store password will be used as the private key password. However, if you are importing a private key and wish to protect it with a password that does not match the key store password, or if you are importing a new certificate chain for an existing private key that uses a password that does not match the key store password, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be provided. If a private key password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text private key password.
Required	No
Multi-Valued	No

--prompt-for-private-key-password

Description

Interactively prompt for the password to use to protect the private key. This is only needed when importing a private key along with a certificate chain, or when importing a certificate chain into an alias with an existing private key. In many cases, the private key password will be the same as the key store password and in such instances, the private key password can be omitted and the the key store password will be used as the private key password. However, if you are importing a private key and wish to protect it with a password that does not match the key store password, or if you are importing a new certificate chain for an existing private key that uses a password that does not match the key store password, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be provided.

--no-prompt

Description

Import the certificates without prompting the end user. By default, the certificates will be displayed and the user will be interactively prompted about whether to import them.

--display-keytool-command

Description

list-certificates Examples

Display basic information about all of the certificates in the 'config/keystore' key store file.

manage-certificates list-certificates --keystore config/keystore

Display verbose information about the 'server-cert' certificate in the 'config/keystore.p12' key store file, whose contents are protected by a password contained in the 'config/keystore.pin' file. It will also display a command that can be used to accomplish a similar result using the Java keytool utility, along with a PEM-encoded representation of the certificate.

manage-certificates list-certificates --keystore config/keystore.p12 \
     --keystore-password-file config/keystore.pin --alias server-cert --verbose \
     --display-pem-certificate --display-keytool-command

Display basic information about all of the certificates in the JVM's default trust store file.

manage-certificates list-certificates --use-jvm-default-trust-store

list-certificates Arguments

--keystore {path}

Description	The path to the key store file containing the certificates to list. Either this argument or the --useJVMDefaultTrustStore argument must be provided, and if this argument is given, then the specified file must exist.
Required	No
Multi-Valued	No

--use-jvm-default-trust-store

Description

List certificates from the JVM-default trust store (/usr/java/oracle/jdk1.8.0_181/jre/lib/security/cacerts).

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. A key store password is optional for some key store types, but may be required for others.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The path to a file containing the password needed to access the contents of the key store. A key store password is optional for some key store types, but may be required for others. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

Interactively prompt for the key store password. A key store password is optional for some key store types, but may be required for others.

--alias {alias}

Description	The alias (also called a nickname) of a certificate to include in the output. This argument may be provided multiple times to identify multiple certificates to include. If this argument is provided, then only the listed certificates will be displayed. If this argument is omitted, then all certificates will be listed.
Required	No
Multi-Valued	Yes

--display-pem-certificate

Description

Include a PEM-encoded representation of each certificate in the output.

--verbose

Description

Display verbose information about each of the certificates. If this argument is not provided, then the listing will only include basic summary information for each certificate, including its subject and issuer DNs, validity start and end times, and fingerprints. If this argument is provided, then additional information, including the X.509 certificate version, serial number, signature algorithm and value, public key algorithm and content, and extensions, will also be included.

--display-keytool-command

Description

Signs a certificate signing request (CSR) provided in a specified input file using a certificate contained in a specified key store. The signed certificate may be written to either standard output or to a specified file.

sign-certificate-signing-request Examples

Signs the certificate signing request contained in file 'server-cert.csr' using the 'ca-cert' certificate contained in the 'config/keystore' key store. The subject DN, signature algorithm, and extensions from the provided certificate signing request will be used to generate the corresponding values in the signed certificate, and the certificate will be valid for 365 days, starting immediately. The signed certificate will be written to standard output in PEM format.

manage-certificates sign-certificate-signing-request \
     --request-input-file server-cert.csr --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --signing-certificate-alias ca-cert --include-requested-extensions

Signs the certificate signing request contained in file 'server-cert.csr' using the 'ca-cert' certificate contained in the 'config/keystore' key store. The subject DN, signature algorithm, and extensions from the provided certificate signing request will be used to generate the corresponding values in the signed certificate, and the certificate will also include an issuer alternative name extension with an email address of 'ca@example.com'. The signed certificate will be valid for 730 days starting at midnight on January 1, 2017 in the local timezone. The signed certificate will be written to the file 'server-cert.der' file in the binary DER format.

manage-certificates sign-certificate-signing-request \
     --request-input-file server-cert.csr \
     --certificate-output-file server-cert.der --output-format DER \
     --keystore config/keystore --keystore-password-file config/keystore.pin \
     --signing-certificate-alias ca-cert --days-valid 730 \
     --validity-start-time 20170101000000 --include-requested-extensions \
     --issuer-alternative-name-email-address 'ca@example.com'

sign-certificate-signing-request Arguments

--request-input-file {path}

Description	The path to the input file containing the certificate signing request to process. This must be provided, and the specified file must exist.
Required	Yes
Multi-Valued	No

--certificate-output-file {path}

Description	The path to the output file to which the signed certificate should be written. If this is not provided, then the certificate will be written to standard output.
Required	No
Multi-Valued	No

--output-format {format}

Description	The output format to use for the signed certificate. The value may be either 'PEM' (to write the certificate in the text-based PEM format), or 'DER' (to write the certificate in the binary DER format). If this is not provided, then the PEM output format will be used. If an output format of 'DER' is specified, then the --certificate-output-file argument must also be provided.
Default Value	PEM
Required	No
Multi-Valued	No

--keystore {path}

Description	The path to the key store file that contains the certificate that will be used to sign the requested certificate. This must be provided, and the specified file must exist.
Required	Yes
Multi-Valued	No

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store containing the signing certificate. A key store password is required when signing certificate requests, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store containing the signing certificate. A key store password is required when signing certificate requests, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

Interactively prompt for the key store password. A key store password is required when signing certificate requests, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided.

--private-key-password {password}

Description	The password (also called a passphrase or PIN) to use to protect the private key. Although in many cases, private keys will be protected with the same password as the key store itself, it is possible to use a different password for the private key. If an alternate private key password is needed, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be used to provide that private key password. If none of these arguments is given, then the key store password will be used as the private key password.
Required	No
Multi-Valued	No

--private-key-password-file {path}

Description	The path to a file containing the password to use to protect the private key. Although in many cases, private keys will be protected with the same password as the key store itself, it is possible to use a different password for the private key. If an alternate private key password is needed, then one of the --private-key-password, --private-key-password-file, or --prompt-for-private-key-password arguments should be used to provide that private key password. If none of these arguments is given, then the key store password will be used as the private key password. If a private key password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text private key password.
Required	No
Multi-Valued	No

--prompt-for-private-key-password

Description

--signing-certificate-alias {alias}

Description	The alias (also called a nickname) of the certificate to use to sign the request. This alias must exist in the key store, and it must reference a private key with a certificate chain.
Required	Yes
Multi-Valued	No

--subject-dn {dn}

Description	The subject DN for the signed certificate. A subject DN typically includes at least a 'CN' attribute (which in a server certificate should be the hostname that clients are expected to use when connecting to the server, and in other certificates indicates the purpose of that certificate), and may also include additional attributes like 'OU' (the associated department or organizational unit name), 'O' (the company or organization name), 'L' (the city or locality name), 'ST' (the full name -- NOT the two-letter abbreviation -- of the state or province), 'C' (the two-letter country code -- NOT the full country name). For example: 'CN=ldap.example.com,OU=Directory Services,O=Example Corporation,L=Austin,ST=Texas,C=US'. This argument is optional, and if it is not provided, then the subject DN from the certificate signing request will be used.
Required	No
Multi-Valued	No

--days-valid {value}

Description	The number of days that the signed certificate should be considered valid. If this argument is not provided, then a default value of 365 days will be used.
Upper Bound	2147483647
Required	No
Multi-Valued	No

--validity-start-time {YYYYMMDDhhmmss}

Description	The time that the signed certificate's validity window should start (that is, the 'notBefore' value). If this is not provided, then the current time will be used. If a value is given, it should be in the form 'YYYYMMDDhhmmss' (for example, '20180102123456'). Timestamp values are assumed to be in the local time zone.
Required	No
Multi-Valued	No

--signature-algorithm {name}

Description	The name of the algorithm to use to sign the certificate. If this is not provided, then the signature algorithm from the certificate signing request will be used.
Required	No
Multi-Valued	No

--include-requested-extensions

Description

Indicates that the signed certificate should include all of the extensions requested in the certificate signing request (although extensions known to apply to the certificate's issuer, like authority key identifier and issuer alternative name, may be excluded), and the requested extensions will be included in addition to any other extensions requested via command-line arguments. If this is not provided, then only the extensions requested via command-line arguments will be included in the signed certificate.

--subject-alternative-name-dns {name}

Description	Indicates that the signed certificate should include a subject alternative name extension with the specified DNS hostname. This can be used to help clients trust a server certificate if they connect to the server using a different hostname than is included in the CN attribute of the certificate subject. This can be provided multiple times to specify multiple alternate hostnames, and hostnames can have an asterisk as their leftmost component (for example, '.example.com' or '.east.example.com') to match any value in that component. Each value must contain only ASCII characters, so internationalized domain names must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
Required	No
Multi-Valued	Yes

--subject-alternative-name-ip-address {name}

Description	Indicates that the signed certificate should include a subject alternative name extension with the specified IP address. This can be used to help clients trust a server certificate if they connect to the server using an IP address rather than the hostname that is included in the CN attribute of the certificate subject. This can be provided multiple times to specify multiple IP addresses, and each value must be a valid IPv4 or IPv6 address. There is no support for wildcards, CIDR, other mechanisms for specifying a range of addresses.
Required	No
Multi-Valued	Yes

--subject-alternative-name-email-address {name}

Description	Indicates that the signed certificate should include a subject alternative name extension with the specified email address (technically, RFC 822 name) value. This can be provided multiple times to specify multiple email addresses. Each value must contain only ASCII characters, so internationalized email addresses must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
Required	No
Multi-Valued	Yes

--subject-alternative-name-uri {uri}

Description	Indicates that the signed certificate should include a subject alternative name extension with the specified URI value. This can be provided multiple times to specify multiple URIs. Each value must contain only ASCII characters, so internationalized resource identifiers must be mapped to URIs as described in RFC 3987.
Required	No
Multi-Valued	Yes

--subject-alternative-name-oid {oid}

Description	Indicates that the signed certificate should include a subject alternative name extension with the specified OID as a resource identifier. This can be provided multiple times to specify multiple OIDs, and each value must be the string representation of a valid object identifier.
Required	No
Multi-Valued	Yes

--issuer-alternative-name-dns {name}

Description	Indicates that the signed certificate should include an issuer alternative name extension with the specified DNS hostname. This can be provided multiple times to specify multiple alternate hostnames, and hostnames can have an asterisk as their leftmost component (for example, '.example.com' or '.east.example.com') to match any value in that component. Each value must contain only ASCII characters, so internationalized domain names must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
Required	No
Multi-Valued	Yes

--issuer-alternative-name-ip-address {name}

Description	Indicates that the signed certificate should include an issuer alternative name extension with the specified IP address. This can be provided multiple times to specify multiple IP addresses, and each value must be a valid IPv4 or IPv6 address. There is no support for wildcards, CIDR, other mechanisms for specifying a range of addresses.
Required	No
Multi-Valued	Yes

--issuer-alternative-name-email-address {name}

Description	Indicates that the signed certificate should include an issuer alternative name extension with the specified email address (technically, RFC 822 name) value. This can be provided multiple times to specify multiple email addresses. Each value must contain only ASCII characters, so internationalized email addresses must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
Required	No
Multi-Valued	Yes

--issuer-alternative-name-uri {uri}

Description	Indicates that the signed certificate should include an issuer alternative name extension with the specified URI value. This can be provided multiple times to specify multiple URIs. Each value must contain only ASCII characters, so internationalized resource identifiers must be mapped to URIs as described in RFC 3987.
Required	No
Multi-Valued	Yes

--issuer-alternative-name-oid {oid}

Description	Indicates that the signed certificate should include an issuer alternative name extension with the specified OID as a resource identifier. This can be provided multiple times to specify multiple OIDs, and each value must be the string representation of a valid object identifier.
Required	No
Multi-Valued	Yes

--basic-constraints-is-ca {true|false}

Description	Indicates that the signed certificate should include a basic constraints extension that indicates whether the certificate should be considered a certification authority. If present, the value must be either 'true' or 'false'.
Required	No
Multi-Valued	No

--basic-constraints-maximum-path-length {value}

Description	Indicates that the certificate should include a basic constraints extension that specifies that there must not be more than the specified number of intermediate certificates between that issuer certificate and the subject certificate in a certificate chain. This argument can only be provided in conjunction with a --basic-constraints-is-ca value of 'true'.
Upper Bound	2147483647
Required	No
Multi-Valued	No

--key-usage {value}

Description	Indicates that the signed certificate should include a key usage extension that indicates that the certificate can be used for a specified purpose. Allowed values for this argument are 'digital-signature', 'non-repudiation', 'key-encipherment', 'data-encipherment', 'key-agreement', 'key-cert-sign', 'crl-sign', 'encipher-only', and 'decipher-only'. This argument can be provided multiple times to specify multiple key usage values.
Required	No
Multi-Valued	Yes

--extended-key-usage {value}

Description	Indicates that the signed certificate should include an extended key usage extension that indicates that the certificate can be used for a specified purpose. Allowed values for this argument are 'server-auth', 'client-auth', 'code-signing', 'email-protection', 'time-stamping', and 'ocsp-signing', or the string representation of any valid object identifier. This argument can be provided multiple times to specify multiple extended key usage values.
Required	No
Multi-Valued	Yes

--extension {value}

Description	Indicates that the signed certificate should include an extension with the specified content. The value must be in the form oid:criticality:value, where oid is the OID that identifies the type of extension, criticality is a value of either 'true' or 'false', and value is the hexadecimal representation of the extension value (for example, --ext 2.5.29.19:true:30030101ff).
Required	No
Multi-Valued	Yes

--no-prompt

Description

Sign the request without prompting the end user. By default, the certificate signing request will be displayed and the user will be interactively prompted about whether to sign it.

--display-keytool-command

Description

Initiates a secure connection to a server to get that server's certificate chain, and then adds those certificates to a key store so that it can be used as a trust store for that server.

trust-server-certificate Examples

Establishes a secure connection to the server ds.example.com on port 636 and adds that server's certificate chain to the 'config/truststore' key store with a base alias of 'ds.example.com:636'. The tool will display verbose information about the certificate chain presented by the server, and will interactively prompt about whether to trust that chain.

manage-certificates trust-server-certificate --hostname ds.example.com \
     --port 636 --keystore config/truststore \
     --keystore-password-file config/truststore.pin --verbose

Establishes a non-secure connection to ds.example.com on port 389, and then uses the LDAP StartTLS extended operation to transition to a secure connection. It will then add the server's issuer certificates to the 'config/truststore' key store with a base alias of 'ds-start-tls-cert'. The tool will trust the certificate chain without any confirmation from the user.

manage-certificates trust-server-certificate --hostname ds.example.com \
     --port 389 --use-ldap-start-tls --keystore config/truststore \
     --keystore-password-file config/truststore.pin --issuers-only \
     --alias ds-start-tls-cert --no-prompt

trust-server-certificate Arguments

-h {host}
--hostname {host}

Description	The hostname or IP address of the server to which the connection should be established. This must be provided.
Required	Yes
Multi-Valued	No

-p {port}
--port {port}

Description	The TCP port number of the server to which the connection should be established. Unless the --use-ldap-start-tls argument is provided, the port number must be one on which the server expects to accept TLS-based connections. If the --use-ldap-start-tls argument is provided, then the specified port must be one on which an LDAP server is listening for non-secure connections but on which clients may use the StartTLS extended operation to transition to using secure communication. Standard secure port numbers include 636 for LDAPS and 443 for HTTPS, and the standard non-secure port for LDAP is 389. This must be provided.
Required	Yes
Multi-Valued	No

-q
--use-ldap-start-tls

Description

Indicates that the tool should initially establish a non-secure connection to an LDAP server, and then use the StartTLS extended operation to transition to using secure communication.

--keystore {path}

Description	The path to the key store file to which the certificates should be added. This is required, but if the file does not exist, then it will be created.
Required	Yes
Multi-Valued	No

--keystore-password {password}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. If the key store does not exist, then it will be created with this password. A key store password is required when importing certificates, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. The password must contain at least six characters.
Required	No
Multi-Valued	No

--keystore-password-file {path}

Description	The password (also called a passphrase or PIN) needed to access the contents of the key store. If the key store does not exist, then it will be created with this password. A key store password is required when importing certificates, so one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments must be provided. If a key store password file is supplied, then the file must exist, must contain only one line, and that line must consist only of the clear-text key store password. The password must contain at least six characters.
Required	No
Multi-Valued	No

--prompt-for-keystore-password

Description

--keystore-type {type}

Description	The key store type for the key store to create. This argument should only be provided when creating a new key store, and it will be ignored if the key store already exists. The value must be either 'JKS' for the non-standard Java Key Store format, or 'PKCS12' for the standard PKCS #12 format. If this is not provided, then a default key store type of 'JKS' will be used for newly-created key stores.
Required	No
Multi-Valued	No

--alias {alias}

Description	The alias (also called a nickname) to use for the first certificate to add to the key store. This alias must not already be in use in the key store. If multiple certificates are to be imported, then the first certificate imported will use this alias, and subsequent certificates will have either '-issuer' (if there is only one issuer certificate) or '-issuer-#' (if there are multiple issuers, where # will be replaced with an incrementing number for each subsequent issuer). If this is omitted, then a default alias will be constructed from the hostname and port number.
Required	No
Multi-Valued	No

--issuers-only

Description

Indicates that the tool should only update the key store to include the issuer certificates for the target server, but omit the server certificate at the head of the chain. This may be useful in environments in which all servers are signed by a common issuer and it is sufficient to trust just the issuer certificates. This argument will not have any effect for self-signed certificates in which a certificate is its own issuer.

--enableSSLDebugging

Description

Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'.

--verbose

Description

Display verbose information about the certificates in the server's certificate chain.

--no-prompt

Description

Trust the server certificates without prompting the end user. By default, the server certificate chain will be displayed and the user will be interactively prompted about whether to trust the certificate.

Description	The path to the key store file for which to change the password. This is required, and the key store file must exist.
Required	Yes
Multi-Valued	No

Description	The current password for the key store. The current password is required, so one of the --current-keystore-password, --current-keystore-password-file, or --prompt-for-current-keystore-password arguments must be provided.
Required	No
Multi-Valued	No

Description	The new password for the key store. The new password is required, so one of the --new-keystore-password, --new-keystore-password-file, or --prompt-for-new-keystore-password arguments must be provided.
Required	No
Multi-Valued	No

Description	The path to a file containing the certificates to be printed. The certificates may be formatted in either the text-based PEM format or the binary DER format. If the certificates are in PEM format, then each certificate must include the begin header and end footer, and blank lines and lines that start with the octothorpe character (#) will be ignored. If the certificates are in DER format, then there must not be any delimiter between the certificates.
Required	Yes
Multi-Valued	No

Description	The path to a properties file used to specify default values for arguments not supplied on the command line.
Required	No
Multi-Valued	No

Description	Write an empty properties file that may be used to specify default values for arguments.
Required	No
Multi-Valued	No

manage-certificates

Description

Examples

Subcommands

change-certificate-alias

change-certificate-alias Examples

change-certificate-alias Arguments

change-keystore-password

change-keystore-password Examples

change-keystore-password Arguments

change-private-key-password

change-private-key-password Examples

change-private-key-password Arguments

check-certificate-usability

check-certificate-usability Examples

check-certificate-usability Arguments

delete-certificate

delete-certificate Examples

delete-certificate Arguments

display-certificate-file

display-certificate-file Examples

display-certificate-file Arguments

display-certificate-signing-request-file

display-certificate-signing-request-file Examples

display-certificate-signing-request-file Arguments

export-certificate

export-certificate Examples

export-certificate Arguments

export-private-key

export-private-key Examples

export-private-key Arguments

generate-certificate-signing-request

generate-certificate-signing-request Examples

generate-certificate-signing-request Arguments

generate-self-signed-certificate

generate-self-signed-certificate Examples

generate-self-signed-certificate Arguments

import-certificate

import-certificate Examples

import-certificate Arguments

list-certificates

list-certificates Examples

list-certificates Arguments

sign-certificate-signing-request

sign-certificate-signing-request Examples

sign-certificate-signing-request Arguments

trust-server-certificate

trust-server-certificate Examples

trust-server-certificate Arguments

Arguments