Useful OpenSSL & Keytool commands.

  1. Create a CSR (Certificate Signing Request). Tip: In windows use git bash to run the openssl commands.
openssl req -out myapp.csr -new -newkey rsa:2048 -nodes -keyout myapp.key

Send the csr to a Certificate Authority (CA) to get a signed cert. Keep myapp.key in a safe place. Once we get a signed certificate import it along with the key into a keystore.

  1. Export myapp.crt received from the Certificate Authority into a p12 keystore. Tip: Using winpty before openssl will avoid openssl hung issues in windows.
winpty openssl pkcs12 -export -in myapp.crt -inkey myapp.key -name -out myapp.p12
  1. If you want to add another certificate / private key entry from another keystore into this p12 keystore use the below keytool command.
keytool -importkeystore -deststorepass mypassword -destkeystore myapp.p12 -srckeystore anotherapp.p12 -srcstoretype PKCS12

After this command, myapp.p12 will contain 2 privatekey entries ( &

Note: For the above myapp.p12 to work properly the key password and store password of anotherapp.p12 should be same as the key/store password for myapp.p12. Otherwise we would see the below errors while using the keystore (with multiple private key entries / certificates).

Errors: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

(or) Cannot recover key

  1. Command to change store password and key password.
keytool -storepasswd -new mypassword -keystore anotherapp.p12 -storepass oldpassword 
keytool -keypasswd -alias -keypass oldpassword -new mypassword -keystore anotherapp.p12 -storepass mypassword
  1. Command to list and view the certificates / entries in a p12 keystore.
keytool -v -list -storetype pkcs12 -keystore myapp.p12
  1. Command to change a p12 keystore to a JKS keystore (if needed)
 keytool -importkeystore -deststorepass mypassword -destkeystore myapp.jks -srckeystore myapp.p12 -srcstoretype PKCS12 
  1. To be able to view the password in keytool commands while you are typing use git bash in windows. In command prompt the password will not be visible.
$ keytool -importkeystore -deststorepass mypassword -destkeystore myapp.jks -srckeystore myapp.p12 -srcstoretype PKCS12
Importing keystore myapp.p12 to myapp.jks…
Enter source keystore password: 7&$$Lpwd
  1. Command to verify the key password.
$ keytool -keypasswd -keystore myapp.pkcs12 -alias
Enter keystore password: mykeystorepwd

//If the key password and keystore password are same, you will get a prompt for new password like below.

New key password for <>: mynewkeypassword

//If the key password and keystore password are NOT same, you will get a prompt to Enter key password.

Enter key password for <>mydiffkeypassword

Leave a Reply

%d bloggers like this: