Java Keytool Examples

Creating an Advanced Encryption Standard (AES) Key, Keystore and Certificate Signing Request (CSR) w/ JCEKS Keystore

AES is used for private (secret) key infrastructures (PKI) and signing. Cipher suites that use AES_256 might require installation of the JCE Unlimited Strength Jurisdiction Policy Files from Oracle.

The optional -dname option may be used for identifying the key.

Creating an AES-based Key, Keystore and Certificate Signing Request (CSR)

Create the AES Key and Keystore

keytool -genseckey -alias serverkey -keyalg AES -keysize 256 -sigalg SHA512withRSA -keystore tomcat/conf/jceks.keystore -storetype jceks -validity 1460 -storepass changeit -dname "CN=server.whackywidget.com,OU=Enterprise IT,O=SuperDuper,L=Smallville,ST=CO,C=US" -ext san=dns:server.whackywidget.com

Check the AES Key and Keystore creation

keytool -list -v -keystore tomcat/conf/jceks.keystore -storetype jceks -storepass changeit

Create the AES Certificate Signing Request (CSR)

keytool -certreq -v -keyalg AES -alias serverkey -file tomcat/conf/server.csr -keypass changeit -keystore tomcat/conf/jceks.keystore -storetype jceks -storepass changeit -ext san=dns:server.whackywidget.com

Creating an AES 128 bit key and keystore

Here is how to create an AES 128 bit key with a JCEKS keystore.

keytool -genseckey -keyalg AES -alias aes128 -keysize 128 -keypass AESKey123 -keystore this.keystore -storetype jceks -storepass changeit

Check the AES 128 bit key and keystore creation

keytool -list -v -keystore this.keystore -storetype jceks -storepass changeit

Creating an AES 192 bit key and keystore

Here is how to create an AES 192 bit key with a JCEKS keystore.

keytool -genseckey -keyalg AES -alias aes192 -keysize 192 -keypass AESKey123 -keystore this.keystore -storetype jceks -storepass changeit

Check the AES 192 bit key and keystore creation

keytool -list -v -keystore this.keystore -storetype jceks -storepass changeit

Creating an AES 256 bit key and keystore

Here is how to create an AES 256 bit key with a JCEKS keystore.

keytool -genseckey -keyalg AES -alias aes256 -keysize 256 -keypass AESKey123 -sigalg SHA512withRSA -keystore that.keystore -storetype jceks -storepass changeit

Check the AES 256 bit key and keystore creation

keytool -list -v -keystore that.keystore -storetype jceks -storepass changeit
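
As an added example (not from the original page), the script below repeats the -genseckey and -list steps for the 128, 192 and 256 bit keys, but passes the passwords through keytool's :env modifier instead of on the command line, and extracts the entry type so the check can be scripted. KS_PASS, KEY_PASS, the function names and the demo paths and passwords are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. KS_PASS and KEY_PASS are assumed
# variable names; the demo paths and passwords below are constructed values.
set -u

# make_aes_key <keystore> <alias> <bits>
# keytool's :env modifier reads each password from the named environment
# variable, keeping it off the keytool command line and out of shell history.
make_aes_key() {
    local ks=$1 alias=$2 bits=$3
    (
        umask 077   # a newly created keystore file is owner-readable only
        keytool -genseckey -keyalg AES -keysize "$bits" -alias "$alias" \
            -keystore "$ks" -storetype jceks \
            -storepass:env KS_PASS -keypass:env KEY_PASS
    ) >/dev/null 2>&1
}

# entry_type <keystore> <alias>
# Prints the entry type from "keytool -list -v" (SecretKeyEntry for an AES key).
# Prints nothing if the alias is missing or the store password is wrong.
entry_type() {
    LC_ALL=C keytool -list -v -keystore "$1" -storetype jceks -alias "$2" \
        -storepass:env KS_PASS 2>/dev/null |
        sed -n 's/^Entry type: *\([A-Za-z]*\).*/\1/p'
}

# Demo: run the script with the single argument "demo".
if [ "${1:-}" = "demo" ]; then
    export KS_PASS='constructed-store-pass' KEY_PASS='constructed-key-pass'
    dir=$(mktemp -d)
    for bits in 128 192 256; do
        make_aes_key "$dir/demo.keystore" "aes$bits" "$bits" || exit 1
        echo "aes$bits: $(entry_type "$dir/demo.keystore" "aes$bits")"
    done
    rm -rf "$dir"
fi
```

The listing reports the entry type only, so the alias name is the only record of the key size in this check.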