Common Java KeyTool Commands

Java Keytool Commands for Creating and Importing

The commands below allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair
    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
  • Generate a certificate signing request (CSR) for an existing Java keystore
    keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
  • Import a root or intermediate CA certificate to an existing Java keystore
    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
  • Import a signed primary certificate to an existing Java keystore
    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
  • Generate a keystore and self-signed certificate
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Checking

Use these commands to check the information within a certificate or Java keystore.

  • Check a stand-alone certificate
    keytool -printcert -v -file mydomain.crt
  • Check which certificates are in a Java keystore
    keytool -list -v -keystore keystore.jks
  • Check a particular keystore entry using an alias
    keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool keystore
    keytool -delete -alias mydomain -keystore keystore.jks
  • Change a Java keystore password
    keytool -storepasswd -new new_storepass -keystore keystore.jks
  • Export a certificate from a keystore
    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
  • List Trusted CA Certs
    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Import New CA into Trusted Certs
    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

2 Ways To Prevent Java Crapware: Ask Toolbar

How-To-Geek has a great article on how to prevent the Java installer from installing the Ask Toolbar and other crapware.

Below are the 2 methods:

  1. Using the Java Control Panel: This method is only available if you already have java installed and want to avoid accidentally installing its crapware when you update it.
    1. Press the [Windows] key
    2. type “java”
    3. Click “Configure Java”
    4. At the bottom of the “Advanced” tab, put a check in the “Suppress sponsor offers when installing or updating Java” option.
  2. Use the registry to set the option even before Java is installed.
    1. Open notepad
    2. Paste the following into a new document
       Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft] "SPONSORS"="DISABLE" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft] "SPONSORS"="DISABLE" 
    3. Save the document with a .reg extension
    4. Double-Click the new file

Allow Firefox & Chrome To Access Restricted Ports

When separating WebLogic E1 JAS instances we usually end up using odd port numbers. Sometimes, we use ports that have been put on a restricted list by both Firefox and Chrome.

Below is a list of the ports that are blocked and the service that is the reason for it being blocked:

1 – tcpmux 7 – echo 9 – discard 11 – systat
13 – daytime 15 – netstat 17 – qotd 19 – chargen
20 – ftp data 21 – ftp control 22 – ssh 23 – telnet
25 – smtp 37 – time 42 – name 43 – nicname
53 – domain 77 – priv-rjs 79 – finger 87 – ttylink
95 – supdup 101 – hostriame 102 – iso-tsap 103 – gppitnp
104 – acr-nema 109 – POP2 110 – POP3 111 – sunrpc
113 – auth 115 – sftp 117 – uucp-path 119 – NNTP
123 – NTP 135 – loc-srv / epmap 139 – netbios 143 – IMAP2
179 – BGP 389 – LDAP 465 – SMTP+SSL 512 – print / exec
513 – login 514 – shell 515 – printer 526 – tempo
530 – courier 531 – chat 532 – netnews 540 – uucp
556 – remotefs 563 – NNTP+SSL 587 – submission 601 – syslog
636 – LDAP+SSL 993 – IMAP+SSL 995 – POP3+SSL 2049 – nfs
4045 – lockd 6000 – X11    

For more detail about this you can visit Mozilla’s website.

We ended up using ports 81-89. As you can see in the table above, port 87 is listed because of a service called “ttylink“. Below are the steps that you can take to “whitelist” any port you want. However, I would recommend not using the list of restricted ports. It is much easier than going through these steps with all of your users or maintaining a Windows Group PolicyWindows Group Policy.


  1. Type the following URL into Firefox: about:config
  2. Create a string setting called:
  3. Give your new setting a value of “87”. You can also include a comma separated list, a range or a combination of both: 87, 150-300, 350, 400, 450-500


  1. Modify your shortcut to Chrome by changing the “Target” field to look something like:
    “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”

IBM WebSphere: The Password To The PLUGIN-KEY.KDB File Expires On April 26, 2012

If you are using IBM WebSphere, this is very important.

The password to the plugin-key.kdb file that is shipped with WebSphere Application Server expires on April 26, 2012 US EDT. This file is placed in the [Plugin_Home]/config/{webservername} directory when a web server plug-in is configured on an installed web server.

According to the documentation, this should only effect those systems that are setup to use SSL.

After the password expiration date passes, the next time the web server running the web server plug-in is restarted, or the next time the plugin-cfg.xml is modified, the HTTPS (SSL) connectivity between the web server plug-in and the WebSphere Application Server might fail or revert to a non-SSL function and will not be encrypted.

NOTE: The default password for the plugin-key.kdb file is WebAS.

IBM Flash Alert: Password to the plugin-key.kdb file expires on April 26, 2012 US EDT

Demo Of Oracle JDEdwards EnterpriseOne Tools Release 9.1 User Interface Improvements

Oracle has significantly improved its EnterpriseOne user interface with their tools release version 9.1 The new user interface does not only look better but offers many new productivity features. Steltix has created a YouTube video and an on-line hands-on experience demo:

Steltix Video is at:

Steltix Public on-line demo is at:
user: demo
password: demo