
Delete old Certificates from keytool


Article ID: 174921


Products

Data Loss Prevention Enforce

Issue/Introduction

You have an old certificate in your keystore that needs to be removed, and you don't know its alias (name).

Resolution

You will use the Keytool application and list all of the certificates in the Keystore. Open an Administrator command prompt.

C:> keytool -list -keystore .keystore

(If keytool does not run from the directory you are in, you will need to fix your Java environment variables, since keytool is a Java application. Alternatively, change to the directory where keytool is located.)

You may also need to give the full path to your keystore if you are not in the keystore's directory.

Below are the various arguments you can use:

-list
{-alias alias} {-storetype storetype} {-keystore keystore} [-storepass storepass]
{-providerName provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v | -rfc} {-protected} {-Jjavaoption}

Prints to stdout the contents of the keystore entry identified by alias. If no alias is specified, then the contents of the entire keystore are printed.

This command by default prints the SHA1 fingerprint of a certificate. If the -v option is specified, then the certificate is printed in human-readable format, with additional information such as the owner, issuer, serial number, and any extensions. If the -rfc option is specified, then the certificate contents are printed using the printable encoding format, as defined by the Internet RFC 1421 Certificate Encoding Standard.

You cannot specify both -v and -rfc.

 

Then use Keytool again to delete the Certificate you don't want in your Keystore. Open an Administrator command prompt.

C:> keytool -delete -alias aliasname -keystore .keystore

Where "aliasname" is what you learned from the list command above.

Below are the various arguments you can use:

-delete
[-alias alias] {-storetype storetype} {-keystore keystore} [-storepass storepass]
{-providerName provider_name}  
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}

Deletes from the keystore the entry identified by alias. The user is prompted for the alias when no alias is provided at the command line.
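When the keystore holds many entries, the verbose listing (-list -v) can be parsed to find which alias carries the expired certificate before running -delete. The following is an added example, not part of the original article: it assumes English-locale keytool output, uses a constructed sample listing, and its function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample of English-locale `keytool -list -v` output, not a real keystore.
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=enforce.example.test, O=Example
Valid from: Fri Mar 03 10:00:00 UTC 2023 until: Tue Mar 03 10:00:00 UTC 2043

Alias name: oldserver
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=old.example.test, O=Example
Valid from: Mon Jan 05 09:30:00 PST 2015 until: Thu Jan 05 09:30:00 PST 2017
Certificate[2]:
Owner: CN=Example Root CA, O=Example
Valid from: Fri Mar 03 10:00:00 UTC 2023 until: Tue Mar 03 10:00:00 UTC 2043
"""

VALID_RE = re.compile(r"Valid from: .+ until: (.+)$")

def parse_java_date(text):
    # Java prints dates as "Thu Jan 05 09:30:00 PST 2017"; the zone token is
    # dropped here, so the comparison is only accurate to within a day.
    t = text.split()
    return datetime.strptime(" ".join((t[1], t[2], t[3], t[5])), "%b %d %H:%M:%S %Y")

def list_entries(listing):
    """Return one dict per alias, using the first (leaf) certificate of each entry."""
    entries, current = [], None
    for line in (raw.strip() for raw in listing.splitlines()):
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip(), "owner": None, "not_after": None}
            entries.append(current)
        elif current is None:
            continue  # header lines before the first entry
        elif line.startswith("Owner:") and current["owner"] is None:
            current["owner"] = line.split(":", 1)[1].strip()
        elif current["not_after"] is None and (m := VALID_RE.match(line)):
            current["not_after"] = parse_java_date(m.group(1))
    return entries

def expired_aliases(listing, now):
    """Aliases whose leaf certificate's end date is before `now`."""
    return [e["alias"] for e in list_entries(listing)
            if e["not_after"] is not None and e["not_after"] < now]

if __name__ == "__main__":
    for alias in expired_aliases(SAMPLE_LISTING, datetime.now()):
        print("expired:", alias)
```

Copy the keystore file to a backup location before deleting any alias the script reports, and confirm the entry's owner and dates by running -list -v with that alias first.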