The process is as follows:
Create the Keystore and generate a certificate. An example is shown below:
keytool -genkey -alias client -keyalg RSA -keystore client.jks -keysize 2048

shuvro-mac:test shuvrodas$ keytool -genkey -alias client -keyalg RSA -keystore client.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Shuvro Das
What is the name of your organizational unit?
  [Unknown]:  GSS
What is the name of your organization?
  [Unknown]:  Pivotal
What is the name of your City or Locality?
  [Unknown]:  Pune
What is the name of your State or Province?
  [Unknown]:  Maharashtra
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Shuvro Das, OU=GSS, O=Pivotal, L=Pune, ST=Maharashtra, C=IN correct?
  [no]:  yes

Enter key password for <client>
        (RETURN if same as keystore password):
Re-enter new password:
shuvro-mac:test shuvrodas$
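Create a certificate signing request (CSR) for an existing Java KeyStore. Note that the command shown for this step uses -export, so it writes the keystore's self-signed certificate to client.cer rather than a CSR, which keytool produces with -certreq: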
keytool -export -alias client -file client.cer -keystore client.jks

shuvro-mac:test shuvrodas$ keytool -export -alias client -file client.cer -keystore client.jks
Enter keystore password:
Certificate stored in file <client.cer>
Export a certificate from a Keystore:
keytool -export -alias client -file client.crt -keystore client.jks

shuvro-mac:test shuvrodas$ keytool -export -alias client -file client.crt -keystore client.jks
Enter keystore password:
Certificate stored in file <client.crt>
Import the certificate to the Truststore. In the command below, client.cer/client.crt means either of the two exported files; pass one of them as the -file argument:
keytool -import -v -trustcacerts -alias client -file client.cer/client.crt -keystore clienttrust.jks

shuvro-mac:test shuvrodas$ keytool -export -alias client -file client.cer -keystore client.jks
Enter keystore password:
Certificate stored in file <client.cer>
shuvro-mac:test shuvrodas$ keytool -import -v -trustcacerts -alias client -file client.cer -keystore clienttrust.jks
Enter keystore password:
Re-enter new password:
Owner: CN=Shuvro Das, OU=GSS, O=Pivotal, L=Pune, ST=Maharashtra, C=IN
Issuer: CN=Shuvro Das, OU=GSS, O=Pivotal, L=Pune, ST=Maharashtra, C=IN
Serial number: 10c6b2dc
Valid from: Fri Jul 29 11:00:02 IST 2016 until: Thu Oct 27 11:00:02 IST 2016
Certificate fingerprints:
         MD5: A0:4F:EE:40:CC:AF:86:71:D9:AE:35:B1:8D:BB:56:F8
         SHA1: 47:16:54:20:D5:5D:66:BD:69:C0:4A:1F:67:AD:BF:44:58:3C:41:53
         SHA256: 47:B6:57:8C:C0:41:84:5B:05:0D:C4:C9:97:45:68:99:53:2A:1B:7A:2E:BA:F8:F8:96:49:09:F1:BC:57:66:F3
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 90 12 BB 49 90 FD 85 97 A2 CF 9A 24 32 5C 6A 33  ...I.......$2\j3
0010: D5 6A C3 54                                      .j.T
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing clienttrust.jks]
shuvro-mac:test shuvrodas$
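The steps above as one non-interactive script, with a check that the truststore entry carries the same SHA-256 fingerprint as the keystore entry. This is an added example, not part of the original article: it uses keytool's current option names (-genkeypair, -exportcert, -importcert), and the function names, the KS_PASS and TS_PASS environment variables, and the -dname subject are assumptions.

```shell
#!/bin/sh
# Added example: the keystore -> certificate -> truststore steps, run non-interactively.
set -eu

# Read `keytool -list -v` or `keytool -printcert` output on stdin and print the
# first SHA-256 fingerprint it contains (nothing if there is none).
sha256_fp() {
  awk '$1 == "SHA256:" && !seen++ { print $2 }'
}

# build_stores DIR: create DIR/client.jks, export DIR/client.cer, import it into
# DIR/clienttrust.jks, then print the fingerprint if both stores hold the same certificate.
build_stores() {
  dir=$1
  # KS_PASS and TS_PASS are names assumed by this example. They must be exported so that
  # keytool's :env modifier can read them, which keeps passwords out of the argument list.
  : "${KS_PASS:?export KS_PASS (keystore password, 6+ characters)}"
  : "${TS_PASS:?export TS_PASS (truststore password, 6+ characters)}"

  # -dname is a constructed subject; -validity 90 is the 90-day default seen in the transcript.
  keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=Example Client, OU=Example Unit, O=Example Org, C=IN" \
    -keystore "$dir/client.jks" -storepass:env KS_PASS -keypass:env KS_PASS >&2
  keytool -exportcert -alias client -file "$dir/client.cer" \
    -keystore "$dir/client.jks" -storepass:env KS_PASS >&2
  # -noprompt skips the "Trust this certificate?" question, so the check below replaces it.
  keytool -importcert -noprompt -alias client -file "$dir/client.cer" \
    -keystore "$dir/clienttrust.jks" -storepass:env TS_PASS >&2

  ks_fp=$(keytool -list -v -alias client -keystore "$dir/client.jks" \
    -storepass:env KS_PASS | sha256_fp)
  ts_fp=$(keytool -list -v -alias client -keystore "$dir/clienttrust.jks" \
    -storepass:env TS_PASS | sha256_fp)
  if [ -z "$ks_fp" ] || [ "$ks_fp" != "$ts_fp" ]; then
    echo "fingerprint mismatch: keystore=$ks_fp truststore=$ts_fp" >&2
    return 1
  fi
  echo "$ks_fp"
}

# Usage: KS_PASS=... TS_PASS=... sh build-stores.sh run ./out
if [ "${1:-}" = "run" ]; then
  build_stores "${2:-.}"
fi
```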
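If you need to check the information within a certificate or Java Keystore, or to manage its entries, use these commands. In order, they: print a stand-alone certificate; list every entry in a keystore; list one entry by alias; delete an entry; change the keystore password; export a certificate; list the trusted CA certificates in the JRE's cacerts store; and import a CA certificate into cacerts. On Java 9 and later, cacerts is at $JAVA_HOME/lib/security/cacerts.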
keytool -printcert -v -file mydomain.crt
keytool -list -v -keystore keystore.jks
keytool -list -v -keystore keystore.jks -alias mydomain
keytool -delete -alias mydomain -keystore keystore.jks
keytool -storepasswd -new new_storepass -keystore keystore.jks
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts