keytool is Java’s command-line utility for keystores, truststores, CSRs, and certificate import/export. It is not a separate download—it ships inside the Java Development Kit (JDK). On Ubuntu, OpenJDK packages install keytool under /usr/lib/jvm/.../bin/ and register /usr/bin/keytool through update-alternatives.
If your shell prints keytool: command not found, either Java is missing or your PATH does not include the JDK bin directory you expect. This guide covers every practical Ubuntu install path—default-jdk, version-specific openjdk-*-jdk, JAVA_HOME, verification, a quick keystore smoke test, update, and uninstall—with real command output from a live system.
Tested on: Ubuntu 25.04 (Plucky Puffin); kernel 6.14.0-37-generic; amd64; OpenJDK 21.0.9 (default-jdk); OpenJDK 17.0.17 JRE headless also present.
apt install keytool returns nothing useful. Install default-jdk or openjdk-<version>-jdk instead.
Prerequisites
- Ubuntu 22.04 LTS, 24.04 LTS, or newer (25.04 tested here) on amd64 or arm64.
- sudo for package installation.
- Outbound HTTPS to Ubuntu archives (and optionally Oracle or SDKMAN for advanced installs).
See check Ubuntu version if you are unsure which release you are on. For general Java programming setup, see install Java on Linux, Windows and MAC.
Understand what you are installing
| Component | What it provides | Includes keytool? |
|---|---|---|
| default-jdk | Ubuntu’s current default JDK branch + javac, jar, headers | Yes |
| openjdk-<N>-jdk | Specific OpenJDK major version (11, 17, 21, 25, …) | Yes |
| openjdk-<N>-jre-headless | Runtime only (no javac) | Yes on Ubuntu (binary in JRE bin/) |
| openjdk-<N>-jre (full GUI JRE) | Desktop Java runtime | Yes |
Many guides claim “you must install the JDK because JRE does not include keytool.” That was often true on older Oracle installers. On Ubuntu OpenJDK packages today, even openjdk-17-jre-headless ships /usr/lib/jvm/java-17-openjdk-amd64/bin/keytool. Still install a JDK when you also need javac, Maven, Gradle, or Tomcat builds—or when you want the default Ubuntu Java branch without guessing package names.
Choose an install method
| Method | Best for | Jump to |
|---|---|---|
| default-jdk (apt) | Most users: tracks Ubuntu’s supported default JDK | Method 1 |
| Version-specific openjdk-*-jdk | Projects pinned to Java 11, 17, 21, or 25 | Method 2 |
| JRE headless only | Minimal servers that only need java + keytool | Method 3 |
| Oracle JDK tarball | Vendor builds, commercial support, non-apt layout | Method 4 |
| SDKMAN | Side-by-side JDK versions per user without apt | Method 5 |
For most Ubuntu workstations and servers, sudo apt install default-jdk is the right starting point.
Ubuntu release → default JDK branch
| Ubuntu release | default-jdk provides | Typical JAVA_HOME symlink |
|---|---|---|
| 25.04 (Plucky) | OpenJDK 21 | /usr/lib/jvm/default-java → java-21-openjdk-amd64 |
| 24.04 (Noble) | OpenJDK 21 | same pattern |
| 22.04 (Jammy) | OpenJDK 11 | /usr/lib/jvm/default-java → java-11-openjdk-amd64 |
Run apt-cache policy default-jdk on your host to confirm the candidate before installing.
Method 1: Install keytool with default-jdk (recommended)
Refresh indexes and install the metapackage:
sudo apt update
apt-cache policy default-jdk
sudo apt install -y default-jdk
On Ubuntu 25.04:
default-jdk:
Candidate: 2:1.21-76
...
Setting up openjdk-21-jdk:amd64 (21.0.9+10-1~25.04) ...
Verify Java and keytool:
java -version
javac -version
keytool -help
which keytool
openjdk version "21.0.9" 2025-10-21
OpenJDK Runtime Environment (build 21.0.9+10-Ubuntu-125.04)
OpenJDK 64-Bit Server VM (build 21.0.9+10-Ubuntu-125.04, mixed mode, sharing)
javac 21.0.9
Key and Certificate Management Tool
Commands:
-certreq Generates a certificate request
-changealias Changes an entry's alias
...
/usr/bin/keytool
Confirm the symlink target:
readlink -f /usr/bin/keytool
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool
Method 2: Install a specific OpenJDK JDK version
Use this when Maven, Gradle, Kafka, or your employer standardizes on a fixed Java major version.
List available JDK packages:
apt list 'openjdk*-jdk' 2>/dev/null | grep -E '/'
Install the version you need (examples):
# Java 17 LTS
sudo apt install -y openjdk-17-jdk
# Java 21 LTS (also Ubuntu 24.04/25.04 default)
sudo apt install -y openjdk-21-jdk
# Java 25 (current feature release on Ubuntu 25.04)
sudo apt install -y openjdk-25-jdk
Switch the system default when multiple JDKs are installed:
sudo update-alternatives --config java
sudo update-alternatives --config keytool
Sample update-alternatives --display keytool output with Java 17 and 21 both installed:
keytool - auto mode
link best version is /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool
link currently points to /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool
/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool - priority 1711
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool - priority 2111
Higher priority wins in auto mode. Use --config when you need Java 17 keytool while Java 21 remains the default java.
Method 3: JRE headless only (when keytool is enough)
On a minimal node that only inspects or imports certificates:
sudo apt update
sudo apt install -y openjdk-17-jre-headless
keytool -help
dpkg -L openjdk-17-jre-headless | grep '/bin/keytool$'
/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool
This works for keytool -list, -importcert, and -printcert, but you do not get javac. Prefer default-jdk unless you are deliberately minimizing packages.
Method 4: Oracle JDK tarball (advanced)
Download the Linux x64 JDK .tar.gz from Oracle Java downloads or use the vendor’s apt repository instructions. Typical layout after extracting to /opt:
sudo mkdir -p /opt/java
sudo tar -xf jdk-21_linux-x64_bin.tar.gz -C /opt/java
export JAVA_HOME=/opt/java/jdk-21
export PATH=$JAVA_HOME/bin:$PATH
keytool -help
Register with update-alternatives if you want /usr/bin/keytool to point at Oracle:
sudo update-alternatives --install /usr/bin/keytool keytool $JAVA_HOME/bin/keytool 1
You are responsible for security updates: Ubuntu’s unattended-upgrades will not patch /opt/java automatically.
Method 5: SDKMAN (side-by-side JDKs per user)
SDKMAN installs JDKs under ~/.sdkman/candidates/java/ without replacing apt packages—useful when one user needs Temurin 17 and another needs 21.
curl -s "https://get.sdkman.io" | bash
source "$HOME/.sdkman/bin/sdkman-init.sh"
sdk list java
sdk install java 21.0.9-tem
sdk use java 21.0.9-tem
keytool -help
which keytool
/home/user/.sdkman/candidates/java/current/bin/keytool
SDKMAN adjusts JAVA_HOME for that shell session. CI images and production servers usually stick to apt for reproducibility.
Set JAVA_HOME and PATH
Scripts and tools (Maven, Gradle, Tomcat, Spring Boot) expect JAVA_HOME to point at the JDK root, not the bin folder.
Session-only (Ubuntu default JDK)
export JAVA_HOME=/usr/lib/jvm/default-java
export PATH=$JAVA_HOME/bin:$PATH
echo "JAVA_HOME=$JAVA_HOME"
keytool -help | head -3
JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
Key and Certificate Management Tool
Persist for your user (~/.bashrc or ~/.profile):
cat >> ~/.bashrc <<'EOF'
export JAVA_HOME=/usr/lib/jvm/default-java
export PATH=$JAVA_HOME/bin:$PATH
EOF
source ~/.bashrc
System-wide (/etc/environment, no export keyword):
grep -q '^JAVA_HOME=' /etc/environment || \
echo 'JAVA_HOME="/usr/lib/jvm/default-java"' | sudo tee -a /etc/environment
Log out and back in so GUI apps and cron jobs pick up the change.
Verify keytool is working
Command and package checks
command -v keytool
keytool -help 2>&1 | head -5
java -version
dpkg -l | grep -E 'default-jdk|openjdk-.*-jdk'
Find every keytool binary (multiple JDKs)
find /usr/lib/jvm -name keytool -type f 2>/dev/null
/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool
Use this when CI reports a different keytool than your interactive shell.
Default truststore (cacerts) location
KEYTOOL=$(readlink -f "$(command -v keytool)")
JAVA_HOME=$(dirname "$(dirname "$KEYTOOL")")
ls -l "$JAVA_HOME/lib/security/cacerts"
keytool -list -cacerts -storepass changeit 2>&1 | head -5
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 113 entries
The default password is changeit. You will import private CAs here for Java HTTPS clients, a topic covered in upcoming keytool truststore guides.
Quick smoke test: create a PKCS12 keystore
Prove keytool can write a keystore (safe to run in /tmp):
cd /tmp
rm -f kt-smoke.p12
keytool -genkeypair -alias smoke -keyalg RSA -keysize 2048 -validity 30 \
-storetype PKCS12 -keystore kt-smoke.p12 -storepass changeit \
-dname "CN=localhost" -noprompt
keytool -list -keystore kt-smoke.p12 -storepass changeit
rm -f kt-smoke.p12
Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 30 days
for: CN=localhost
Keystore type: PKCS12
...
smoke, Jul 2, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 79:44:CD:6F:...
A PrivateKeyEntry confirms the install is functional, not merely a command not found fix.
Keep keytool updated
keytool does not update separately. It tracks your OpenJDK package.
Default JDK metapackage
sudo apt update
sudo apt upgrade -y default-jdk default-jre
java -version
keytool -help 2>&1 | head -1
Version-specific package
sudo apt upgrade -y openjdk-21-jdk
After upgrades with multiple JDKs installed, re-check alternatives:
update-alternatives --display keytool | head -6
Uninstall keytool / remove Java
Removing the JDK (or JRE) package removes keytool when no other Java package provides it.
Remove default JDK
sudo apt purge -y default-jdk default-jdk-headless
sudo apt autoremove -y
command -v keytool || echo "keytool removed"
Remove one version-specific JDK
sudo apt purge -y openjdk-21-jdk openjdk-21-jdk-headless
sudo apt autoremove -y
Remove JRE-only install
sudo apt purge -y openjdk-17-jre-headless
sudo apt autoremove -y
If openjdk-17-jre-headless and openjdk-21-jdk are both installed, purging only the JRE may leave keytool from Java 21. Check with which keytool after every purge.
For broader cleanup, see guide to removing software on Ubuntu.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| keytool: command not found | No Java package installed | sudo apt install -y default-jdk |
| java works but keytool missing | Non-OpenJDK minimal runtime, custom Docker image, or broken alternatives | Install openjdk-*-jdk or openjdk-*-jre-headless; run sudo update-alternatives --config keytool |
| Wrong keytool version / different from java | Multiple JDKs; PATH bypasses alternatives | readlink -f $(which keytool) and readlink -f $(which java); align with update-alternatives |
| JAVA_HOME set but keytool not found | JAVA_HOME points at JRE root without bin/keytool | export JAVA_HOME=/usr/lib/jvm/default-java; ensure $JAVA_HOME/bin/keytool exists |
| keytool not found in cron or systemd service | Non-login shell lacks PATH | Set Environment=JAVA_HOME=... in the unit file or use full path in scripts |
| keytool not found in Docker | Slim JRE image without JDK tools | Install default-jdk in the Dockerfile or copy a known PKCS12 keystore |
| Android Studio / CI uses different Java | IDE bundles its own JDK | Point IDE to /usr/lib/jvm/default-java or use the embedded JDK’s bin/keytool |
| apt install keytool finds nothing | keytool is not a standalone package | Install default-jdk or openjdk-*-jdk |
Diagnose “command not found” step by step
java -version 2>&1
command -v keytool || echo "keytool missing"
ls /usr/lib/jvm/*/bin/keytool 2>/dev/null
echo "JAVA_HOME=${JAVA_HOME:-unset}"
echo "PATH=$PATH"
If java fails but you expected Java installed, install default-jdk first. If java works but keytool is missing, inspect /usr/lib/jvm/*/bin/keytool and fix update-alternatives or PATH.
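The "wrong keytool version / different from java" row above, turned into a repeatable check. This is an added example, not part of the original guide: the function names jdk_home_of, same_jdk and make_demo_tree are hypothetical, and make_demo_tree builds a constructed directory layout so the mismatch case can be reproduced without touching the real alternatives.

```shell
# Added example, not from the original guide; function names are hypothetical.
# Print the JDK root a tool resolves to, following the symlink chain
# /usr/bin -> /etc/alternatives -> /usr/lib/jvm/<jdk>/bin.
jdk_home_of() (
    real=$(readlink -f -- "$1" 2>/dev/null) || exit 1
    [ -f "$real" ] && [ -x "$real" ] || exit 1
    bindir=$(dirname -- "$real")
    [ "$(basename -- "$bindir")" = bin ] || exit 1
    dirname -- "$bindir"
)

# Compare two tools, plus JAVA_HOME when a third argument is given.
# Prints one verdict line; exit status 0 match, 1 mismatch, 2 unresolved.
same_jdk() (
    a=$(jdk_home_of "$1") || { echo "unresolved: $1"; exit 2; }
    b=$(jdk_home_of "$2") || { echo "unresolved: $2"; exit 2; }
    [ "$a" = "$b" ] || { echo "mismatch: $a vs $b"; exit 1; }
    if [ -n "${3:-}" ]; then
        h=$(readlink -f -- "$3" 2>/dev/null) || h=$3
        [ "$h" = "$a" ] || { echo "mismatch: JAVA_HOME=$h vs $a"; exit 1; }
    fi
    echo "match: $a"
)

# Constructed sample layout (not a real host): java -> JDK 21 but
# keytool -> JDK 17, as when the two alternatives were set separately.
make_demo_tree() (
    root=$(mktemp -d) || exit 1
    for v in 17 21; do
        mkdir -p "$root/jvm/java-$v/bin"
        for t in java keytool; do
            printf '#!/bin/sh\n' > "$root/jvm/java-$v/bin/$t"
            chmod +x "$root/jvm/java-$v/bin/$t"
        done
    done
    mkdir -p "$root/alt" "$root/bin"
    ln -s "$root/jvm/java-21/bin/java" "$root/alt/java"
    ln -s "$root/jvm/java-17/bin/keytool" "$root/alt/keytool"
    ln -s "$root/alt/java" "$root/bin/java"
    ln -s "$root/alt/keytool" "$root/bin/keytool"
    echo "$root"
)

# Live check on this host, skipped when either tool is absent.
if command -v java >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
    same_jdk "$(command -v java)" "$(command -v keytool)" "${JAVA_HOME:-}" || true
fi
```

The exit status makes the check usable as a gate in a CI step or provisioning script before any keystore is created or imported.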
keytool vs OpenSSL
| Task | Tool |
|---|---|
| Inspect a remote HTTPS certificate | OpenSSL (openssl s_client) |
| Create PEM keys/certs, CSRs, local CA | OpenSSL |
| Manage Java keystore / truststore (JKS, PKCS12) | keytool |
| Import CA into Java cacerts | keytool |
| Convert PEM key + cert → PKCS12 for Java | OpenSSL, then keytool or use the .p12 directly |
See the OpenSSL cheat sheet and generate self-signed certificate with OpenSSL for the OpenSSL side. Upcoming keytool guides will cover importing those materials into Java keystores.
Summary
keytool is included with OpenJDK on Ubuntu—install default-jdk (or a version-specific openjdk-*-jdk) rather than searching for a keytool package. Verify with keytool -help, set JAVA_HOME=/usr/lib/jvm/default-java, and use update-alternatives --config keytool when multiple JDKs are present. Run the PKCS12 smoke test to confirm PrivateKeyEntry creation, upgrade through apt upgrade, and apt purge the JDK when you want keytool removed.
Next: build keystores and truststores in the keytool command cheat sheet and upcoming TLS guides in this series.

