How to Install keytool on Ubuntu

Fix keytool command not found on Ubuntu by installing OpenJDK (default-jdk or openjdk-21-jdk), set JAVA_HOME and PATH, verify with keytool -help, run a PKCS12 smoke test, update through apt, and uninstall cleanly.


Reviewed by Deepak Prasad


keytool is Java’s command-line utility for keystores, truststores, CSRs, and certificate import/export. It is not a separate download—it ships inside the Java Development Kit (JDK). On Ubuntu, OpenJDK packages install keytool under /usr/lib/jvm/.../bin/ and register /usr/bin/keytool through update-alternatives.

If your shell prints keytool: command not found, either Java is missing or your PATH does not include the JDK bin directory you expect. This guide covers every practical Ubuntu install path—default-jdk, version-specific openjdk-*-jdk, JAVA_HOME, verification, a quick keystore smoke test, update, and uninstall—with real command output from a live system.

Tested on: Ubuntu 25.04 (Plucky Puffin); kernel 6.14.0-37-generic; amd64; OpenJDK 21.0.9 (default-jdk); OpenJDK 17.0.17 JRE headless also present.

NOTE
keytool is not an apt package name. Searching apt install keytool returns nothing useful. Install default-jdk or openjdk-<version>-jdk instead.

Prerequisites

  • Ubuntu 22.04 LTS, 24.04 LTS, or newer (25.04 tested here) on amd64 or arm64.
  • sudo for package installation.
  • Outbound HTTPS to Ubuntu archives (and optionally Oracle or SDKMAN for advanced installs).

See check Ubuntu version if you are unsure which release you are on. For general Java programming setup, see install Java on Linux, Windows and MAC.


Understand what you are installing

| Component | What it provides | Includes keytool? |
| --- | --- | --- |
| default-jdk | Ubuntu’s current default JDK branch + javac, jar, headers | Yes |
| openjdk-<N>-jdk | Specific OpenJDK major version (11, 17, 21, 25, …) | Yes |
| openjdk-<N>-jre-headless | Runtime only (no javac) | Yes on Ubuntu (binary in JRE bin/) |
| openjdk-<N>-jre (full GUI JRE) | Desktop Java runtime | Yes |

Many guides claim “you must install the JDK because JRE does not include keytool.” That was often true on older Oracle installers. On Ubuntu OpenJDK packages today, even openjdk-17-jre-headless ships /usr/lib/jvm/java-17-openjdk-amd64/bin/keytool. Still install a JDK when you also need javac, Maven, Gradle, or Tomcat builds—or when you want the default Ubuntu Java branch without guessing package names.


Choose an install method

| Method | Best for | Jump to |
| --- | --- | --- |
| default-jdk (apt) | Most users—tracks Ubuntu’s supported default JDK | Method 1 |
| Version-specific openjdk-*-jdk | Projects pinned to Java 11, 17, 21, or 25 | Method 2 |
| JRE headless only | Minimal servers that only need java + keytool | Method 3 |
| Oracle JDK tarball | Vendor builds, commercial support, non-apt layout | Method 4 |
| SDKMAN | Side-by-side JDK versions per user without apt | Method 5 |

For most Ubuntu workstations and servers, sudo apt install default-jdk is the right starting point.

Ubuntu release → default JDK branch

| Ubuntu release | default-jdk provides | Typical JAVA_HOME symlink |
| --- | --- | --- |
| 25.04 (Plucky) | OpenJDK 21 | /usr/lib/jvm/default-java → java-21-openjdk-amd64 |
| 24.04 (Noble) | OpenJDK 21 | same pattern |
| 22.04 (Jammy) | OpenJDK 11 | /usr/lib/jvm/default-java → java-11-openjdk-amd64 |

Run apt-cache policy default-jdk on your host to confirm the candidate before installing.


Method 1: default-jdk (apt)

Refresh indexes and install the metapackage:

bash
sudo apt update
apt-cache policy default-jdk
sudo apt install -y default-jdk

On Ubuntu 25.04:

text
default-jdk:
  Candidate: 2:1.21-76
...
Setting up openjdk-21-jdk:amd64 (21.0.9+10-1~25.04) ...

Verify Java and keytool:

bash
java -version
javac -version
keytool -help
which keytool

text
openjdk version "21.0.9" 2025-10-21
OpenJDK Runtime Environment (build 21.0.9+10-Ubuntu-125.04)
OpenJDK 64-Bit Server VM (build 21.0.9+10-Ubuntu-125.04, mixed mode, sharing)

javac 21.0.9

Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 ...

/usr/bin/keytool

Confirm the symlink target:

bash
readlink -f /usr/bin/keytool

text
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool

Method 2: Install a specific OpenJDK JDK version

Use this when Maven, Gradle, Kafka, or your employer standardizes on a fixed Java major version.

List available JDK packages:

bash
apt list 'openjdk*-jdk' 2>/dev/null | grep -E '/'

Install the version you need (examples):

bash
# Java 17 LTS
sudo apt install -y openjdk-17-jdk

# Java 21 LTS (also Ubuntu 24.04/25.04 default)
sudo apt install -y openjdk-21-jdk

# Java 25 (current feature release on Ubuntu 25.04)
sudo apt install -y openjdk-25-jdk

Switch the system default when multiple JDKs are installed:

bash
sudo update-alternatives --config java
sudo update-alternatives --config keytool

Sample update-alternatives --display keytool output with Java 17 and 21 both installed:

text
keytool - auto mode
  link best version is /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool
  link currently points to /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool
/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool - priority 1711
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool - priority 2111

Higher priority wins in auto mode. Use --config when you need Java 17 keytool while Java 21 remains the default java.


Method 3: JRE headless only (when keytool is enough)

On a minimal node that only inspects or imports certificates:

bash
sudo apt update
sudo apt install -y openjdk-17-jre-headless
keytool -help
dpkg -L openjdk-17-jre-headless | grep '/bin/keytool$'

text
/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool

This works for keytool -list, -importcert, and -printcert, but you do not get javac. Prefer default-jdk unless you are deliberately minimizing packages.


Method 4: Oracle JDK tarball (advanced)

Download the Linux x64 JDK .tar.gz from Oracle Java downloads or use the vendor’s apt repository instructions. Typical layout after extracting to /opt:

bash
sudo mkdir -p /opt/java
sudo tar -xf jdk-21_linux-x64_bin.tar.gz -C /opt/java
export JAVA_HOME=/opt/java/jdk-21
export PATH=$JAVA_HOME/bin:$PATH
keytool -help

Register with update-alternatives if you want /usr/bin/keytool to point at Oracle:

bash
sudo update-alternatives --install /usr/bin/keytool keytool $JAVA_HOME/bin/keytool 1

You are responsible for security updates—Ubuntu’s unattended-upgrades will not patch /opt/java automatically.


Method 5: SDKMAN (side-by-side JDKs per user)

SDKMAN installs JDKs under ~/.sdkman/candidates/java/ without replacing apt packages—useful when one user needs Temurin 17 and another needs 21.

bash
curl -s "https://get.sdkman.io" | bash
source "$HOME/.sdkman/bin/sdkman-init.sh"
sdk list java
sdk install java 21.0.9-tem
sdk use java 21.0.9-tem
keytool -help
which keytool

text
/home/user/.sdkman/candidates/java/current/bin/keytool

SDKMAN adjusts JAVA_HOME for that shell session. CI images and production servers usually stick to apt for reproducibility.


Set JAVA_HOME and PATH

Scripts and tools (Maven, Gradle, Tomcat, Spring Boot) expect JAVA_HOME to point at the JDK root, not the bin folder.

Session-only (Ubuntu default JDK)

bash
export JAVA_HOME=/usr/lib/jvm/default-java
export PATH=$JAVA_HOME/bin:$PATH
echo "JAVA_HOME=$JAVA_HOME"
keytool -help | head -3

text
JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
Key and Certificate Management Tool

Persist for your user (~/.bashrc or ~/.profile):

bash
cat >> ~/.bashrc <<'EOF'
export JAVA_HOME=/usr/lib/jvm/default-java
export PATH=$JAVA_HOME/bin:$PATH
EOF
source ~/.bashrc

System-wide (/etc/environment—no export keyword):

bash
grep -q '^JAVA_HOME=' /etc/environment || \
  echo 'JAVA_HOME="/usr/lib/jvm/default-java"' | sudo tee -a /etc/environment

Log out and back in so GUI apps and cron jobs pick up the change.


Verify keytool is working

Command and package checks

bash
command -v keytool
keytool -help 2>&1 | head -5
java -version
dpkg -l | grep -E 'default-jdk|openjdk-.*-jdk'

Find every keytool binary (multiple JDKs)

bash
find /usr/lib/jvm -name keytool -type f 2>/dev/null

text
/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool

Use this when CI reports a different keytool than your interactive shell.

Default truststore (cacerts) location

bash
KEYTOOL=$(readlink -f "$(command -v keytool)")
JAVA_HOME=$(dirname "$(dirname "$KEYTOOL")")
ls -l "$JAVA_HOME/lib/security/cacerts"
keytool -list -cacerts -storepass changeit 2>&1 | head -5

text
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 113 entries

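The default password is changeit. Because that value is public, it does not protect the truststore; its integrity rests on the file's ownership and permissions. You will import private CAs here for Java HTTPS clients—a topic covered in upcoming keytool truststore guides.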


Quick smoke test: create a PKCS12 keystore

Prove keytool can write a keystore (safe to run in /tmp):

bash
cd /tmp
rm -f kt-smoke.p12
keytool -genkeypair -alias smoke -keyalg RSA -keysize 2048 -validity 30 \
  -storetype PKCS12 -keystore kt-smoke.p12 -storepass changeit \
  -dname "CN=localhost" -noprompt
keytool -list -keystore kt-smoke.p12 -storepass changeit
rm -f kt-smoke.p12

text
Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 30 days
	for: CN=localhost
Keystore type: PKCS12
...
smoke, Jul 2, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 79:44:CD:6F:...

A PrivateKeyEntry confirms the install is functional—not merely a command not found fix.


Keep keytool updated

keytool does not update separately. It tracks your OpenJDK package.

Default JDK metapackage

bash
sudo apt update
sudo apt upgrade -y default-jdk default-jre
java -version
keytool -help 2>&1 | head -1

Version-specific package

bash
sudo apt upgrade -y openjdk-21-jdk

After upgrades with multiple JDKs installed, re-check alternatives:

bash
update-alternatives --display keytool | head -6
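
A scripted form of that re-check, as an added example that is not part of the original guide: it parses update-alternatives --display keytool output and reports when the selected keytool is not the highest-priority one, which is what happens when an older JDK was pinned with --config and a newer one is installed later. The function name alt_status and the embedded sample output are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag a keytool alternative that is not the best-priority one.

# alt_status: reads `update-alternatives --display keytool` output on stdin.
# Prints "mode=<auto|manual> current=<path> best=<path>".
# Returns 0 when current == best, 1 when they differ, 2 when the input is not recognisable.
alt_status() {
    awk '
        NR == 1 && $2 == "-"          { mode = $3 }   # e.g. "keytool - auto mode"
        /link best version is /       { best = $NF }
        /link currently points to /   { cur  = $NF }
        END {
            if (mode == "" || cur == "" || best == "") exit 2
            printf "mode=%s current=%s best=%s\n", mode, cur, best
            exit (cur == best ? 0 : 1)
        }'
}

# Constructed sample: Java 17 was pinned with --config, then Java 21 was installed.
sample_manual() {
    cat <<'EOF'
keytool - manual mode
  link best version is /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool
  link currently points to /usr/lib/jvm/java-17-openjdk-amd64/bin/keytool
  link keytool is /usr/bin/keytool
/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool - priority 1711
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool - priority 2111
EOF
}

# On a real host, replace sample_manual with: update-alternatives --display keytool
sample_manual | alt_status || echo "keytool is pinned away from the highest-priority JDK"
```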

Uninstall keytool / remove Java

Removing the JDK (or JRE) package removes keytool when no other Java package provides it.

Remove default JDK

bash
sudo apt purge -y default-jdk default-jdk-headless
sudo apt autoremove -y
command -v keytool || echo "keytool removed"

Remove one version-specific JDK

bash
sudo apt purge -y openjdk-21-jdk openjdk-21-jdk-headless
sudo apt autoremove -y

Remove JRE-only install

bash
sudo apt purge -y openjdk-17-jre-headless
sudo apt autoremove -y

If openjdk-17-jre-headless and openjdk-21-jdk are both installed, purging only the JRE may leave keytool from Java 21. Check with which keytool after every purge.

For broader cleanup, see guide to removing software on Ubuntu.


Troubleshooting

| Symptom | Likely cause | Fix |
| --- | --- | --- |
| keytool: command not found | No Java package installed | sudo apt install -y default-jdk |
| java works but keytool missing | Non-OpenJDK minimal runtime, custom Docker image, or broken alternatives | Install openjdk-*-jdk or openjdk-*-jre-headless; run sudo update-alternatives --config keytool |
| Wrong keytool version / different from java | Multiple JDKs; PATH bypasses alternatives | readlink -f $(which keytool) and readlink -f $(which java); align with update-alternatives |
| JAVA_HOME set but keytool not found | JAVA_HOME points at JRE root without bin/keytool | export JAVA_HOME=/usr/lib/jvm/default-java; ensure $JAVA_HOME/bin/keytool exists |
| keytool not found in cron or systemd service | Non-login shell lacks PATH | Set Environment=JAVA_HOME=... in the unit file or use full path in scripts |
| keytool not found in Docker | Slim JRE image without JDK tools | Install default-jdk in the Dockerfile or copy a known PKCS12 keystore |
| Android Studio / CI uses different Java | IDE bundles its own JDK | Point IDE to /usr/lib/jvm/default-java or use the embedded JDK’s bin/keytool |
| apt install keytool finds nothing | keytool is not a standalone package | Install default-jdk or openjdk-*-jdk |

Diagnose “command not found” step by step

bash
java -version 2>&1
command -v keytool || echo "keytool missing"
ls /usr/lib/jvm/*/bin/keytool 2>/dev/null
echo "JAVA_HOME=${JAVA_HOME:-unset}"
echo "PATH=$PATH"

If java fails but you expected Java installed, install default-jdk first. If java works but keytool is missing, inspect /usr/lib/jvm/*/bin/keytool and fix update-alternatives or PATH.
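
The "Wrong keytool version / different from java" check from the troubleshooting table, as an added example that is not part of the original guide: it resolves java and keytool through every symlink and compares the JDK roots they land in. The function names (find_on_path, jdk_root, check_alignment) are hypothetical helpers, and an optional PATH-style argument lets the check run against a CI or service PATH instead of the interactive one.

```bash
#!/bin/sh
# Added example: do java and keytool come from the same JDK?

# find_on_path NAME [PATH_VALUE]: first executable regular file NAME in a PATH-style list.
find_on_path() (
    name=$1
    set -f; IFS=:                  # split on ':' only, no globbing (subshell-local)
    for dir in ${2:-$PATH}; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            exit 0
        fi
    done
    exit 1
)

# jdk_root BINARY: resolve every symlink, then strip the trailing /bin/<tool>.
jdk_root() (
    real=$(readlink -f "$1") || exit 1
    [ -x "$real" ] || exit 1
    dirname "$(dirname "$real")"
)

# check_alignment [PATH_VALUE]
# Returns 0 = same JDK root, 1 = different roots, 2 = a tool is missing.
check_alignment() (
    search=${1:-$PATH}
    java_bin=$(find_on_path java "$search")  || { echo "java: not found";    exit 2; }
    kt_bin=$(find_on_path keytool "$search") || { echo "keytool: not found"; exit 2; }
    java_root=$(jdk_root "$java_bin") || exit 2
    kt_root=$(jdk_root "$kt_bin")     || exit 2
    echo "java    -> $java_root"
    echo "keytool -> $kt_root"
    [ "$java_root" = "$kt_root" ]
)

# Run against the current PATH; the message covers both non-zero outcomes.
check_alignment || echo "java and keytool do not share one JDK root (or one is missing)"
```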


keytool vs OpenSSL

| Task | Tool |
| --- | --- |
| Inspect a remote HTTPS certificate | OpenSSL (openssl s_client) |
| Create PEM keys/certs, CSRs, local CA | OpenSSL |
| Manage Java keystore / truststore (JKS, PKCS12) | keytool |
| Import CA into Java cacerts | keytool |
| Convert PEM key + cert → PKCS12 for Java | OpenSSL, then keytool or use the .p12 directly |

See the OpenSSL cheat sheet and generate self-signed certificate with OpenSSL for the OpenSSL side. Upcoming keytool guides will cover importing those materials into Java keystores.



Summary

keytool is included with OpenJDK on Ubuntu—install default-jdk (or a version-specific openjdk-*-jdk) rather than searching for a keytool package. Verify with keytool -help, set JAVA_HOME=/usr/lib/jvm/default-java, and use update-alternatives --config keytool when multiple JDKs are present. Run the PKCS12 smoke test to confirm PrivateKeyEntry creation, upgrade through apt upgrade, and apt purge the JDK when you want keytool removed.

Next: build keystores and truststores in the keytool command cheat sheet and upcoming TLS guides in this series.


Frequently Asked Questions

1. Why is keytool command not found on Ubuntu?

keytool ships with a Java JDK (or with Ubuntu OpenJDK JRE headless packages). The error usually means no Java package is installed, or your shell PATH does not include the active JDK bin directory such as /usr/lib/jvm/java-21-openjdk-amd64/bin. Install default-jdk and verify with which keytool.

2. Do I need JDK or JRE to get keytool on Ubuntu?

Install a JDK package (default-jdk or openjdk-21-jdk) for the full Java toolchain including javac. On Ubuntu, openjdk-17-jre-headless and newer JRE headless packages also ship keytool, but a JDK is the safer choice for keystore work and matches most tutorials.

3. How do I install keytool on Ubuntu?

Run sudo apt update && sudo apt install -y default-jdk. Ubuntu 25.04 pulls OpenJDK 21. Verify with keytool -help and java -version. For a specific release use sudo apt install -y openjdk-17-jdk or openjdk-21-jdk.

4. Where is keytool installed on Ubuntu?

The binary lives under the active JDK, for example /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool. /usr/bin/keytool is a symlink managed by update-alternatives. The default truststore cacerts file is at $JAVA_HOME/lib/security/cacerts.

5. How do I set JAVA_HOME for keytool on Ubuntu?

Point JAVA_HOME at the JDK root, for example export JAVA_HOME=/usr/lib/jvm/default-java and export PATH=$JAVA_HOME/bin:$PATH. On Ubuntu, /usr/lib/jvm/default-java symlinks to the default-jdk branch. Persist the lines in ~/.bashrc or /etc/environment.

6. How do I update keytool on Ubuntu?

keytool updates with your OpenJDK package. Run sudo apt update && sudo apt upgrade -y default-jdk openjdk-21-jdk (or your version-specific package). Confirm with keytool -help and check update-alternatives --display keytool if you run multiple JDKs.

7. How do I uninstall keytool from Ubuntu?

Remove the JDK metapackage you installed, for example sudo apt purge -y default-jdk or sudo apt purge -y openjdk-21-jdk. If you only installed a JRE headless package, purge that instead. Run sudo apt autoremove -y afterward. keytool disappears when no Java package provides it.