Free Online Course · Self-paced

Keytool & Java Keystore Tutorial for Beginners

Complete keytool tutorial for Java keystores and truststores - generate PKCS12 keys, import CA-signed chains, fix PKIX errors, configure Spring Boot and Tomcat HTTPS, and ship trust in Docker and Kubernetes. 21 hands-on lessons tested on Linux.

  • 21 parts
  • ~167 min total
  • Beginner to Intermediate
  • Updated Jul 2026
Reviewed by Deepak Prasad

This tutorial walks you through Java keystores and truststores with keytool — the CLI that ships with every JDK. You will learn the difference between a keystore (server identity) and a truststore (who you trust), build PKCS12 files on Linux, import CA-signed certificate chains in the right order, and fix the errors that show up in real logs: Failed to establish chain from reply, Public keys in reply and keystore don't match, and PKIX path building failed.

Every command is tested on Ubuntu with OpenJDK and uses PKCS12 as the default format. On workstations where keytool is missing, start with the lesson "Install keytool on Ubuntu". For PEM-centric PKI workflows that complement Java, see the OpenSSL & PKI tutorial.

Click Start the course to begin with keystore fundamentals, or jump to the section you need — chain import, PKIX troubleshooting, and Spring Boot/Tomcat HTTPS are the three most-bookmarked chapters.

What you'll learn

  • Create PKCS12 keystores and truststores with keytool on Linux
  • Generate CSRs with SAN, import CA-signed replies, and build full certificate chains
  • Diagnose and fix common keytool errors (chain reply, public key mismatch, wrong password)
  • Export certificates in PEM/DER, import PKCS12/PFX and PEM private keys
  • Configure Spring Boot and Tomcat HTTPS with the same keystore files
  • Use custom truststores instead of editing cacerts, including Docker and Kubernetes

Prerequisites

  • OpenJDK 11+ (OpenJDK 21 or 25 tested) with keytool on PATH
  • Comfortable on the Linux command line
  • Basic TLS concepts (certificate, private key, CA chain) — see the OpenSSL PKI primer if needed

Syllabus

7 chapters · 21 lessons · ~167 min of reading

  1. Fundamentals and Setup (4 lessons)
    1. Part 1: Install keytool on Ubuntu (9 min read)
    2. Part 2: Keystore vs truststore in Java (12 min read)
    3. Part 3: keytool vs OpenSSL — which tool to use (9 min read)
    4. Part 4: Fix PKIX path building failed (10 min read)
  2. Create Keys and Certificates (2 lessons)
    1. Part 5: Self-signed certificate with localhost and IP SAN (7 min read)
    2. Part 6: Create a CSR and import a CA-signed certificate (8 min read)
  3. Import Chains and Fix Reply Errors (3 lessons)
    1. Part 7: Import root, intermediate, and server chain (7 min read)
    2. Part 8: Fix failed to establish chain from reply (7 min read)
    3. Part 9: Fix public keys in reply and keystore don't match (5 min read)
  4. Inspect, Export, and Convert (6 lessons)
    1. Part 10: List and inspect keystore entries (6 min read)
    2. Part 11: Export certificate in PEM and DER (7 min read)
    3. Part 12: Import PEM certificate and private key (7 min read)
    4. Part 13: Import PKCS12/PFX into Java keystore (6 min read)
    5. Part 14: Convert JKS to PKCS12 (7 min read)
    6. Part 15: Change alias, password, and delete entries (7 min read)
  5. Truststores and System CAs (2 lessons)
    1. Part 16: Custom truststore vs editing cacerts (7 min read)
    2. Part 17: Import certificate into Java cacerts on Linux (7 min read)
  6. Spring Boot, Tomcat, and Containers (3 lessons)
    1. Part 18: Configure Spring Boot HTTPS with keytool (8 min read)
    2. Part 19: Configure Tomcat SSL with keytool (7 min read)
    3. Part 20: Java truststore in Docker and Kubernetes (9 min read)
  7. Reference (1 lesson)
    1. Part 21: keytool command cheat sheet (15 min read)

Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …