Java “keytool import”: How to import a certificate into a keystore file

Java “keytool import” FAQ: Can you share some examples of the Java keytool import command and process?

When you're working with Java public and private keys, there may be a time when someone else says, "Here is a certificate. Import it into your public key keystore, and then you can do XYZ", where "XYZ" can be a variety of things, including reading their document, using their Java application, etc. To do this you need to use the Java keytool import command.

In this example I'll assume that you have just received a keytool certificate file from another person, and you want to import the information in that certificate file into your public keystore file.

Java keytool import - Import a certificate into a public keystore

Assuming that you've been given a certificate file named "certfile.cer" which contains an alias named "foo", you can import it into a public keystore named "" with the following keytool import command:

$ keytool -import -alias foo -file certfile.cer -keystore

This import command can be read as:

  • Read from the certfile file named certfile.cer.
  • Look in that file for an alias named "foo".
  • If you find the alias "foo", import the information into the keystore named "".
  • Note: The file may already exist, in which case the public key for "foo" will be added to that keystore file; otherwise, will be created.

Java keytool import - a complete example

Here's the actual input and output from a Java keytool import example. Hopefully you can use the description I just provided to understand how this command works:

$ keytool -import -alias publicCertFromAl -file certfile.cer -keystore

Enter keystore password:  BARBAZ
Owner: CN=Alvin Alexander, OU=Application Development,, L=Louisville, ST=KY, C=US
Issuer: CN=Alvin Alexander, OU=Application Development,, L=Louisville, ST=KY, C=US
Serial number: 4bd4e793
Valid from: Sun Apr 25 17:08:35 AKDT 2010 until: Sat Jul 24 17:08:35 AKDT 2010
Certificate fingerprints:
       MD5:  55:20:B2:68:FD:0F:4E:BF:D5:E5:D5:04:47:6C:E3:10
       SHA1: 25:17:A0:CA:86:CC:3E:6C:2D:C0:4E:8D:E8:33:05:F7:4B:50:FE:E5
Trust this certificate? [no]:  yes
Certificate was added to keystore

A few important points here about this output:

  • The alias used here (publicCertFromAl) does not have to correspond to the alias used when the private key keystore and certificate file were created.
  • The password shown above is the password for the keystore named

At this point, assuming everything worked, you probably don't need the intermediate certificate file, so you can delete it. To be sure though, you should test that the public key is now in your keystore file. You can do this by attempting to use the public key for whatever your purpose is, and you can also list the contents of the public key keystore file, using the commands shown in my "keytool list" tutorial.

If you'd like to see the entire process of creating a private key, exporting it in a certificate file, importing it into a public keystore, and listing the keystore contents, I have all of that in one place in a long-but-complete Java keytool, keystore, genkey, export, import, certificate, and list tutorial as well.