
How can I find and run the keytool

Introduction

keytool is a command-line utility bundled with the Java Development Kit (JDK) for managing cryptographic keys and certificates. It is located in the bin/ directory of your JDK installation. If keytool is not found when you type it in a terminal, either the JDK is not installed, or the bin/ directory is not on your system PATH. Finding and running keytool requires knowing where the JDK is installed on your operating system.

Finding keytool on Your System

Windows

cmd
:: Check if keytool is already on PATH
where keytool

:: Common JDK installation paths
dir "C:\Program Files\Java\"
dir "C:\Program Files\Eclipse Adoptium\"

:: keytool is in the bin directory
:: Example: C:\Program Files\Java\jdk-21\bin\keytool.exe

:: Run keytool with full path
"C:\Program Files\Java\jdk-21\bin\keytool.exe" -list -keystore mykeystore.jks

:: Find using JAVA_HOME
echo %JAVA_HOME%
"%JAVA_HOME%\bin\keytool.exe" -list -keystore mykeystore.jks

macOS

bash
# Check if keytool is on PATH
which keytool

# JDKs on macOS are installed in specific locations
# Homebrew JDK (Apple silicon prefix)
ls /opt/homebrew/opt/openjdk/bin/keytool

# Apple's java_home utility prints the default JDK home (if a JDK is installed)
/usr/libexec/java_home
# Output: /Library/Java/JavaVirtualMachines/jdk-21.jdk/Contents/Home

# Run keytool using java_home
"$(/usr/libexec/java_home)/bin/keytool" -list -keystore mykeystore.jks

# Or use JAVA_HOME
echo "$JAVA_HOME"
"$JAVA_HOME/bin/keytool" -list -keystore mykeystore.jks

Linux

bash
# Check if keytool is on PATH
which keytool

# Common JDK locations
ls /usr/lib/jvm/
ls /usr/java/
ls /opt/java/

# Find keytool anywhere on the system
find / -name keytool -type f 2>/dev/null

# Typical path
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool

# Use alternatives system (Debian/Ubuntu)
update-alternatives --list java
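
The macOS and Linux lookups above can be combined into one script that lists every keytool a shell could end up running, together with the JDK version each one belongs to, which makes an unintended older copy easy to spot. This is an added example, not part of the original page; `JVM_ROOTS` and the function names are hypothetical, and the version is read from the JDK's `release` file rather than by executing each binary.

```sh
#!/bin/sh
# Added example (not from the original page). JVM_ROOTS is a hypothetical
# override: a space-separated list of directories to scan instead of the defaults.

# Follow symlinks such as /usr/bin/keytool -> /etc/alternatives/keytool -> JDK.
resolve() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# Print every distinct keytool binary, one real path per line.
list_keytools() {
    roots=${JVM_ROOTS:-"/usr/lib/jvm /usr/java /opt/java /opt/homebrew/opt /Library/Java/JavaVirtualMachines"}
    {
        command -v keytool 2>/dev/null || true          # first hit on PATH
        if [ -n "${JAVA_HOME:-}" ]; then
            printf '%s\n' "$JAVA_HOME/bin/keytool"      # what JAVA_HOME selects
        fi
        for root in $roots; do                          # installed JDKs
            if [ -d "$root" ]; then
                find -L "$root" -maxdepth 5 -type f -name keytool 2>/dev/null || true
            fi
        done
    } | while IFS= read -r candidate; do
        if [ -x "$candidate" ]; then resolve "$candidate"; fi
    done | sort -u
}

# Read the version from the JDK's "release" file instead of executing the binary.
jdk_version() {
    home=$(dirname "$(dirname "$1")")
    if [ -r "$home/release" ]; then
        sed -n 's/^JAVA_VERSION="\(.*\)"$/\1/p' "$home/release"
    else
        echo unknown
    fi
}

# One "version<TAB>path" line per keytool found.
report() {
    list_keytools | while IFS= read -r k; do
        printf '%s\t%s\n' "$(jdk_version "$k")" "$k"
    done
}

if [ "${1:-}" = "report" ]; then report; fi
```

Run it with the argument `report`; more than one line of output means several JDKs are installed, and the entry that `which keytool` resolves to may not be the one `JAVA_HOME` selects.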

Adding keytool to PATH

If keytool is not found, add the JDK bin/ directory to your PATH:

Windows

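cmd
:: Temporary (current session only)
set "PATH=%PATH%;C:\Program Files\Java\jdk-21\bin"

:: Permanent — set via System Properties > Environment Variables
:: Or run the following from PowerShell (admin), not from cmd.
:: Read the machine-level Path so user-level entries are not copied into it.
[Environment]::SetEnvironmentVariable("Path",
    [Environment]::GetEnvironmentVariable("Path", "Machine") + ";C:\Program Files\Java\jdk-21\bin", "Machine")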

macOS / Linux

bash
# Add to ~/.bashrc, ~/.zshrc, or ~/.bash_profile
export JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
export PATH="$JAVA_HOME/bin:$PATH"

# Reload the profile
source ~/.bashrc

Common keytool Commands

Generate a Key Pair

bash
keytool -genkeypair \
    -alias mykey \
    -keyalg RSA \
    -keysize 2048 \
    -validity 365 \
    -keystore mykeystore.jks \
    -storepass changeit

This creates a new RSA key pair and self-signed certificate stored in mykeystore.jks.

List Keystore Contents

bash
# Brief listing
keytool -list -keystore mykeystore.jks -storepass changeit

# Verbose listing (shows certificate details)
keytool -list -v -keystore mykeystore.jks -storepass changeit

Export a Certificate

bash
keytool -exportcert \
    -alias mykey \
    -keystore mykeystore.jks \
    -file mycert.crt \
    -storepass changeit

Import a Certificate

bash
keytool -importcert \
    -alias trustedcert \
    -file external_cert.crt \
    -keystore mykeystore.jks \
    -storepass changeit

Import into Java's Trusted Certificates (cacerts)

bash
# Find cacerts
find "$JAVA_HOME" -name cacerts

# Import a CA certificate (requires admin/sudo)
sudo keytool -importcert \
    -alias myca \
    -file ca-cert.pem \
    -keystore "$JAVA_HOME/lib/security/cacerts" \
    -storepass changeit

The default password for Java's cacerts keystore is changeit.
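
A certificate imported into cacerts becomes a trust anchor for every Java program that uses that JDK, so its fingerprint should be compared with a value obtained through a separate channel before the import. The following is an added example, not part of the original page: the function names are hypothetical, and the expected SHA-256 fingerprint is supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# Usage: script.sh <cert-file> <alias> <expected-sha256> <keystore>

# Strip separators and upper-case, so "ab:cd" and "ABCD" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# stdin: output of `keytool -printcert`; $1: fingerprint obtained out of band.
# Returns 0 on match, 1 on mismatch, 2 if the input is unusable.
verify_printcert() {
    found=$(sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p')
    count=$(printf '%s\n' "$found" | grep -c . || true)
    # A bundle with several certificates is rejected: one file, one trust anchor.
    if [ "$count" -ne 1 ]; then return 2; fi
    want=$(normalize_fp "$1")
    if [ "${#want}" -ne 64 ]; then return 2; fi   # SHA-256 is 32 bytes
    [ "$(normalize_fp "$found")" = "$want" ]
}

# Import only when the certificate in the file is the one that was expected.
import_verified() {
    if keytool -printcert -file "$1" | verify_printcert "$3"; then
        # No -storepass: keytool prompts for the keystore password.
        keytool -importcert -noprompt -alias "$2" -file "$1" -keystore "$4"
    else
        echo "fingerprint check failed for $1: nothing imported" >&2
        return 1
    fi
}

if [ "$#" -eq 4 ]; then import_verified "$@"; fi
```

Because `-storepass` is omitted, keytool prompts for the keystore password, which keeps it out of shell history and the process list.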

Delete an Entry

bash
keytool -delete \
    -alias oldkey \
    -keystore mykeystore.jks \
    -storepass changeit

Generate a CSR (Certificate Signing Request)

bash
keytool -certreq \
    -alias mykey \
    -keystore mykeystore.jks \
    -file myrequest.csr \
    -storepass changeit

Android Development

For Android development, keytool is used to view the debug keystore's SHA-1 fingerprint, required for Google APIs:

bash
# View debug keystore fingerprint
keytool -list -v \
    -keystore ~/.android/debug.keystore \
    -alias androiddebugkey \
    -storepass android \
    -keypass android

The debug keystore is automatically created by Android Studio at ~/.android/debug.keystore with the password android.

Common Pitfalls

  • "keytool is not recognized" / "command not found": The JDK bin/ directory is not on your PATH. Either add it to PATH or use the full path to keytool (e.g., /usr/lib/jvm/java-21/bin/keytool).
  • JRE installed instead of JDK: The JRE (Java Runtime Environment) may not include keytool in some distributions. Install the full JDK to guarantee keytool is available.
  • Wrong keytool version: If multiple JDK versions are installed, which keytool may point to an older version. Use keytool -version or the full path to ensure you are running the intended version.
  • Forgetting the keystore password: There is no built-in way to recover a lost keystore password. The default password for Java's cacerts is changeit, but custom keystores use whatever password was set at creation.
  • Permission denied on cacerts: Modifying the system cacerts file requires administrator or sudo privileges. On Windows, run the command prompt as Administrator. On Linux/macOS, prefix with sudo.

Summary

  • keytool is in the bin/ directory of your JDK installation (not the JRE)
  • Find it with which keytool (macOS/Linux), where keytool (Windows), or check $JAVA_HOME/bin/
  • Add the JDK bin/ directory to your system PATH if keytool is not found
  • Common operations include generating key pairs, listing keystore contents, and importing/exporting certificates
  • For Android development, use keytool to extract SHA-1 fingerprints from the debug keystore
