Importing a Certificate The keytool

new storetype when you do so:

    piccolo% keytool -keypasswd -alias sdo -storetype jceks

If you began with a JKS keystore, you'll end up with a JCEKS keystore after this command. Note that you can use this trick with other commands, e.g., the storepasswd command; anything that writes out a new keystore will change its format. However, the advantage of the JCEKS keystore is that the password associated with key entries is strongly encrypted, and the key entry password will not be re-encrypted by other commands. Hence, to convert effectively between JKS and JCEKS, you must use the keypasswd command for each key alias in your keystore.

10.2.7 Deleting Keystore Entries

There is a single command to delete either a key entry or a certificate entry:

-delete
    Delete the entry of the specified alias. If a certificate entry for a certificate authority is deleted, there is no effect upon key entries that have been validated by the authority. This command supports the following global options:

    -alias alias
    -keystore keystore
    -storepass storepass
    -storetype storetype
    -v

10.2.8 Examining Keystore Data

If you want to examine one or more entries in the keystore, you may use the following commands:

-list
    List to System.out one or more entries in the keystore. If an alias option is given to this command, only that alias will be listed; otherwise, all entries in the keystore are listed. You do not need to know the password for the keystore to use this command. This command supports the following global options:

    -alias alias
    -keystore keystore
    -storepass storepass
    -storetype storetype
    -v

    It also supports this option:

    -rfc
        When displaying certificates, display them in the RFC 1421 standard format. This option is incompatible with the -v option.

-export
    Export the certificate for the given alias to a given file. The certificate is exported in RFC 1421 format. If the target alias is a certificate entry, that certificate is exported. Otherwise, the first certificate in the target key entry's certificate chain will be exported. If you need to send your certificate to another entity, you send it the file created by this command. This command supports the following global options:

    -alias alias
    -keystore keystore
    -storepass storepass
    -storetype storetype
    -v

    It also supports this option:

    -file outputFile
        The file in which to store the certificate. The default is to write the certificate to System.out.

-printcert
    Print out a certificate. The input to this command must be a certificate in RFC 1421 format; this command will display that certificate in readable form so that you may verify its fingerprint. Unlike all other commands, this command does not use the keystore itself, and it requires no keystore passwords to operate. It supports the following global option:

    -v

    It also supports this option:

    -file certificateFile
        The file containing the RFC 1421 format certificate. The default is to read the certificate from System.in.
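The per-alias JKS-to-JCEKS conversion described earlier can be driven from the -list command in this section. The script below is an added example, not from the original text; `key_aliases` and `convert_to_jceks` are hypothetical helper names. It assumes the one-line-per-entry -list layout shown in the constructed sample (which mixes the older keyEntry and newer PrivateKeyEntry type names) and aliases that contain no comma followed by a space.

```shell
#!/bin/sh
# Added example, not from the original text.

# Constructed sample of `keytool -list` output. Aliases, dates and
# fingerprints are made up; the one-line-per-entry layout is an assumption.
sample_list_output() {
    cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

sdo, Jan 18, 2001, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
verisign ca, Jan 18, 2001, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
webserver, Mar 3, 2020, PrivateKeyEntry,
Certificate fingerprint (MD5): 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0
EOF
}

# Read `keytool -list` output on stdin and print the alias of each key entry.
# Certificate entries are skipped: they carry no key password to re-encrypt.
key_aliases() {
    awk '/, (keyEntry|PrivateKeyEntry),[ \t]*$/ {
        print substr($0, 1, index($0, ", ") - 1)
    }'
}

# Run -keypasswd once per key alias so every key entry is rewritten as JCEKS.
# -storetype jceks is also used for -list, relying on the behaviour the page's
# own command shows: a JKS file can be opened with the jceks store type.
convert_to_jceks() {
    ks=$1
    aliases=$(keytool -list -keystore "$ks" -storetype jceks | key_aliases)
    [ -n "$aliases" ] || { echo "no key entries found in $ks" >&2; return 1; }
    printf '%s\n' "$aliases" | while IFS= read -r alias; do
        # keytool prompts for the old and new key passwords; the loop's stdin
        # is the alias list, so the prompts must read from the terminal.
        keytool -keypasswd -alias "$alias" -keystore "$ks" \
            -storetype jceks </dev/tty || exit 1
    done
}
```

Run `convert_to_jceks` from an interactive shell against a copy of the keystore, then confirm the result with -list before replacing the original file.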

10.2.9 Miscellaneous Commands

There are two remaining commands to keytool. The first allows you to change the global password of the keystore:

-storepasswd
    Change the global password of the keystore. This command supports the following global options:

    -keystore keystore
    -storepass storepass
    -storetype storetype
    -v

    It also supports this option:

    -new newPassword