Keytool Utility

keytool is a JDK utility that manages a keystore (database) of private keys and associated certificates, as well as certificates from trusted entities.

SAP recommends that you manage the keystore using Management Cockpit, instead of the keytool utility—see Managing Certificates.

SAP Mobile Platform includes two keystore files, with the same initial password:
  • local_smp_keystore.jks – created and maintained by the product installer; on each cluster node, stores certificates for the local server, from which you access Management Cockpit. These certificates are used for HTTPS connections.

  • smp_keystore.jks – maintained by system administrators; stores trusted certificates and PKCS #12 certificates for technical user back-end connections, and the truststore. This keystore syncs to all servers in a cluster, so you need not import these certificates into each node.

Both keystore files are located in the <SMP_HOME>\Server\configuration directory. Protect these files.

keytool is in <SMP_HOME>\sapjvm_8\bin. keytool lets users create and manage their own public and private key pairs and associated certificates for use in self-authentication, or in data integrity and authentication services that use digital signatures. It also lets users cache the public keys (in the form of certificates) of their communicating peers.

Syntax

keytool -keystore | -list | -printcert | -import | -export | -delete | -selfcert | -certreq | -genkey [<options>]

Parameters

  • -keystore identifies the keystore file, either local_smp_keystore.jks or smp_keystore.jks.
  • -list displays the contents of a keystore or keystore entry.
  • -printcert displays the contents of a certificate stored in a file. Check this information before importing a certificate as a trusted certificate. Make sure the certificate prints as expected.
  • -import imports:
    • a certificate or certificate chain to the list of trusted certificates, or,
    • a certificate reply received from a certificate authority (CA) as the result of submitting a certificate signing request (CSR).
    The value of the -alias option indicates the type of import you are performing. If the alias already exists in the keystore, keytool assumes you want to import a certificate reply: it checks whether the public key in the certificate reply matches the public key stored with the alias, and exits if they do not match. If the alias identifies a trusted-certificate entry rather than a key entry, the certificate is not imported. If the alias does not exist, it is created and associated with the imported certificate.
  • -export exports a certificate to a file.
  • -delete deletes a certificate from the list of trusted certificates.
  • -selfcert generates a self-signed certificate. The generated certificate is stored as a single-element certificate chain in the keystore entry identified by the specified alias, where it replaces the existing certificate chain.
  • -certreq generates a certificate signing request (CSR), using the PKCS #10 format. A CSR is intended to be sent to a CA, which authenticates the certificate requestor and returns a certificate or certificate chain that replaces the existing certificate chain in the keystore.
  • -genkey generates a key pair (a public key and associated private key). It wraps the public key into an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by <alias>.

    Options
    • -keystore <keystoreLocation> – Name and location of the persistent keystore file for the keystore managed by keytool. If you specify a keystore that does not exist, a keystore is created. If you do not specify a -keystore option, the default keystore is a file named .keystore in your home directory. If that file does not exist, it is created.
    • -storepass <password> – The password that protects keystore integrity. The password must be at least 6 characters long and must be provided to all commands that access the keystore contents. If the -storepass option is not provided on the command line, the user is prompted for it.
    • -file <certificateFile> – The certificate file location.
    • -noprompt – During import, do not interact with the user.
    • -trustcacerts – When importing a certificate reply, validate it using the trusted certificates from the keystore and the certificates configured in the cacerts keystore file. cacerts resides in the JDK security properties directory, java.home\lib\security, where java.home is the runtime environment's directory. The cacerts file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying "jks" as the keystore type.
    • -alias <alias> – The logical name for the certificate you are using.
    • -keypass <password> – The password that protects the private key of the key pair. Press Enter at the prompt to set the key password to the password associated with the keystore. The key password must be at least 6 characters long.

Examples

  • Example 1: Display the contents of the keystore
    keytool -list -keystore <filePath>\configuration\smp_keystore.jks -storepass <storepass>
  • Example 2: Import a certificate reply from a CA
    keytool -import -file <certificate file> -keystore <filePath>\configuration\smp_keystore.jks -keypass <storepass> -storepass <storepass> -noprompt -trustcacerts -alias <alias>
  • Example 3: Delete a certificate
    keytool -delete -alias <alias> -keystore <filePath>\configuration\smp_keystore.jks -storepass <storepass>
  • Example 4: Generate a key pair
    keytool -genkey -alias <alias> -keystore <filePath>\configuration\smp_keystore.jks

    The certificate generated for the key pair must then be signed by a CA (submit the CSR created with -certreq) or self-signed by using the -selfcert keytool option.

  • Example 5: Generate a key pair using the -sigalg SHA256withRSA parameter

    Java has had support for SHA-2 certificates since JDK 1.4.2, and SAP recommends that you use SHA-2, instead of SHA-1.

    keytool -genkeypair -keystore local_smp_keystore.jks -keysize 2048 -sigalg SHA256withRSA -alias smp2 -validity 4000 -keypass changeit -storepass changeit -keyalg RSA
  • Example 6: Use -import to import a trusted CA certificate
    keytool -import -file <certificate file> -keystore <filePath>\configuration\smp_keystore.jks -storepass <storepass> -noprompt -trustcacerts -alias <alias>

    This is identical to Example 2, except that because CA certificates have no private key, the alias needs no key password, so you can omit the -keypass <storepass> argument.
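As an added example (not part of the SAP documentation), a small Python audit over the verbose output of the -list command from Example 1 (keytool -list -v): it parses each alias, flags SHA-1 signature algorithms (SAP recommends SHA-2, as in Example 5), RSA keys below the 2048 bits used in Example 5, and certificates close to expiry. The listing it reads is a constructed sample; the alias and subject names in it are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v` output for smp_keystore.jks (not from a real system).
SAMPLE_LISTING = """\
Alias name: smp2
Owner: CN=smp.example.test, O=Example, C=DE
Valid from: Sun Jan 05 10:00:00 UTC 2020 until: Sat Dec 11 10:00:00 UTC 2030
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: legacy-backend-ca
Owner: CN=Legacy Backend CA, O=Example, C=DE
Valid from: Mon Mar 02 09:00:00 UTC 2015 until: Sat Mar 01 09:00:00 UTC 2025
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""
_UNTIL = re.compile(r"until: \w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

def parse_entries(listing):
    """Return one dict of 'Field name' -> value per alias in -list -v output."""
    entries = []
    for chunk in listing.split("Alias name:")[1:]:
        lines = chunk.splitlines()
        fields = {"Alias name": lines[0].strip()}
        for key, _, value in (ln.partition(":") for ln in lines[1:] if ":" in ln):
            fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def expiry(fields):
    """Parse the 'until:' timestamp; the weekday and time-zone tokens are skipped."""
    m = _UNTIL.search(fields.get("Valid from", ""))
    return datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y") if m else None

def audit(listing, now_iso, warn_days=90):
    """(alias, finding) pairs: SHA-1/MD5 signatures, RSA < 2048 bits, expiry within warn_days."""
    now, findings = datetime.fromisoformat(now_iso), []
    for e in parse_entries(listing):
        alias, sig = e["Alias name"], e.get("Signature algorithm name", "")
        if re.match(r"(SHA1|MD5|MD2)", sig, re.I):
            findings.append((alias, f"weak signature algorithm {sig}"))
        bits = re.match(r"(\d+)-bit RSA", e.get("Subject Public Key Algorithm", ""))
        if bits and int(bits.group(1)) < 2048:
            findings.append((alias, f"RSA key only {bits.group(1)} bits"))
        exp = expiry(e)
        if exp and (exp - now).days < warn_days:
            findings.append((alias, f"expires {exp:%Y-%m-%d}"))
    return findings
```

Run it against a saved `keytool -list -v -keystore <filePath>\configuration\smp_keystore.jks -storepass <storepass>` capture to get the same findings for a real keystore.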