keytool is a JDK utility that manages a keystore (database) of private keys and associated certificates, as well as certificates from trusted entities.
SAP recommends that you manage the keystore with Management Cockpit rather than with the keytool utility; see Managing Certificates.
local_smp_keystore.jks – created and maintained by the product installer; on each cluster node, stores certificates for the local server, from which you access Management Cockpit. These certificates are used for HTTPS connections.
smp_keystore.jks – maintained by system administrators; stores trusted certificates and PKCS #12 certificates for technical user back-end connections, and the truststore. This keystore syncs to all servers in a cluster, so you need not import these certificates into each node.
Do not use keytool to import or delete certificates, or to change the password, in the smp_keystore.jks file while the server is shut down; such changes are lost when the server starts up.
keytool is in <SMP_HOME>sapjvm_7\bin. keytool lets users create and manage their own public/private key pairs and associated certificates for use in self-authentication, or in data integrity and authentication services that use digital signatures. It also lets users cache the public keys (in the form of certificates) of their communicating peers.
keytool -keystore | -list | -printcert | -import | -export | -delete | -selfcert | -certreq | -genkey [<options>]
| Option | Description |
|---|---|
| -keystore <keystoreLocation> | Name and location of the persistent keystore file for the keystore managed by keytool. If you specify a keystore that does not exist, a keystore is created. If you do not specify a -keystore option, the default keystore is a file named .keystore in your home directory. If that file does not exist, it is created. |
| -storepass <password> | The password that protects keystore integrity. The password must be at least 6 characters long and provided to all commands that access the keystore contents. If a -storepass option is not provided at the command line, the user is prompted for it. |
| -file <certificateFile> | The certificate file location. |
| -noprompt | During import, no interaction with users. |
| -trustcacerts | When importing a certificate reply, it is validated using trusted certificates from the keystore and the certificates configured in the cacerts keystore file. cacerts resides in the JDK security properties directory, java.home\lib\security, where java.home is the runtime environment's directory. The cacerts file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying "jks" as the keystore type. |
| -alias <alias> | The logical name for the certificate you are using. |
| -keypass <password> | The password that protects the private key of the key pair. Press Enter at the prompt to set the key password to the password associated with the keystore. keypass must be at least 6 characters long. |
keytool -list -keystore <filePath>\configuration\smp_keystore.jks -storepass <storepass>
keytool -import -file <certificate file> -keystore <filePath>\configuration\smp_keystore.jks -keypass <storepass> -storepass <storepass> -noprompt -trustcacerts -alias <alias>
keytool -delete -alias <alias> -keystore <filePath>\configuration\smp_keystore.jks -storepass <storepass>
keytool -genkey -alias <alias> -keystore <filePath>\configuration\smp_keystore.jks
The certificate request must be signed by a CA or self-signed by using the -selfcert keytool option.
By default, the JDK 1.7 keytool signs with the SHA256withRSA algorithm; however, some certificate authorities (CAs) do not support this algorithm, in which case specify the -sigalg SHA1withRSA parameter when the CSR is generated.
keytool.exe -certreq -keyalg RSA -alias smp_crt -sigalg SHA1withRSA -file request.csr -keystore smp_keystore.jks -storepass keystorepassword
keytool -import -file <certificate file> -keystore <filePath>\configuration\smp_keystore.jks -storepass <storepass> -noprompt -trustcacerts -alias <alias>
This is identical to Example 2, except that because CA certificates have no private key, the alias needs no key password, so you can omit the -keypass <storepass> argument.
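An administrator who maintains smp_keystore.jks with the -list command shown above usually also wants to know which entries are about to expire and which were signed with the weaker SHA1withRSA algorithm that the -sigalg SHA1withRSA workaround produces (SHA-1 signatures are rejected by current browsers and public CAs). The following Python script is an added example and is not part of SAP's documentation or of the keytool utility: it parses the verbose listing printed by keytool -list -v (the same -list command as above, with -v added) and reports expired, soon-to-expire and SHA-1-signed entries. The embedded listing is constructed sample data shaped like keytool's verbose output; the aliases, subject names and dates are made up, the zone token in the dates is ignored and values are treated as UTC, and the exact layout varies between JDK versions, so the parser is line-based and skips lines it does not recognise.

```python
"""Audit a JKS keystore from the verbose listing that `keytool -list -v` prints.

Added example, not part of SAP's documentation or of keytool itself: flags
entries that are expired or expiring soon, and entries signed with SHA1withRSA.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like keytool's verbose output (JDK 7/8 style);
# aliases, subject names and dates are made up.
SAMPLE_LISTING = """\
Alias name: smp_crt
Creation date: Jan 10, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=smp.example.test, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example, C=US
Valid from: Fri Jan 10 00:00:00 UTC 2014 until: Sat Jan 10 00:00:00 UTC 2015
Signature algorithm name: SHA1withRSA

*******************************************

Alias name: backend_ca
Creation date: Mar 1, 2014
Entry type: trustedCertEntry
Owner: CN=Backend Root CA, O=Example, C=US
Issuer: CN=Backend Root CA, O=Example, C=US
Valid from: Sat Mar 01 00:00:00 UTC 2014 until: Wed Mar 01 00:00:00 UTC 2034
Signature algorithm name: SHA256withRSA
"""

# "Sat Jan 10 00:00:00 UTC 2015": weekday, month, day, time, zone token, year.
DATE_RE = re.compile(r"\w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ (\d{4})")
UNTIL_RE = re.compile(r"until:\s*(.+)$")

def parse_java_date(text):
    """Parse keytool's Date.toString() form. Assumption: the zone token is
    ignored and the value is treated as UTC (close enough for expiry checks)."""
    m = DATE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised date: %r" % text)
    mon, day, hms, year = m.groups()
    naive = datetime.strptime("%s %s %s %s" % (mon, day, hms, year),
                              "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def parse_listing(text):
    """Split the verbose listing into one dict per alias. Only the first
    Owner / Valid / Signature lines after an alias are kept, i.e. the leaf
    certificate (Certificate[1]) when the entry holds a chain."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "type": None,
                   "owner": None, "not_after": None, "sigalg": None}
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first alias
        elif line.startswith("Entry type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and cur["owner"] is None:
            cur["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:") and cur["not_after"] is None:
            m = UNTIL_RE.search(line)
            if m:
                cur["not_after"] = parse_java_date(m.group(1))
        elif line.startswith("Signature algorithm name:") and cur["sigalg"] is None:
            cur["sigalg"] = line.split(":", 1)[1].strip()
    return entries

def audit(entries, now, warn_days=30):
    """Return (alias, finding) pairs in listing order."""
    findings = []
    for e in entries:
        if e["not_after"] is not None:
            if e["not_after"] <= now:
                findings.append((e["alias"], "expired"))
            elif e["not_after"] - now <= timedelta(days=warn_days):
                findings.append((e["alias"], "expires-soon"))
        if e["sigalg"] == "SHA1withRSA":
            findings.append((e["alias"], "sha1-signature"))
    return findings

def audit_listing(text, as_of, warn_days=30):
    """Convenience wrapper; `as_of` is an ISO date such as "2014-06-01"."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return audit(parse_listing(text), now, warn_days)

def audit_keystore(keystore, storepass, as_of, keytool="keytool"):
    """Run the real utility (flags from the page, plus -v for verbose output)
    and audit its output. Passing -storepass on the command line exposes it to
    other local users; keytool prompts for it when the option is omitted."""
    proc = subprocess.run([keytool, "-list", "-v", "-keystore", keystore,
                           "-storepass", storepass],
                          check=True, capture_output=True, text=True)
    return audit_listing(proc.stdout, as_of)
```

Run audit_listing(SAMPLE_LISTING, "2014-06-01") to see the SHA-1 finding on the sample, or audit_keystore(r"<filePath>\configuration\smp_keystore.jks", storepass, "2014-06-01") against a real keystore; since the script only reads the listing, it is safe to run while the server is up, unlike the import, delete and password changes described above.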