The manage-certificates tool takes one of the following subcommands, which selects the function to invoke:

  • list-certificates – Lists the certificates in a keystore.
  • import-certificate – Imports a certificate into a trusted certificate entry, or imports a certificate chain and private key into a private key entry.
  • export-certificate – Exports a certificate from a keystore.
  • export-private-key – Exports a private key from a keystore.
  • generate-self-signed-certificate – Generates a self-signed certificate.
  • generate-certificate-signing-request – Generates a certificate-signing request that can be provided to a certification authority.
  • sign-certificate-signing-request – Signs a certificate-signing request with a specified issuer certificate.
  • check-certificate-usability – Checks a specified certificate in a keystore to verify whether it is suitable for use as a listener certificate.
  • trust-server-certificate – Initiates the TLS-negotiation process with a specified server to obtain its certificate chain, so that a truststore can be updated with the necessary information to trust the chain.
  • display-certificate-file – Displays the contents of a file that contains one or more PEM-encoded or DER-encoded X.509 certificates.
  • display-certificate-signing-request-file – Displays the contents of a file that contains a PEM-encoded or DER-encoded PKCS #10 certificate-signing request (CSR).
  • change-certificate-alias – Changes the alias for an entry in a keystore.
  • change-keystore-password – Changes the password for a keystore.
  • change-private-key-password – Changes the password that protects the private key for a specified entry in a keystore.