Most of the manage-certificates subcommands require access to a JKS or PKCS #12 keystore. In such instances, use the --keystore argument to specify the path to the keystore.

If the keystore already exists, the tool detects automatically whether it is a JKS or PKCS #12 keystore. If the operation creates a new keystore, you can specify the type explicitly by using the --keystore-type argument, followed by a value of JKS or PKCS12. If you do not specify the keystore type, a default value of JKS is used.

Some situations require you to provide the password that is needed to access the keystore. For a JKS keystore, you might need to provide a keystore password only for operations that involve creating a keystore or accessing a private key. However, you will likely need to provide the password for all operations that involve a PKCS #12 keystore.

To provide a keystore password, use one of the following arguments:

  • --keystore-password, followed by the clear-text password for the keystore.
  • --keystore-password-file, followed by the path to a file that contains the password for the keystore. The file might contain the password in the clear, or it might be encrypted with a definition from the server's encryption-settings database.
  • --prompt-for-keystore-password. If this argument is provided, the tool prompts you interactively to provide the password.

If a private key is protected with a different password than the keystore itself, specify one of the following arguments to provide the private key password:

  • --private-key-password, followed by the clear-text password for the private key.
  • --private-key-password-file, followed by the path to a file that contains the clear-text or encrypted password.
  • --prompt-for-private-key-password, which causes the tool to prompt interactively for the password.

Several operations require you to specify the keystore entry to target. In such scenarios, provide the --alias argument, followed by the name of the alias for that entry.
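
The following added example is not part of the manage-certificates distribution. It shows one way to prefer --keystore-password-file over --keystore-password, because a password given as a command-line argument can end up in shell history and process listings. The helper names check_password_file and keystore_args are hypothetical, and the paths, alias, and password are constructed sample values.

```shell
#!/bin/sh
# Added example: validate a password file before handing it to
# --keystore-password-file. Helper names are hypothetical.

# Succeeds only if $1 is a readable, non-empty regular file with no
# group or other permission bits set.
check_password_file() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] && [ -s "$f" ] || {
        echo "password file missing, unreadable or empty: $f" >&2
        return 1
    }
    # Mode string looks like -rw-------; characters 5-10 are group/other.
    mode=$(ls -ldL -- "$f" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "password file is accessible to group/other: $f" >&2
        return 1
    }
}

# Prints the keystore arguments described above, one per line, using the
# file-based option so the password itself is never a command-line argument.
# $1 = keystore path, $2 = password file, $3 = optional alias.
keystore_args() {
    ks=$1; pwfile=$2; alias_name=$3
    check_password_file "$pwfile" || return 1
    printf '%s\n' --keystore "$ks" --keystore-password-file "$pwfile"
    [ -z "$alias_name" ] || printf '%s\n' --alias "$alias_name"
}

# Demo with constructed values in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    # umask 077 makes the file readable and writable by its owner only.
    ( umask 077; printf '%s\n' 'constructed-demo-password' > "$dir/ks.pin" )
    rc=0
    keystore_args "$dir/server.p12" "$dir/ks.pin" server-cert || rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

The printed arguments are appended after the chosen manage-certificates subcommand. A password file that is readable by group or other is rejected before the tool is ever invoked.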