If the key store already exists, then the tool automatically detects whether it is a JKS or PKCS #12 key store. If the operation creates a new key store, then you can explicitly specify the type using the --keystore-type argument followed by a value of either “JKS” or “PKCS12”. If you do not specify the key store type, a default value of “JKS” is used.

In some cases, you might also be required to provide the password needed to access the key store. For a JKS key store, you might only need to provide a key store password for operations that involve creating a key store or accessing a private key, but you might need to provide the password for all operations involving a PKCS #12 key store. If you need to provide a key store password, there are three ways that you can do so:

  • Using the --keystore-password argument followed by the clear-text password for the key store.
  • Using the --keystore-password-file argument followed by the path to a file containing the password for the key store. The file can contain the password in the clear, or it can be encrypted with a definition from the server’s encryption settings database.
  • Using the --prompt-for-keystore-password argument. If this argument is provided, the tool interactively prompts for the password.

Private keys can also be protected with a different password than the key store itself. If that is the case, then the private key password can be given in one of the following ways:

  • Using the --private-key-password argument followed by the clear-text password.
  • Using the --private-key-password-file argument followed by the path to a file containing the clear-text or encrypted password.
  • Using the --prompt-for-private-key-password argument, which causes the tool to interactively prompt for the password.

Several operations require you to specify which key store entry you want to target. In such cases, you can provide the --alias argument followed by the name of the alias for that entry.