The keytool module is a command-line interface for managing PKCS12 keystores used by Tessellation nodes and wallets. Each node identity is backed by an ECDSA key pair stored in a .p12 file (PKCS12 format, via BouncyCastle).
Keep your .p12 keystore file and its password secure. The private key it contains controls your node identity and wallet funds. Never commit keystores to version control or share them over unencrypted channels.
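
One way to check the handling rules above, as an added example that is not part of the keytool project: the hypothetical check_keystores function reports .p12 files that group or other users can access, and .p12 files that git is tracking. It assumes keystores use the .p12 extension, as they do on this page.

```shell
#!/bin/sh
# Added example (not project code): audit a directory tree for keystore
# handling problems. Prints one finding per line; returns 1 if any exist.
# Usage: check_keystores /path/to/keys
check_keystores() {
  dir="${1:-.}"
  status=0

  # 1. Keystores with any group/other permission bit set.
  #    (-perm -NNN matches when all listed bits are set, so test each bit.)
  loose=$(find "$dir" -type f -name '*.p12' \
            \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \))
  if [ -n "$loose" ]; then
    # Remediation: chmod 600 on each reported file.
    printf '%s\n' "$loose" | sed 's/^/LOOSE_PERMS /'
    status=1
  fi

  # 2. Keystores tracked by git. Skipped when git is missing or the
  #    directory is not inside a work tree.
  if command -v git >/dev/null 2>&1 &&
     git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    tracked=$(git -C "$dir" ls-files -- '*.p12')
    if [ -n "$tracked" ]; then
      # Remediation: untrack the file, ignore *.p12, and replace the key,
      # because the old one remains in repository history.
      printf '%s\n' "$tracked" | sed 's/^/TRACKED_BY_GIT /'
      status=1
    fi
  fi

  return "$status"
}
```

The non-zero return makes the function usable as a pre-commit hook or CI gate.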

Running keytool

Build and run the keytool JAR:
sbt keytool/assembly
java -jar modules/keytool/target/scala-2.13/keytool-assembly-*.jar <command> [flags]
Alternatively, use the Docker image (the wallet JAR is available inside the container at /tessellation/jars/wallet.jar).

Commands

generate

Generate a new ECDSA key pair and write it to a PKCS12 keystore file.
java -jar keytool.jar generate \
  --keystore ./key.p12 \
  --alias alias \
  --password yourpassword
Flag            Description
--keystore      Path where the .p12 file will be written
--alias         Key alias within the keystore
--password      Password for both the keystore and the key entry
--env-prefix    (Optional) Read flag values from environment variables with this prefix
The generated certificate uses a 1000-year validity period (self-signed, for node identity purposes). The distinguished name is set to CN=constellationnetwork.io, O=Constellation Labs.
You can also generate multiple keystores in one command for bulk testing:
java -jar keytool.jar generate-multiple \
  --keystore ./key \
  --alias alias \
  --password yourpassword \
  --count 5
This writes ./key_1.p12, ./key_2.p12, … ./key_5.p12 with aliases alias_1, alias_2, etc.

migrate

Migrate a legacy keystore that has separate store and key passwords to a single unified password (store password used for both).
java -jar keytool.jar migrate \
  --keystore ./legacy-key.p12 \
  --alias alias \
  --storepass storePwd \
  --keypass keyPwd
Flag            Description
--keystore      Path to the existing .p12 file to migrate
--alias         Key alias within the keystore
--storepass     Current store password
--keypass       Current key entry password
The migrated keystore is written back to the same path with storepass used for both store and key entry.

export

Export the private key from a keystore as a hexadecimal string. This is useful for importing into other tools or for backup.
java -jar keytool.jar export \
  --keystore ./key.p12 \
  --alias alias \
  --storepass yourpassword \
  --keypass yourpassword
If the store and key passwords are the same, you can use the --password shorthand:
java -jar keytool.jar export \
  --keystore ./key.p12 \
  --alias alias \
  --password yourpassword
Flag            Description
--keystore      Path to the .p12 file
--alias         Key alias to export
--storepass     Store password
--keypass       Key entry password
--password      Shorthand when store and key passwords are the same
The private key hex is printed to stdout.
The exported hex is your raw private key. Treat it with the same care as your keystore file.

Relationship to the wallet module

The wallet CLI uses the same keystore format and the same --keystore, --alias, --storepass, and --keypass flags for all operations. A keystore generated by keytool can be used directly with the wallet CLI to sign transactions and query addresses. See Wallet for details.
