What is the purpose/role of the "alias" attribute in Java keystore files?

ALIAS

To answer your immediate question, the alias field should be a unique string to identify the key entry. This applies to all entry types, such as trusted and intermediate certificates.

Documentation

Keytool

KeyStore Aliases

All keystore entries (key and trusted certificate entries) are accessed via unique aliases.

An alias is specified when you add an entity to the keystore using the -genseckey command to generate a secret key, the -genkeypair command to generate a key pair (public and private key), or the -importcert command to add a certificate or certificate chain to the list of trusted certificates. Subsequent keytool commands must use this same alias to refer to the entity.

For example, suppose you use the alias duke to generate a new public/private key pair and wrap the public key into a self-signed certificate (see Certificate Chains) via the following command:

keytool -genkeypair -alias duke -keypass dukekeypasswd

This specifies an initial password of "dukekeypasswd" required by subsequent commands to access the private key associated with the alias duke. If you later want to change duke's private key password, you use a command like the following:

`keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass` 

This changes the password from "dukekeypasswd" to "newpass".

Please note: A password should not actually be specified on a command line or in a script unless it is for testing purposes, or you are on a secure system. If you don't specify a required password option on a command line, you will be prompted for it.

Standards and Practices

I don't think there is any set naming standard and I'm sure you can talk to 10 different people and get 10 different answers. You just want it unique and logical.

The API and Oracle's Keytool don't do a great job of checking for duplicates, which is a particular oversight in my opinion, considering the alias is used to identify each entry in a key store.

The best way to resolve duplicates is to generate a new keystore, and add each entry from the old keystore to the new one with unique aliases. You can iterate over the keystore and use each entry's timestamp to identify different certs in a store.
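The rebuild procedure described in this answer, as an added Java example that is not part of the original answer, of keytool, or of the JDK: it copies every entry from one or more source keystores into a fresh PKCS12 store and, when two entries would land on the same alias, renames the second one using its creation timestamp (and a counter for same-second collisions) so nothing is silently overwritten. JKS and PKCS12 compare aliases case-insensitively, so a single store never holds both "web" and "Web", but the two collide the moment you merge stores. The password "changeit", the sample aliases and the AES secret-key entries are constructed for the demo; in practice you would load the source stores from disk and handle private-key and trusted-certificate entries the same way (the code already distinguishes the two when it asks for entry protection).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.KeyStore.PasswordProtection;
import java.security.KeyStore.ProtectionParameter;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not part of the original answer or of keytool): rebuild keystores
 * into one fresh PKCS12 store, giving every entry a unique alias and using the
 * entry creation timestamp to tell colliding entries apart.
 */
public class KeystoreMerge {

    // Hypothetical password used for every store and key entry in this demo.
    static final char[] PASSWORD = "changeit".toCharArray();
    static final DateTimeFormatter STAMP =
            DateTimeFormatter.ofPattern("yyyyMMdd-HHmmss").withZone(ZoneOffset.UTC);

    /** Constructed sample data: an in-memory PKCS12 store holding one AES secret-key entry per alias. */
    static KeyStore sampleStore(String... aliases) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // start with an empty store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        for (String alias : aliases) {
            SecretKey key = kg.generateKey();
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new PasswordProtection(PASSWORD));
        }
        return ks;
    }

    /**
     * Copy every entry of every source store into a new store. JKS and PKCS12 compare
     * aliases case-insensitively, so "Web" collides with "web"; a colliding alias is
     * renamed to alias-<creation timestamp>[-n] so no entry is silently overwritten.
     */
    static KeyStore merge(List<KeyStore> sources) throws Exception {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null);
        ProtectionParameter keyProt = new PasswordProtection(PASSWORD);
        for (KeyStore src : sources) {
            Enumeration<String> names = src.aliases();
            while (names.hasMoreElements()) {
                String alias = names.nextElement();
                // Trusted-certificate entries carry no password; key entries need one.
                boolean isCert = src.isCertificateEntry(alias);
                KeyStore.Entry entry = src.getEntry(alias, isCert ? null : keyProt);
                String target = alias;
                if (merged.containsAlias(target)) {
                    String stamp = STAMP.format(src.getCreationDate(alias).toInstant());
                    target = alias + "-" + stamp;
                    for (int n = 2; merged.containsAlias(target); n++) {
                        target = alias + "-" + stamp + "-" + n;   // same-second collision
                    }
                    System.out.println("alias collision: " + alias + " -> " + target);
                }
                merged.setEntry(target, entry, isCert ? null : keyProt);
            }
        }
        return merged;
    }

    /** Serialize a store to bytes and load it back, proving the rebuilt store round-trips. */
    static KeyStore roundTrip(KeyStore ks) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASSWORD);
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), PASSWORD);
        return reloaded;
    }

    public static void main(String[] args) throws Exception {
        KeyStore a = sampleStore("web", "db");
        KeyStore b = sampleStore("Web", "mail");     // "Web" collides with "web" from store a
        KeyStore merged = roundTrip(merge(Arrays.asList(a, b)));

        List<String> aliases = Collections.list(merged.aliases());
        System.out.println("entries in rebuilt store: " + aliases.size());   // one per source entry
        for (String alias : aliases) {
            String kind = merged.isKeyEntry(alias) ? "key" : "trusted-cert";
            System.out.println(alias + " (" + kind + ", created " + merged.getCreationDate(alias) + ")");
        }
    }
}
```

Run it with `javac KeystoreMerge.java && java KeystoreMerge`. The renamed alias is deterministic enough to audit later (you can read the original alias and the creation date straight off it), which is the property you want when reconciling an old store; if you prefer a different naming scheme, change only the `target = ...` lines.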


I had exactly the same question, and you phrased the issue perfectly clearly. My understanding after experimentation (it is regrettable that the documentation doesn't state this clearly) is:

  1. Aliases are not single-object identifiers; you may use the same alias for a key and a cert entry in a keystore, without one wiping out the other.

  2. Indeed, you must use the same alias for a key and its associated cert, to tie them together. Other certs in the chain should have different aliases, with reasonable names of your choice to identify them.

I am not an expert at this, so take my answer with the right grain of salt, please.