KB Article #64943
How to use the Java Keytool to remove a certificate from the Keystore
-- How to use the Java Keytool to remove a certificate from the PSE keystore files on the filesystem
Resolution
-- Once you have removed a bad certificate from the database, please use these instructions to delete the certificate from the Keystore. The certificate must be removed from both locations.
Before you begin, make sure you know the full path where the PSE files are located.
1. In a command line, go to the bin directory of the non-Interchange JRE. Type a command using the following format, replacing keystorefile with the full path to the PSE file on your filesystem:
keytool -list -v -keystore keystorefile -storetype JCEKS
2. When prompted for a password, press Enter.
3. The keytool spits out a list of all the certificates in the keystore. Look for the following value (although your Alias name will be different):
Alias name: certc1121889286114.531@sbrines-d610
Creation date: Jul 20, 2005
Entry type: trustedCertEntry
Owner: EMAILADDRESS=us_ediintpreview@dell.com, CN=, ST=Texas, L=Round Rock, OU=EDI, O=DELL, C=US
Issuer: EMAILADDRESS=us_ediintpreview@dell.com, CN=, ST=Texas, L=Round Rock, OU=EDI, O=DELL, C=US
Serial number: 68
Valid from: Fri Jul 15 14:59:35 CDT 2005 until: Sun Jul 15 14:59:35 CDT 2007
Certificate fingerprints:
MD5: 9D:D0:76:AC:EB:B1:C0:B2:4C:F0:45:76:C1:82:D0:42
SHA1: 4E:2A:49:22:1D:27:DF:94:EF:1F:F6:E0:A6:DA:C2:88:37:15:75:71
4. This is the entry for the certificate you need to remove. The Alias name is needed to perform the next step.
5. Back at the command line, type a command using the following format. You will have to replace alias name with the alias name discovered when you listed the keystore contents earlier; replace keystorefile with the full path to the PSE file on your filesystem; replace password with the name of your keystore file, less the .keys extension:
keytool -delete -v -alias alias name -keystore keystorefile -storepass password -storetype JCEKS
6. When you press Enter, the keytool should remove the certificate from the PSE file.
7. Repeat this process for any other PSE files that contain the certificate. If you're not sure, run the "list" command, and look for the certificate.
When you restart your server, you should see that the partner has no certificate, and no default encryption certificate. When your partner sends you a replacement certificate, you should be able to trade with him again.
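Steps 1 to 7 can be scripted so that the entry is selected by its SHA1 fingerprint instead of by reading the listing by eye, which avoids deleting the wrong alias when several PSE files are involved. This is an added example, not part of the original article or the product: the function names, the .bak copy and the constructed sample entry are assumptions, and it passes the step 5 password to the list command as well instead of pressing Enter at the prompt.

```shell
# Added example, not from the original article.
# find_alias_by_sha1 FINGERPRINT: reads `keytool -list -v` output on stdin and
# prints the alias of each entry whose SHA1 fingerprint matches (any case).
find_alias_by_sha1() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                      # tolerate CRLF output
        /^Alias name: / { alias = substr($0, 13) }
        /^[ \t]*SHA1: / {
            fp = $0; sub(/^[ \t]*SHA1:[ \t]*/, "", fp); sub(/[ \t]+$/, "", fp)
            if (toupper(fp) == toupper(want)) print alias
        }'
}

# remove_cert FINGERPRINT KEYSTOREFILE...  (steps 1-7 for every PSE file)
remove_cert() {
    want=$1; shift
    for ks in "$@"; do
        # Per step 5: store password = file name less the .keys extension.
        pass=$(basename "$ks" .keys)
        # Assumption: give the password to -list too, so nothing prompts.
        aliases=$(keytool -list -v -keystore "$ks" -storepass "$pass" \
                      -storetype JCEKS | find_alias_by_sha1 "$want")
        [ -n "$aliases" ] || { echo "$ks: certificate not present"; continue; }
        cp -p "$ks" "$ks.bak"                   # keep a copy before editing
        printf '%s\n' "$aliases" | while IFS= read -r alias; do
            keytool -delete -v -alias "$alias" -keystore "$ks" \
                -storepass "$pass" -storetype JCEKS </dev/null
        done
    done
}

# Sample listing: one constructed entry followed by the article's entry.
sample_listing() {
    cat <<'EOF'
Alias name: constructed-unrelated-entry
Entry type: trustedCertEntry
Certificate fingerprints:
MD5: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
Alias name: certc1121889286114.531@sbrines-d610
Entry type: trustedCertEntry
Certificate fingerprints:
MD5: 9D:D0:76:AC:EB:B1:C0:B2:4C:F0:45:76:C1:82:D0:42
SHA1: 4E:2A:49:22:1D:27:DF:94:EF:1F:F6:E0:A6:DA:C2:88:37:15:75:71
EOF
}

if [ "$#" -ge 2 ]; then remove_cert "$@"; fi
```

Run it with the fingerprint first and the full paths of the PSE files after it; with no arguments it only defines the functions.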