Managing keys and certificates in Java often involves working with Java KeyStores (JKS) or other formats like PKCS12. Sometimes, there is a need to change the alias of a key pair or certificate without altering the key material itself. This article walks through the process of changing the alias of a key in a Java Keystore.
1. Preparing a Sample Keystore
To demonstrate alias renaming, we first need a keystore with at least one key entry. We can create this keystore using the keytool command-line utility.
Run the following command in your terminal:
keytool -genkey \ -alias oldAlias \ -keyalg RSA \ -keysize 2048 \ -keystore mykeystore.jks \ -storepass changeit \ -dname "CN=JCG User, OU=Dev, O=Javacodegeeks, L=Athens, S=Attica, C=GR"
This command generates a new RSA key pair with an alias oldAlias in mykeystore.jks. The keystore password is set to changeit. The dname specifies the distinguished name for the certificate.
2. Java Program to Change Key Alias
Below is a Java program that changes a key’s alias from oldAlias to newAlias without altering the key itself.
public class Keyaliaschanger {
public static void main(String[] args) {
String keystoreFile = "/mykeystore.jks";
String keystorePassword = "changeit";
String oldAlias = "oldAlias";
String newAlias = "newalias";
try {
// Load the existing keystore
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(Keyaliaschanger.class.getResourceAsStream(keystoreFile), keystorePassword.toCharArray());
// Retrieve key and certificate
Key key = keyStore.getKey(oldAlias, keystorePassword.toCharArray());
Certificate[] chain = keyStore.getCertificateChain(oldAlias);
if (key == null) {
System.out.println("No key found for alias: " + oldAlias);
return;
}
// Store key with new alias
keyStore.setKeyEntry(newAlias, key, keystorePassword.toCharArray(), chain);
// Remove old alias
keyStore.deleteEntry(oldAlias);
// Save keystore back to the same file
try (FileOutputStream fos = new FileOutputStream("src/main/resources/" + keystoreFile)) {
keyStore.store(fos, keystorePassword.toCharArray());
}
System.out.println("Alias changed from '" + oldAlias + "' to '" + newAlias + "' successfully.");
} catch (Exception e) {
e.printStackTrace();
}
}
}
The keystore is loaded from mykeystore.jks using the provided password, and the key along with its certificate chain is retrieved using the old alias. The same key and certificate are then stored under the new alias using the setKeyEntry method, after which the old alias is removed with deleteEntry. Finally, the updated keystore is saved back to disk, completing the alias change.
When the program is compiled and executed with the correct keystore and passwords, the alias is renamed, and a success message is displayed.
Verifying the Alias Change
To confirm that the alias has been changed, use the keytool -list command:
keytool -list -keystore mykeystore.jks -storepass changeit
The keytool -list command displays all entries in the keystore, and if the alias change was successful, the entry will appear as newalias while the oldalias will no longer be present.
Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 1 entry newalias, Aug. 2, 2025, PrivateKeyEntry,
3. Change the Alias of a Key Using keytool Utility
If you prefer not to write Java code for changing a key alias, you can achieve the same result directly from the command line using the keytool utility that comes with the Java Development Kit (JDK). This method is often quicker for one-off changes or when automating keystore management in scripts.
To change the alias, use the -changealias option of keytool:
keytool -changealias -alias oldalias -destalias javacodegeeks -keystore mykeystore.jks -storepass changeit
The -alias oldalias option specifies the current alias of the key to be renamed, while -destalias javacodegeeks sets the new alias to assign to the key. The -keystore mykeystore.jks parameter points to the keystore file and -storepass provides the keystore password. This command updates the keystore in place without requiring the export and re-import of keys.
You can verify the change by running:
keytool -list -keystore mykeystore.jks -storepass changeit
This will display the entries in the keystore with the updated alias name.
Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 1 entry javacodegeeks, Aug. 2, 2025, PrivateKeyEntry
4. Conclusion
In this article, we explored how to change the alias of a key in a Java Keystore using both a Java program and the keytool utility. The guide demonstrated how to load the keystore, retrieve the key and certificate chain, store them under a new alias, remove the old alias, and save the updated keystore. Additionally, the keytool method was presented as a quick alternative for performing the same operation directly from the command line.
5. Download the Source Code
This article covered how to change a key alias in a Java Keystore.
You can download the full source code of this example here: java keystore change key alias
