JDK-8212111: Deprecating the default keytool -keyalg value



    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version: 12
    • Component: security-libs
    • Subcomponent: None
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: The default value is only deprecated, not removed. The warning is informational and does not change the exit code of keytool. A script that compares keytool output character by character will notice a small difference.
    • Interface Kind: add/remove/modify command line option
    • Scope: JDK



        Summary

      Deprecate the default -keyalg value for the -genkeypair and -genseckey commands of keytool, so that a warning is printed whenever the user has not explicitly specified one.


        Problem

      The current default -keyalg value is "DSA" for -genkeypair and "DES" for -genseckey. Both are legacy algorithms that are not used in modern security-related protocols.


        Solution

      Deprecate the default -keyalg value for these two commands and recommend that users explicitly specify one. Cryptography is evolving all the time, and it was probably a mistake to choose a default -keyalg value when keytool was created. Also, not having a default -keyalg value makes users specify what they want, perhaps learning about certificates and making an educated choice.

      We plan to remove the default value in a future release.


        Specification

      For keytool -genkeypair, if no -keyalg is specified, the following warning will be shown:

      Warning: No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.

      For keytool -genseckey, the "DES" algorithm name is shown instead.

      For both commands, whether or not -keyalg is specified, after the key is successfully created an informational line shows what kind of key was created, including the key algorithm and the signature algorithm (if relevant). For example:

      Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days for: CN=X

      For the keytool.html document, remove the "-keyalg" item from the default value box of the "Examples of Option Values" section.
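      As an added example (not code from the CSR or from the JDK), the following POSIX shell helpers let a build or provisioning script catch reliance on the deprecated default before the default is removed: one check inspects the keytool argument list for an explicit -keyalg, and two others inspect captured keytool output for the warning and the reported key algorithm. The sample output is constructed from the warning and informational text quoted above; the RSA variant of the informational line and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the CSR or of keytool itself): helpers for scripts
# that drive keytool, so that reliance on the deprecated default -keyalg is
# caught rather than silently carried forward until the default is removed.

# Constructed sample output, modelled on the warning and informational text the
# CSR specifies for `keytool -genkeypair` when -keyalg is omitted.
SAMPLE_WITHOUT_KEYALG='Warning: No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.
Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days for: CN=X'

# Constructed sample output for the same command with an explicit -keyalg RSA
# (the RSA wording is an assumption; only the DSA line appears in the CSR).
SAMPLE_WITH_KEYALG='Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days for: CN=X'

# Returns 0 (true) if a keytool argument list names -keyalg explicitly, 1 otherwise.
# Run this before invoking keytool to fail a script that still relies on the default.
args_specify_keyalg() {
    for arg in "$@"; do
        [ "$arg" = "-keyalg" ] && return 0
    done
    return 1
}

# Returns 0 if captured keytool output shows the key was generated with the
# deprecated default algorithm (the warning text is the marker), 1 otherwise.
relies_on_default_keyalg() {
    printf '%s\n' "$1" | grep -q 'Warning: No -keyalg option'
}

# Prints the key algorithm reported in keytool's "Generating ..." line (e.g. DSA, RSA).
generated_key_algorithm() {
    printf '%s\n' "$1" | sed -n 's/^Generating [0-9,]* bit \([A-Za-z0-9]*\) key.*/\1/p'
}

# Demonstration: a pre-flight check on an argument list, then a post-hoc check
# on captured output. keytool itself is not run here; only the samples are used.
if args_specify_keyalg -genkeypair -alias mykey -keyalg EC -keysize 256; then
    echo "explicit -keyalg present: OK"
fi
if relies_on_default_keyalg "$SAMPLE_WITHOUT_KEYALG"; then
    echo "warning: key generated with deprecated default $(generated_key_algorithm "$SAMPLE_WITHOUT_KEYALG")"
fi
```

      The argument-list check is the one worth wiring into CI, since the warning is informational and does not change keytool's exit code; the output checks are for auditing logs of runs that have already happened.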


        People

              Assignee: Weijun Wang (weijun)
              Reporter: Sean Mullan (mullan)
              Reviewed by: Sean Mullan, Xuelei Fan