Brief Introduction
keytool, shipped with Java, is a key and certificate management tool. It lets users manage their own public/private key pairs and the associated certificates, either for authentication via digital signatures (users authenticate themselves to other users or services) or for data integrity and authentication services. It also lets users store the public keys of their communication partners (in the form of certificates).
keytool stores keys and certificates in a so-called keystore (KeyStore). The default KeyStore implementation stores the keystore as a single file and uses a password to protect the private keys.
Types of Java KeyStore
JKS and JCEKS are the two most common types of Java KeyStore (five types are known to me in total: JKS, JCEKS, PKCS12, BKS and UBER).
The provider of JKS is SUN, which is available in every version of the JDK; the provider of JCEKS is SunJCE, which can be used directly from JDK 1.4 onwards.
JCEKS is stronger than JKS at the security level, especially in protecting the private keys in the KeyStore (it uses TripleDES), so the JCEKS provider is recommended.
PKCS#12 is the Public Key Cryptography Standard for personal information exchange; it stipulates that private keys, public keys and certificates can all be included. It is stored in binary format and is also known as a PFX file, which can be imported directly into the certificate store in Windows. Note that a PKCS#12 KeyStore's protection password is also used to protect the keys.
BKS comes from the BouncyCastle provider. It uses TripleDES to protect the keys in the KeyStore and prevents the certificate store from being modified unnoticed (changing even a single bit of a KeyStore key entry is detected as an error). BKS can interoperate with JKS; readers can try this with keytool.
UBER is more special: it only interoperates with keytool when the password is given on the command line, because the entire keystore is encrypted with PBE/SHA1/Twofish, which prevents the keystore from being altered, inspected or verified without the password. Previously the Sun JDK (the SUN provider) allowed a keystore to be loaded without providing a password, as with cacerts; UBER does not allow this.
Certificate Import
DER/CER certificate import:
To import a certificate from a file, use the -import command of keytool:
keytool -import -file mycert.der -keystore mykeystore.jks
If the keystore given in the -keystore option does not exist, it is created.
If you do not specify the -keystore option, the default keystore is a file named .keystore in the user's home directory. If that file does not exist, it is created.
When you create a keystore, you are required to enter a keystore password, which you will need later to access it. You can use the -list command to view the contents of a keystore:
keytool -list -rfc -keystore mykeystore.jks
P12 format certificate import:
keytool cannot import PKCS#12 files directly.
The first approach is to import the PFX certificate into IE and then export it as a .cer file, then import that into the KeyStore using the method described above. In this case the keystore contains only the certificate, not the private key.
The second method is to import the PFX file into IE and then export it again as a PFX file.
The newly generated PFX still cannot be imported into the KeyStore; the error is: Keytool: java.lang.Exception: The input is not an X.509 authentication. The newly generated PFX file can, however, be used as a keystore itself, but it reports an error such as "unknown attr1.3.6.1.4.1.311.17.1". Checking the data, this happens with PFX files exported by IE; files exported by Netscape do not have this error.
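Since JDK 6 the private key in a PFX can be moved into a JKS or JCEKS keystore with "keytool -importkeystore -srcstoretype PKCS12", and the same can be done programmatically with the KeyStore API. The following added example (not from the page) copies every entry of a PKCS#12 file, private keys included, into a JCEKS keystore; the file paths and passwords are command-line arguments and are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
// Copies every entry of a PKCS#12 file (e.g. a .pfx exported from a browser)
// into a JCEKS keystore, private keys included. JDK 6+, no extra provider.
// Paths and passwords come from the command line (assumed, not from the page).
public class P12ToJceks {
    public static int convert(String srcPath, char[] srcPass, String destPath, char[] destPass)
            throws GeneralSecurityException, IOException {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(srcPath)) {
            src.load(in, srcPass);
        }
        // JCEKS protects private keys with PBE/TripleDES, as noted above
        KeyStore dest = KeyStore.getInstance("JCEKS");
        dest.load(null, null); // initialise an empty in-memory keystore
        int copied = 0;
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                // in PKCS#12 the store password also protects the key
                Key key = src.getKey(alias, srcPass);
                Certificate[] chain = src.getCertificateChain(alias);
                dest.setKeyEntry(alias, key, destPass, chain);
            } else {
                dest.setCertificateEntry(alias, src.getCertificate(alias));
            }
            copied++;
        }
        try (FileOutputStream out = new FileOutputStream(destPath)) {
            dest.store(out, destPass);
        }
        return copied; // number of entries written to the JCEKS file
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: P12ToJceks src.pfx srcPass dest.jceks destPass");
            System.exit(2);
        }
        int n = convert(args[0], args[1].toCharArray(), args[2], args[3].toCharArray());
        System.out.println("copied " + n + " entries to " + args[2]);
    }
}
```

Afterwards "keytool -list -storetype JCEKS -keystore dest.jceks" shows the private key entry alongside its certificate chain, which the certificate-only import above cannot provide.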
The third method is to