Functions and usage of Java keytool

Source: Internet
Author: User
Tags aliases
Keytool is a security key and certificate management tool. It manages an X.509 certificate chain that stores private keys and verifies the corresponding public keys associated with them. Keystore(Equivalent Database).

Keytool is a valid security key and certificate management tool. it enables users to use digital signatures to manage their own private/public key pairs, manage certificates used for self-identification, and manage data integrity and authentication services. it also enables users to cache their public keys during communication.
A certificate is a digital signature of a certain entity (individual, company, etc.).OthersThe detailed value of the object's public key (or other information. after the data is signed, the signature information is used to verify the integrity and authenticity of the data. integrity index data has not been modified or tampered with, and authenticity index data has been transferred from any party that generates and signs the data.
Keytool stores the key and certificate to a keystore. The keystore is a file which uses a password to protect the key.
Another tool, jarsigner, is used to generate or test the keystore information.JavaThe digital signature in Archive (JAR file.
The keystore has two different portals:
1. key entry: stores very sensitive Encrypted Key Information and stores it in a protected format to prevent unauthorized access. the key stored in this form is a secret key or a private key corresponding to the public key in the certificate chain.
2. trusted certificate entry: contains a single public key certificate for other parts. it is called "trusted Certificate" because the public key in the certificate trusted by the keystore truly belongs to the identity of the certificate owner.
Keystore alias:
All keystore portals (key and trust certificate portals) are accessed through a unique alias. aliases are case-insensitive. For example, aliases Hugo and Hugo point to the same keystore portal.
You can use the-genkey parameter when adding an entry to the keystore to generate a key pair (Public Key and private key) and specify the alias. you can also use the-import parameter to add a certificate or certificate chain to the trusted certificate.
For example:
Keytool-genkey-alias Duke-keypass dukekeypasswd
Duke is the alias and dukekeypasswd is the password of the duke alias. This command is used to generate a new public/private key pair.
If you want to change the password, you can use:
Keytool-keypasswd-alias Duke-keypass dukekeypasswd-New newpass
Change the old password dukekeypasswd to newpass.
Keystore generation:
1. when the-genkey,-import, or-identitydb command is used to add data to a keystore, And the keystore does not exist, a keystore is generated. the default name is. keystore, which is stored in the user-home directory.
2. When-keystore is used, the specified keystore will be generated.
Keystore implementation:
Keytool
The class is located under the java. Security Package and provides a very good interface to obtain and modify information in a keystore.
Currently, there are two command lines: keytool and jarsinger, a GUI tool policy.
The keystore can be implemented. Because the keystore is public, you can use it to write some additional security applications.
Keystore also has an internal implementation provided by Sun. it uses keystore as a file. A keystore type (Format) "jks" is used ". it uses a separate password to protect every private key. different passwords may also be used to protect the integrity of the entire keystore.
Supported algorithms and key sizes:
Keytool allows you to specify the key pair and the signature algorithm provided by the Registry. the default key pair generation algorithm is "DSA ". if the private key is of the "DSA" type, the default signature algorithm is "sha1withdsa". If the private key is of the "RSA" type, the default algorithm is "md5withrsa ".
When a DSA key pair is generated, the key must be between 512-1024 bits. The default key size for any algorithm is 1024 bits.
Certificate:
A certificate is a digital signature of an entity, indicating that the public keys of other entities have clear values.
1. Public Key: it is a digital Association of the same detailed entity, and intends to let all other entities that want to have a trust relationship with this entity know. The public key is used to test the signature;
2. Digital Signature: if the data has been signed and stored in an entity with an identity, a signature can prove that the entity knows the data. The data is signed and submitted using the entity's private key;
3. Identity: Methods for knowing entities. In some systems, identity is a public key. In other systems, it can be anything from the Unix uid of an X.509 email address;
4. Signature: a signature is calculated using the entity private key;
5. private Key: a number. Each private key can only be known by a specific entity that owns the private key. private and public keys exist in key pairs of all systems encrypted with public keys. A public key is encrypted (such as DSA), and a private key communicates with a correct public key. the private key is used to calculate the signature.
6. entity: an entity can be a person, an organization, a program, a computer, a business, a bank, or something else you want to trust.
Keytool application instance:
1. Generate a keystore:
Keytool-genkey-alias user (keystore alias)-keyalg RSA-validity 7-keystore (specified keystore ).
When you run this command, the system prompts:
Enter keystore password: yourpassword (enter the password)
What is your first and last name?
[UNKNOWN]: Your name (enter your name)
What is the name of your organizational unit?
[UNKNOWN]: Your organizational (enter the name of your organization)
What is the name of your organization?
[UNKNOWN]: Your Organization Name (enter the name of your organization)
What is the name of your city or locality?
[UNKNOWN]: Your city name (enter the name of the city)
What is the name of your state or province?
[UNKNOWN]: Your Provice name (enter the name of the Province)
What is the two-letter country code for this unit?
[UNKNOWN]: CN (name of the input country)
Is Cn = your name, Region u = Your organizaion, O = "your organization name ",
L = your city name, St = your province name, c = cn correct?
[No]: Yes
2. Check A keystore:
Keytool-list-v-keystore
Enter keystore password: Your password (enter password)
The keystore content is displayed as follows:
Keystore type: jks
Keystore provider: Sun
Your keystore contains 1 entry
Alias Name: yourname
Creation date: Dec 20,200 1
Entry type: keyentry
Certificate Chain Length: 1
Certificate [1]:
Owner: Cn = yourname, Region u = your organization, O = "your organization name ",
L = your city name, St = your province name, c = Cn
Issuer: Cn = Duke, ō u = Java software, O = "Sun Microsystems, Inc.", L = Palo Alto, St = Ca, c = us
Serial number: 3c22adc1
Valid from: Thu DEC 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
MD5: F1: 5b: 9B: A1: F7: 16: Cf: 25: Cf: F4: FF: 35: 3f: 4C: 9C: F0
Sha1: B2: 00: 50: DD: B6: CC: 35: 66: 21: 45: 0f: 96: AA: AF: 6a: 3D: e4: 03: 7c: 74
3. Output The keystore to a file: testkey:
Keytool-export-alias Duke-keystore-RFC-file testkey
System output:
Enter keystore password: Your password (enter password)
Certificate stored in file <TD>
4. Enter the certificate to a new truststore:
Keytool-import-alias dukecert-file testkey-keystore truststore
Enter keystore password: Your new password. (enter the new truststore password)
5. Check truststore:
Keytool-list-v-keystore truststore
The system displays truststore information.
Now you can use the appropriate keystore to run your application. For example:
Java -djavax.net. SSL. keystore = keystore -djavax.net. SSL. keystorepassword = PASSWORD Server
And: Java -djavax.net. SSL. truststore = truststore

-Djavax.net. SSL. truststorepassword = trustword Client

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.