Keytool Tools Introduction
Keytool is the tool Java ships for managing keys and certificates. Its features include:
1. Creating and managing keys
2. Creating and managing certificates
3. Acting as a CA and signing certificates
4. Importing and exporting certificates
Keytool stores keys and certificates in a KeyStore, which can hold private keys as well as trusted certificates.
The KeyStore file is in the JKS format; each private key inside it is protected by its own password, separate from the keystore password.
I. Generate the private key
keytool -genkey -alias serverkey -keystore server.keystore
Follow the prompts to enter the keystore password, the private key password and the personal information (the distinguished name); keytool then writes the server.keystore file.
Related parameters
-keyalg RSA    use the RSA algorithm (default)
-storepass     keystore file password
-keypass       private key password
II. Export the certificate
keytool -export -keystore server.keystore -file server.cer -alias serverkey
III. Import the trusted certificate (client side)
keytool -import -keystore clienttrust.keystore -file server.cer -alias servertrust
IV. View keys and certificates
View the server key
keytool -list -keystore server.keystore
Output
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

serverkey, Sep, PrivateKeyEntry,
Certificate fingerprint (SHA1): 65:75:C9:08:A0:83:21:A1:D7:8D:DA:CD:3D:FB:C2:E0:50:96:29:62

View the clienttrust keystore
keytool -list -keystore clienttrust.keystore
Output
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

servertrust, Sep, trustedCertEntry,
Certificate fingerprint (SHA1): 65:75:C9:08:A0:83:21:A1:D7:8D:DA:CD:3D:FB:C2:E0:50:96:29:62

Add the -v option to see more details.
View a certificate file
keytool -printcert -file server.cer
Output
Owner: CN=zz, OU=dev, O=pp.com, L=gz, ST=GD, C=cn
Issuer: CN=zz, OU=dev, O=pp.com, L=gz, ST=GD, C=cn
Serial number: 797f3140
Valid from: Sun Sep 16:43:55 CST until: Sat Dec 16:43:55 CST 2016
Certificate fingerprints:
	 MD5:  FB:7D:29:4C:A9:F3:07:0E:CC:74:0D:9B:D4:D6:4D:91
	 SHA1: 65:75:C9:08:A0:83:21:A1:D7:8D:DA:CD:3D:FB:C2:E0:50:96:29:62
	 SHA256: E9:8B:A5:43:5F:40:FA:C5:64:3B:0A:11:1D:BE:D1:07:3C:A1:E2:50:88:71:A7:5C:EC:43:22:98:1B:AA:B6:EB
	 Signature algorithm name: SHA1withDSA
	 Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0E C3 D3 3A 3C B7 D9 C4   BD 8E E7 6C EC
0010: AF 8A 29 72                                        ..)r
]
]
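The four steps above, run end to end as a shell script. This is an added example and not code from the original article: it chains the same keytool commands non-interactively (-dname, -storepass, -keypass and -noprompt replace the prompts), passes -keyalg RSA and -storetype JKS explicitly (the printcert output above shows SHA1withDSA, which is what older keytool releases produce when -keyalg is omitted, and JDK 9 and later default to PKCS12 rather than JKS), then parses `keytool -list` on both stores to confirm that the client's trust entry carries the same certificate fingerprint as the server's private-key entry. The alias names and DN come from the article; the passwords and the scratch directory are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article: runs the four steps above
# (generate key pair, export certificate, import into a client trust store,
# list) in a scratch directory, then checks that the client's trust entry
# carries the same fingerprint as the server's private-key entry.
# Alias names and DN follow the article; the passwords are constructed.

STOREPASS=storepw123   # keystore password (constructed)
KEYPASS=keypw456       # separate private-key password, as JKS allows (constructed)
DNAME="CN=zz, OU=dev, O=pp.com, L=gz, ST=GD, C=cn"

# Print "<alias> <fingerprint>" for each entry of a keystore by parsing the
# two-line-per-entry format of `keytool -list` (the fingerprint hash is SHA1
# on JDK 8 and SHA-256 on later releases, so both headings are accepted).
list_fingerprints() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null |
    awk '/, (PrivateKeyEntry|trustedCertEntry),/ { alias = $1; sub(/,$/, "", alias) }
         /Certificate fingerprint \(SHA[-0-9]*\):/ { print alias, $NF }'
}

# The body runs in a subshell so the cd and the scratch files stay contained.
run_demo() (
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping" >&2; exit 0; }
    work=$(mktemp -d) && cd "$work" || exit 1

    # 1. Server key pair. -keyalg is given explicitly: the printcert output in
    #    the article shows SHA1withDSA, i.e. a key generated without -keyalg.
    keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 \
        -dname "$DNAME" -validity 90 -keystore server.keystore -storetype JKS \
        -storepass "$STOREPASS" -keypass "$KEYPASS" 2>/dev/null || exit 1

    # 2. Export only the certificate; the private key never leaves the JKS.
    keytool -exportcert -alias serverkey -keystore server.keystore \
        -storepass "$STOREPASS" -file server.cer 2>/dev/null || exit 1

    # 3. Client side: trust that certificate. -noprompt answers the
    #    "Trust this certificate?" question the interactive form asks.
    keytool -importcert -alias servertrust -file server.cer \
        -keystore clienttrust.keystore -storetype JKS \
        -storepass "$STOREPASS" -noprompt 2>/dev/null || exit 1

    # 4. List both stores and compare the fingerprints.
    server_fp=$(list_fingerprints server.keystore | awk '$1 == "serverkey" { print $2 }')
    client_fp=$(list_fingerprints clienttrust.keystore | awk '$1 == "servertrust" { print $2 }')
    printf 'server.keystore      serverkey    %s\nclienttrust.keystore servertrust  %s\n' \
        "$server_fp" "$client_fp"

    cd / && rm -rf "$work"
    [ -n "$server_fp" ] && [ "$server_fp" = "$client_fp" ]
)

run_demo
```

The fingerprint comparison is the check worth keeping after any manual import: a trust entry that does not match the fingerprint printed by `keytool -printcert` on the exported file means the client trusted something other than the server's certificate.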
V. Conversion commands
Convert JKS format to PKCS12
keytool -importkeystore -srckeystore me.keystore -destkeystore me.p12 -srcalias me -destalias me -srcstoretype jks -deststoretype pkcs12
FAQ
**The usual keytool format is JKS; how do I get the private key out?**
Answer: read it out programmatically (keytool itself has no command that exports a private key).
**How do I convert a JKS file into PEM files for an nginx server?**
Answer: a JKS file usually already contains the private key, the certificate and the CA certificate. Convert the JKS to PKCS12 with keytool, then extract the pieces with OpenSSL:
Extract the private key (-nodes means the output PEM file is not encrypted)
openssl pkcs12 -in me.p12 -nodes -nocerts -out me.key
Extract the certificate
openssl pkcs12 -in me.p12 -nodes -nokeys -clcerts -out me.crt
Extract the CA certificate (empty if the certificate is self-signed)
openssl pkcs12 -in me.p12 -nodes -nokeys -cacerts -out ca.crt
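The FAQ conversion above as a script. This is an added example, not the article's own commands verbatim: it builds a throwaway JKS under the alias me (standing in for me.keystore), runs the JKS to PKCS12 conversion and the three openssl extractions non-interactively, retries with -legacy when OpenSSL 3 refuses the RC2-40 cipher that older keytool releases used for the certificate bags, and finally checks that the public key inside me.key matches the one in me.crt before the pair is handed to nginx. The password, DN and scratch directory are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article: the JKS -> PKCS12 -> PEM
# conversion from the FAQ, run non-interactively on a constructed keystore
# (standing in for me.keystore), followed by a check that the extracted
# private key and certificate belong together. Alias and DN follow the
# article; the password is constructed.

PASS=storepw123
DNAME="CN=zz, OU=dev, O=pp.com, L=gz, ST=GD, C=cn"

# Extract one component from me.p12. OpenSSL 3 refuses the RC2-40 cipher that
# older keytool releases used for the certificate bags, so retry with -legacy.
p12_extract() {
    out=$1; shift
    openssl pkcs12 -in me.p12 -passin pass:"$PASS" -nodes "$@" -out "$out" 2>/dev/null ||
    openssl pkcs12 -legacy -in me.p12 -passin pass:"$PASS" -nodes "$@" -out "$out"
}

# SHA-256 of the DER encoding of a PEM public key read from stdin.
pubkey_digest() {
    openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

jks_to_pem() (
    command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 ||
        { echo "keytool or openssl not on PATH, skipping" >&2; exit 0; }
    umask 077                      # key material is written with owner-only permissions
    work=$(mktemp -d) && cd "$work" || exit 1

    # Constructed JKS with one private-key entry under the alias "me".
    keytool -genkeypair -alias me -keyalg RSA -keysize 2048 -dname "$DNAME" -validity 90 \
        -keystore me.keystore -storetype JKS -storepass "$PASS" -keypass "$PASS" 2>/dev/null || exit 1

    # Step 1: the article's conversion command, with the passwords given on the command line.
    keytool -importkeystore -srckeystore me.keystore -destkeystore me.p12 \
        -srcalias me -destalias me -srcstoretype JKS -deststoretype PKCS12 \
        -srcstorepass "$PASS" -deststorepass "$PASS" \
        -srckeypass "$PASS" -destkeypass "$PASS" 2>/dev/null || exit 1

    # Step 2: the article's three openssl commands. -nodes leaves the key
    # unencrypted, which is what nginx needs to start without a passphrase prompt.
    p12_extract me.key -nocerts         || exit 1
    p12_extract me.crt -nokeys -clcerts || exit 1
    p12_extract ca.crt -nokeys -cacerts || exit 1   # empty for a self-signed certificate

    # Check: the key in me.key must match the public key embedded in me.crt.
    key_pub=$(openssl pkey -in me.key -pubout | pubkey_digest)
    crt_pub=$(openssl x509 -in me.crt -pubkey -noout | pubkey_digest)
    printf 'me.key  %s\nme.crt  %s\nca.crt  %s bytes\n' "$key_pub" "$crt_pub" "$(wc -c < ca.crt)"

    cd / && rm -rf "$work"
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
)

jks_to_pem
```

me.crt goes into nginx's ssl_certificate and me.key into ssl_certificate_key. When ca.crt is not empty, nginx expects the server certificate followed by its chain in one file, so concatenate me.crt and ca.crt (in that order) for ssl_certificate.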
Generate a certificate using Keytool