Java Secure Sockets programming and Keytool use best practices

Source: Internet
Author: User
Tags: command line

Overview

With Java JSSE (Java Secure Socket Extension) we can write secure-socket programs easily; for an introduction to JSSE, see the JSSE guide on the Oracle website. While programming, we need to apply a digital certificate in the code. For formal product development we usually pay a fee to a commercial certification authority such as Verisign, GeoTrust or Thawte to obtain one.

If it is only for experimentation, we can instead use the keytool utility shipped with Java to make a certificate. Keytool is Java's key and certificate management tool; the keys and certificates it generates are stored in a file in JKS (Java KeyStore) format. In practice, JKS files are commonly used for two purposes:

1. as a keystore, holding asymmetric key pairs together with their digital certificates;

2. as a truststore, holding the list of trusted certificates.

Note: The command-line parameters of keytool differ slightly between Java versions. Compared with Java 6, keytool in Java 7 has the following changes:

-export option renamed to -exportcert

-genkey option renamed to -genkeypair

-import option renamed to -importcert

-keyclone option is discarded

-identitydb option is discarded

-selfcert option is discarded

The following examples use keytool from Java 7 and explain its common usage.

Use keytool to make keystores and truststores

Generate an asymmetric key pair and a self-signed certificate

Command: keytool -genkeypair -alias test_root -keystore test_root.jks

Explanation: Generates a key pair and a self-signed certificate; the private key and the certificate are stored in the file test_root.jks under the alias test_root.

Note: When the command above is run, keytool prompts interactively for the password, CN, OU and other information, which must be entered manually.

Generate a certificate request file

Command: keytool -certreq -file test_server.csr -alias test_server -keystore test_server.jks

Explanation: Writes the public key and the subject information of the alias test_server from the file test_server.jks into the certificate request file test_server.csr.

Issue a certificate

Command: keytool -gencert -infile test_server.csr -outfile test_server.cer -alias test_root -keystore test_root.jks

Explanation: Uses the private key of the alias test_root to issue a certificate for the request test_server.csr and saves it to the file test_server.cer.

Export a certificate from a JKS file

Command: keytool -exportcert -alias test_root -file test_root.cer -keystore test_root.jks

Explanation: Exports the certificate of the alias test_root from the file test_root.jks and stores it in the file test_root.cer.

Import a trusted certificate into a JKS file

Command: keytool -importcert -alias test_root -file test_root.cer -keystore test_server.jks

Explanation: Imports the certificate test_root.cer into test_server.jks under the alias test_root.

Note: Because the destination JKS file does not yet contain the specified alias, the imported entry is saved as a trustedCertEntry (trusted certificate).

Import an issued certificate into a JKS file (update the certificate)

Command: keytool -importcert -alias test_server -file test_server.cer -keystore test_server.jks

Explanation: Updates the entry that already exists under the alias test_server in test_server.jks with the issued certificate test_server.cer.

Note: The command here is exactly the same as the one for importing a trusted certificate, but it behaves differently.

1. Here the target JKS file already contains the specified alias, so keytool understands the command as a certificate update and saves the result as a PrivateKeyEntry.

2. Before importing the issued certificate, be sure to import the corresponding CA certificate into the JKS file first; otherwise the command fails with the error "keytool: java.lang.Exception: Unable to build a chain from the reply."
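The whole procedure above as one non-interactive script, added here as an example and not part of the original article: it generates the root and server key pairs, issues the server certificate, imports the CA certificate and then the issued certificate in the order the page requires, and reports the entry type keytool lists for each alias. The password, the -dname values, the validity and the RSA key size are constructed placeholders; the script assumes a Java 7 or later keytool on PATH.

```shell
#!/bin/sh
# Added example (not from the article): the page's keytool steps run end to end
# without prompts. Password and subject names below are constructed placeholders.
set -eu
PASS='changeit'   # placeholder store/key password for a lab keystore only

# Build test_root.jks (CA) and test_server.jks (server) in the given directory.
# Runs in a subshell so the caller's working directory is left unchanged.
build_chain() (
    mkdir -p "$1" && cd "$1"
    # Self-signed root; bc:c marks it as a CA (BasicConstraints, critical).
    keytool -genkeypair -alias test_root -keystore test_root.jks -storetype JKS \
        -storepass "$PASS" -keypass "$PASS" -keyalg RSA -keysize 2048 \
        -dname 'CN=Test Root, OU=Lab, O=Example' -validity 365 -ext bc:c
    # Server key pair; -keyalg RSA avoids the DSA default of older keytools.
    keytool -genkeypair -alias test_server -keystore test_server.jks -storetype JKS \
        -storepass "$PASS" -keypass "$PASS" -keyalg RSA -keysize 2048 \
        -dname 'CN=localhost, OU=Lab, O=Example' -validity 365
    # Certificate request from the server entry, then issue it with the root key.
    keytool -certreq -alias test_server -keystore test_server.jks \
        -storepass "$PASS" -file test_server.csr
    keytool -gencert -alias test_root -keystore test_root.jks -storepass "$PASS" \
        -infile test_server.csr -outfile test_server.cer -validity 365
    # Export the root certificate so the server store can trust it.
    keytool -exportcert -alias test_root -keystore test_root.jks \
        -storepass "$PASS" -file test_root.cer
    # Order matters: the CA certificate goes in first (new alias, so it becomes
    # a trustedCertEntry); otherwise the reply import cannot build a chain.
    keytool -importcert -noprompt -alias test_root -keystore test_server.jks \
        -storepass "$PASS" -file test_root.cer
    # Same command, existing alias: keytool treats the file as a certificate
    # reply and updates the PrivateKeyEntry with the issued certificate.
    keytool -importcert -noprompt -alias test_server -keystore test_server.jks \
        -storepass "$PASS" -file test_server.cer
)

# Entry type keytool lists for an alias: PrivateKeyEntry or trustedCertEntry.
entry_type() {
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" \
        | sed -n 's/.*, \([A-Za-z]*Entry\),.*/\1/p' | head -n 1
}

# Stand-alone run: build the lab stores under ./keytool-lab and show the types.
if [ "${1:-}" = run ] && command -v keytool >/dev/null 2>&1; then
    build_chain ./keytool-lab
    echo "test_root   -> $(entry_type ./keytool-lab/test_server.jks test_root)"
    echo "test_server -> $(entry_type ./keytool-lab/test_server.jks test_server)"
fi
```

Run it as `sh build_chain.sh run`; a keytool from JDK 9 or later prints a warning that JKS is a proprietary format, which does not affect the result.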
