Introduction to keystores, digital certificates, certificate files, private keys and public keys



Keytool is a useful tool for managing security keys and certificates. The keytool.exe shipped with Java (located in the JDK's bin directory) can be used to create digital certificates. All digital certificates are stored in one certificate store (the keystore) and are distinguished by alias; a certificate entry in the store contains the certificate's private key, its public key and the corresponding certificate information. A certificate in the store can be exported to a digital certificate file, which contains only the subject (principal) information and the corresponding public key.
keytool stores keys and certificates in a keystore. The default implementation of the keystore is a file, and it protects the keys with a password.

(2) Several concepts about certificates:
A certificate is a digitally signed statement about an entity that also contains the entity's public key value.
Public key: a number associated with a particular entity and intended to be known to every other entity that wants to have a trust relationship with it. The public key is used to verify signatures.
Digital signature: the data produced by signing (encrypting) the entity's information with the entity's private key. The entity's identity can be checked by verifying this signature (decrypting it) with the entity's public key and comparing the result with the entity information.
Signing: encrypting a message with the entity's private key to obtain the signed data.
Private key: a number known only to its owning entity; the private key and the public key together form the key pair of every public-key cryptosystem. The public key is used to encrypt data, and the private key is used to compute signatures. A message encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can only be verified with the public key.
Entity: an entity can be a person, an organization, a program, a computer, a business, a bank, or anything else you want to trust.
In fact, the command in [1] already generated a self-signed certificate, with every parameter not given on the command line taking its default value.
We can also generate a self-signed certificate with the following command:
keytool -genkey -dname "CN=FINGKI,OU=SERVER,O=SERVER,L=BJ,ST=BJ,C=CN" -alias myca -keyalg rsa -keysize 1024 -keystore mycalib -keypass 654321 -storepass 123456 -validity 3650
This command generates a self-signed certificate with the alias myca. The key pair password of the certificate is 654321, and the entity information in the certificate is "CN=FINGKI,OU=SERVER,O=SERVER,L=BJ,ST=BJ,C=CN". It is stored in the keystore named mycalib (created automatically if it does not exist), whose password is 123456. The key pair is generated with the RSA algorithm, and the certificate is valid for 10 years (3650 days).

Detailed analysis is as follows:
1. Aliases in the keystore:
All keystore entries (key entries and trusted certificate entries) are accessed through unique aliases. Aliases are case-insensitive, so the aliases hugo and Hugo refer to the same keystore entry.
You can use the -genkey option to generate a key pair (public key and private key) and add it to the keystore as a new entry under the given alias. You can also use the -import option to add a certificate or certificate chain to the keystore as a trusted certificate entry.
For example:
keytool -genkey -alias duke -keypass dukekeypasswd
Here duke is the alias and dukekeypasswd is the password protecting the duke entry. This command generates a new public/private key pair.
If you want to change the entry's password, use:
keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
This changes the old password dukekeypasswd to newpass.
The keystore to operate on is named with the -keystore option; if the named keystore does not exist yet, it is created.
2. View the contents of a keystore:
keytool -list -v -keystore keystore
Enter keystore password: your password (enter the keystore password)
3. Export a certificate from the keystore to a file, here testkey:
keytool -export -alias duke -keystore keystore -rfc -file testkey
System output:
Enter keystore password: your password (enter the keystore password)
Certificate stored in file
Example: keytool -export -keystore monitor.keystore -alias monitor -file monitor.cer
The certificate with alias monitor in the certificate store monitor.keystore is exported to the certificate file monitor.cer. That file contains the certificate's subject information and public key but not the private key, so it can be made public.
4. Import the certificate into a new truststore:
keytool -import -alias dukecert -file testkey -keystore truststore
Enter keystore password: your new password (enter the new truststore password)
Here the certificate rapa.cert is imported into cacerts, the default Java truststore:
keytool -import -alias rapaserver -file rapa.cert -keystore cacerts
5. Delete a certificate entry
The keytool command-line option -delete removes an entry from the keystore, for example: keytool -delete -alias rapaserver -keystore d2aapplet.keystore. This command removes the certificate with alias rapaserver from d2aapplet.keystore.

7. Export the certificate to a certificate file
keytool -export -alias myca -file myca.cer -keystore mycalib -storepass 123456 -rfc
This command exports the certificate with alias myca from the keystore named mycalib to the certificate file myca.cer (-storepass gives the keystore password; -rfc selects the printable, human-viewable encoding for the output and can be omitted).
8. View certificate information from a certificate file
keytool -printcert -file myca.cer
9. Change the password of a certificate entry in the keystore
keytool -keypasswd -alias myca -keypass 654321 -new newpass -storepass 123456 -keystore mycalib
10. Delete a certificate entry from the keystore
keytool -delete -alias myca -keystore mycalib
11. Import a certificate file into the specified keystore
keytool -import -alias myca -file myca.cer -keystore truststore
(If there is no keystore named truststore, it is created automatically and you are prompted for its password.)
12. Change the keystore password
keytool -storepasswd -new 123456 -storepass 789012 -keystore truststore
Here -storepass specifies the original password and -new specifies the new password.
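The steps above (generate a self-signed entry, export its certificate, import it into a truststore), run end to end as an added shell example that is not part of the original page. It assumes a JDK keytool on PATH and a writable scratch directory, reuses the page's sample aliases and passwords, and checks the properties the text describes: the exported file carries no private key, the fingerprint in the store matches the exported file, and the truststore ends up with a trusted certificate entry rather than a key entry. It uses 2048-bit RSA instead of the page's 1024 bits.

```shell
#!/bin/sh
# Added example, not from the original page. Runs the page's keytool workflow in a
# scratch directory and verifies the security properties the text states.
# Assumption: a JDK keytool is on PATH; if it is not, the demo is skipped.
keytool_demo() {
  dir="$1"
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found, demo skipped"
    return 0
  fi
  mkdir -p "$dir" && cd "$dir" || return 1
  rm -f mycalib myca.cer truststore

  # 1. Self-signed key pair and certificate (page's sample DN, alias and passwords).
  #    -storetype JKS keeps a separate entry password, as the page's examples do.
  keytool -genkeypair -storetype JKS -dname "CN=FINGKI,OU=SERVER,O=SERVER,L=BJ,ST=BJ,C=CN" \
    -alias myca -keyalg RSA -keysize 2048 -keystore mycalib \
    -keypass 654321 -storepass 123456 -validity 3650 >/dev/null 2>&1 || return 1
  keytool -list -keystore mycalib -storepass 123456 | grep -Eq 'PrivateKeyEntry|keyEntry' || return 1

  # 2. Export in printable (-rfc) form; only the certificate must leave the store.
  keytool -exportcert -alias myca -file myca.cer -keystore mycalib -storepass 123456 -rfc \
    >/dev/null 2>&1 || return 1
  grep -q 'BEGIN CERTIFICATE' myca.cer || return 1
  if grep -q 'PRIVATE KEY' myca.cer; then return 1; fi

  # 3. The certificate fingerprint in the store and in the exported file must agree.
  in_store=$(keytool -list -v -keystore mycalib -storepass 123456 -alias myca | grep 'SHA256:')
  in_file=$(keytool -printcert -file myca.cer | grep 'SHA256:')
  [ -n "$in_store" ] && [ "$in_store" = "$in_file" ] || return 1

  # 4. Import into a new truststore; -noprompt answers the "Trust this certificate?" question.
  keytool -importcert -noprompt -alias myca -file myca.cer -keystore truststore \
    -storepass 789012 >/dev/null 2>&1 || return 1
  keytool -list -keystore truststore -storepass 789012 | grep -q 'trustedCertEntry' || return 1
  echo "ok: key entry stays in mycalib, myca.cer holds only the certificate, truststore has a trusted entry"
}
```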
My own example
(1) Summary of usage:
A keystore is like a database. For each operation, specify the keystore name and password and the alias of the entry to operate on, for example:
..... -alias aaa -keystore jserver.keystore -storepass 123456
General format of an operation:
keytool + operation type [-genkey, -list -v, -printcert -file, -import -file, -export -file, -delete, -keypasswd -new, -storepasswd -new] + the options in the format above.
(2) Example
C:\keytool>keytool -genkey -alias jason -keystore jserver.keystore -keyalg RSA
Enter keystore password: 1234
Keystore password is too short - must be at least 6 characters
Enter keystore password: 123456
What is your first and last name?
  [Unknown]: huang
What is the name of your organizational unit?
  [Unknown]: access
What is the name of your organization?
  [Unknown]: access
What is the name of your City or Locality?
  [Unknown]: sz
What is the name of your State or Province?
  [Unknown]: GD
What is the two-letter country code for this unit?
  [Unknown]: china
Is CN=huang, OU=access, O=access, L=sz, ST=GD, C=china correct?
  [no]: y
Enter key password for <jason>
        (RETURN if same as keystore password): 74123
Key password is too short - must be at least 6 characters
Enter key password for <jason>
        (RETURN if same as keystore password): 456789
C:\keytool>keytool -list -v -keystore jserver.keystore
Enter keystore password: 123456
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: jason
Creation date: 2009-6-24
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=huang, OU=access, O=access, L=sz, ST=GD, C=china
Issuer: CN=huang, OU=access, O=access, L=sz, ST=GD, C=china
Serial number: 4a40fd0f
Valid from: Wed June 00:04:31 CST 2009 until: Tue Sep 00:04:31 CST 2009
Certificate fingerprints:

C:\keytool>keytool -export -alias jason -keystore jserver.keystore -rfc -file jasonfile
Enter keystore password: 123456
Certificate stored in file <jasonfile>
C:\keytool>keytool -export -alias jason -keystore jserver.keystore -storepass 123456 -rfc -file jasonfile2
Certificate stored in file <jasonfile2>
C:\keytool>keytool -export -alias jason -keystore jserver.keystore -storepass 123456 -rfc -file jasonfile.cer
Certificate stored in file <jasonfile.cer>
