Keytool is a security key and certificate management tool. It manages a key store (equivalent to a database) that stores private keys and verifies the corresponding public keys associated with them ). |
Keytool is a valid security key and certificate management tool. it enables users to use digital signatures to manage their own private/public key pairs, manage certificates used for self-identification, and manage data integrity and authentication services. it also enables users to cache their public keys during communication. |
A certificate is a digital signature of an entity (individual, company, etc.), indicating the detailed value of the public key (or other information) of another entity. after the data is signed, the signature information is used to verify the integrity and authenticity of the data. integrity index data has not been modified or tampered with, and authenticity index data has been transferred from any party that generates and signs the data. |
Keytool stores the key and certificate to a keystore. The keystore is a file which uses a password to protect the key. |
Another tool, jarsigner, uses the information in the keystore to generate or test the digital signature in the Java archive (JAR file. |
The keystore has two different portals: |
1. key entry: stores very sensitive Encrypted Key Information and stores it in a protected format to prevent unauthorized access. the key stored in this form is a secret key or a private key corresponding to the public key in the certificate chain. |
2. trusted certificate entry: contains a single public key certificate for other parts. it is called "trusted Certificate" because the public key in the certificate trusted by the keystore truly belongs to the identity of the certificate owner. |
All keystore portals (key and trust certificate portals) are accessed through a unique alias. aliases are case-insensitive. For example, aliases Hugo and Hugo point to the same keystore portal. |
You can use the-genkey parameter when adding an entry to the keystore to generate a key pair (Public Key and private key) and specify the alias. you can also use the-import parameter to add a certificate or certificate chain to the trusted certificate. |
Keytool-genkey-alias Duke-keypass dukekeypasswd |
Duke is the alias and dukekeypasswd is the password of the duke alias. This command is used to generate a new public/private key pair. |
If you want to change the password, you can use: |
Keytool-keypasswd-alias Duke-keypass dukekeypasswd-New newpass |
Change the old password dukekeypasswd to newpass. |
1. when the-genkey,-import, or-identitydb command is used to add data to a keystore, And the keystore does not exist, a keystore is generated. the default name is. keystore, which is stored in the user-home directory. |
2. When-keystore is used, the specified keystore will be generated. |
The keytool class is located in Java. under the security package, a very good interface is provided to obtain and modify information in a keystore. currently, there are two command lines: keytool and jarsinger. a gui tool policy can implement keystore. because the keystore is public, you can use it to write additional security applications. |
Keystore also has an internal implementation provided by Sun. it uses keystore as a file. A keystore type (Format) "jks" is used ". it uses a separate password to protect every private key. different passwords may also be used to protect the integrity of the entire keystore. |
Supported algorithms and key sizes: |
Keytool allows you to specify the key pair and the signature algorithm provided by the Registry. the default key pair generation algorithm is "DSA ". if the private key is of the "DSA" type, the default signature algorithm is "sha1withdsa". If the private key is of the "RSA" type, the default algorithm is "md5withrsa ". |
When a DSA key pair is generated, the key must be between 512-1024 bits. The default key size for any algorithm is 1024 bits. |
A certificate is a digital signature of an entity, indicating that the public keys of other entities have clear values. |
1. Public Key: it is a digital Association of the same detailed entity, and intends to let all other entities that want to have a trust relationship with this entity know. The public key is used to test the signature; |
2. Digital Signature: if the data has been signed and stored in an entity with an identity, a signature can prove that the entity knows the data. The data is signed and submitted using the entity's private key; |
3. Identity: Methods for knowing entities. In some systems, identity is a public key. In other systems, it can be anything from the Unix uid of an X.509 email address; |
4. Signature: a signature is calculated using the entity private key; |
5. private Key: a number. Each private key can only be known by a specific entity that owns the private key. private and public keys exist in key pairs of all systems encrypted with public keys. A public key is encrypted (such as DSA), and a private key communicates with a correct public key. the private key is used to calculate the signature. |
6. entity: an entity can be a person, an organization, a program, a computer, a business, a bank, or something else you want to trust. |
Keytool application instance: |
Keytool-genkey-alias user (keystore alias)-keyalg RSA-validity 7-keystore (specified keystore ). |
When you run this command, the system prompts: |
Enter keystore password: yourpassword (enter the password) |
What is your first and last name? |
[UNKNOWN]: Your name (enter your name) |
What is the name of your organizational unit? |
[UNKNOWN]: Your organizational (enter the name of your organization) |
What is the name of your organization? |
[UNKNOWN]: Your Organization Name (enter the name of your organization) |
What is the name of your city or locality? |
[UNKNOWN]: Your city name (enter the name of the city) |
What is the name of your state or province? |
[UNKNOWN]: Your Provice name (enter the name of the Province) |
What is the two-letter country code for this unit? |
[UNKNOWN]: CN (name of the input country) |
Is Cn = your name, ou = Your organizaion, O = "your organization name ", |
L = your city name, St = your province name, c = cn correct? |
Enter keystore password: Your password (enter password) |
The keystore content is displayed as follows: |
Your keystore contains 1 entry |
Creation date: Dec 20,200 1 |
Certificate Chain Length: 1 |
Owner: Cn = yourname, ou = your organization, O = "your organization name ", |
L = your city name, St = your province name, c = Cn |
Issuer: Cn = Duke, ou = Java software, O = "Sun Microsystems, Inc.", L = Palo Alto, St = Ca, c = us |
Valid from: Thu DEC 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001 |
Certificate fingerprints: |
MD5: F1: 5b: 9B: A1: F7: 16: Cf: 25: Cf: F4: FF: 35: 3f: 4C: 9C: F0 |
Sha1: B2: 00: 50: DD: B6: CC: 35: 66: 21: 45: 0f: 96: AA: AF: 6a: 3D: e4: 03: 7c: 74 |
3. Output The keystore to a file: testkey: |
Keytool-export-alias Duke-keystore-RFC-file testkey |
Enter keystore password: Your password (enter password) |
Certificate stored in file |
4. Enter the certificate to a new truststore: |
Keytool-import-alias dukecert-file testkey-keystore truststore |
Enter keystore password: Your new password. (enter the new truststore password) |
Keytool-list-v-keystore truststore |
The system displays truststore information. |
Now you can use the appropriate keystore to run your application. For example: |
Java -djavax.net. SSL. keystore = keystore -djavax.net. SSL. keystorepassword = PASSWORD Server |
And: Java -djavax.net. SSL. truststore = truststore |
-Djavax.net. SSL. truststorepassword = trustword Client |
|