keytool is the security key and certificate management tool. It manages a keystore (the equivalent of a database) that stores private keys together with the X.509 certificate chains of their corresponding public keys, so that a private key can be verified to belong with its certificate chain.
keytool lets users manage their own public/private key pairs and the associated certificates, which are used for self-authentication (proving their identity to other users or services) and for data integrity and authentication services based on digital signatures. It also lets users cache the public keys (as certificates) of the parties they communicate with.
A certificate is a digitally signed statement by one entity (a person, company, etc.) that the public key (or some other information) of another entity has a particular value. When data is signed, the signature is used to check the data's integrity and authenticity. Integrity means the data has not been modified or tampered with; authenticity means the data really was produced and sent by the party that claims to have signed it.
keytool stores keys and certificates in a keystore. The default keystore implementation is a file, protected by a password.
jarsigner is the companion tool: it uses the information in a keystore to generate, or to verify, digital signatures on Java ARchive (JAR) files.
A keystore has two different kinds of entry:
1. Key entry (PrivateKeyEntry): holds very sensitive cryptographic key information, stored in a protected format to prevent unauthorized access. The key stored in this kind of entry is either a secret key, or a private key accompanied by the certificate chain of the corresponding public key.
2. Trusted certificate entry (TrustedCertEntry): contains a single public key certificate belonging to another party. It is called a "trusted certificate" because the keystore owner trusts that the public key in the certificate really belongs to the identity named as the certificate's owner.
All keystore entries (key entries and trusted certificate entries) are accessed through a unique alias. Aliases are not case sensitive: the aliases haha and HaHa refer to the same keystore entry.
You add an entry to the keystore by specifying an alias when you generate a key pair (a public key and a private key) with the -genkey option. You can also use the -import option to add a certificate or certificate chain to the trusted certificates.
keytool -genkey -alias duke -keypass dukekeypasswd
Here duke is the alias and dukekeypasswd is the password protecting the key stored under that alias. This command generates a new public/private key pair.
To change that key password, use:
keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
This changes the old password dukekeypasswd to newpass.
1. When the -genkey, -import or -identitydb command adds data to a keystore that does not exist yet, the keystore is created. Its default name is .keystore, stored in the user's home directory.
2. When a keystore is specified with -keystore, that keystore is used (and created if it does not exist).
The KeyStore class in the java.security package provides a well-defined interface for obtaining and modifying the information in a keystore.
There are two command-line tools, keytool and jarsigner, and a GUI tool, Policy Tool, that work with keystores. Because the keystore format is open, users can also write additional security applications that use it.
Sun provides a built-in keystore implementation. It implements the keystore as a file, using a proprietary keystore type (format) called "JKS". It protects each private key with its own password, and also protects the integrity of the whole keystore with a (possibly different) password.
Supported algorithms and key sizes:
keytool lets users specify any key pair generation and signature algorithm supplied by a registered cryptographic service provider. The default key pair generation algorithm is "DSA". If the private key is of type "DSA", the default signature algorithm is "SHA1withDSA"; if the private key is of type "RSA", the default signature algorithm is "MD5withRSA".
When generating a DSA key pair, the key size must be between 512 and 1024 bits. For every algorithm the default key size is 1024 bits.
A certificate is a digitally signed statement by one entity saying that the public key of some other entity has a particular value. The terms involved:
1. Public key: a number associated with a particular entity, intended to be known to everyone who needs to trust that entity. The public key is used to verify signatures;
2. Digital signature: if data has been signed and stored together with the signer's identity, the signature proves that the entity knew the data. The data is signed with the entity's private key and then submitted;
3. Identity: a known way of addressing an entity. In some systems the identity is the public key; in other systems it can be anything from an X.509 name to an e-mail address to a Unix UID;
4. Signature: a value computed over some data with the private key of the signing entity;
5. Private key: a number that should be known only to the specific entity that owns it. In every public-key cryptosystem, private and public keys come in pairs. For a typical public-key cryptosystem (such as DSA), one private key corresponds to exactly one public key. The private key is used to compute signatures;
6. Entity: a person, an organization, a program, a computer, a business, a bank, or anything else you may want to trust.
1. Generate a keystore:
keytool -genkey -alias User -keyalg RSA -validity 7 -keystore keystore
(User is the keystore alias; -keystore names the keystore file.)
When you run this command, the system prompts:
Enter keystore password: yourpassword (enter a password)
What is your first and last name?
[Unknown]: your name (enter your name)
What is the name of your organizational unit?
[Unknown]: your organizational unit (enter the name of your organizational unit)
What is the name of your organization?
[Unknown]: your organization name (enter the name of your organization)
What is the name of your City or Locality?
[Unknown]: your city name (enter city name)
What is the name of your State or Province?
[Unknown]: your province name (enter the name of your state or province)
What is the two-letter country code for this unit?
[Unknown]: cn (enter the two-letter country code)
Is CN=your name, OU=your organizational unit, O="your organization name",
L=your city name, ST=your province name, C=cn correct?
2. Check a keystore:
Enter keystore password: your password (enter the password)
The keystore contents are displayed, for example:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: yourname
Creation date: Dec 20, 2001
Entry type: keyEntry
Certificate chain length: 1
Owner: CN=yourname, OU=your organization, O="your organization name",
L=your city name, ST=your province name, C=CN
Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
Serial number: 3c22adc1
Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
3. Export the certificate to a file, testcert.cer:
keytool -export -alias duke -keystore keystore -rfc -file testcert.cer
Enter keystore password: your password (enter the password)
Certificate stored in file <testcert.cer>
4. Import the certificate into a new truststore:
keytool -import -alias dukecert -file testcert.cer -keystore truststore
Enter keystore password: your new password (enter a new password for the truststore)
5. Check the truststore:
The system displays the truststore information.
You can now run your application with the keystore and truststore, for example:
java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=password ServerClass
and:
java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword Client
6. Print a certificate:
7. Generate a certificate signing request:
keytool -certreq -alias dukecert -keyalg RSA -file dukecertreq.csr -keystore truststore -storepass password_here
This generates a certificate signing request file, dukecertreq.csr, in the current directory. It is a PEM-style text file whose Base64 body sits between a -----BEGIN NEW CERTIFICATE REQUEST----- line and an -----END NEW CERTIFICATE REQUEST----- line.
Submit dukecertreq.csr to a certificate authority such as VeriSign. The certification body will verify your identity and then send you one certificate, or a chain of certificates.
This article comes from the CSDN blog; when reproducing it, please credit: http://blog.csdn.net/tohmin/archive/2008/12/08/3474633.aspx
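The same walk-through done through the java.security KeyStore API mentioned earlier, as an added example that is not part of the original article: it opens the keystore from step 1, reports each entry's kind (key entry or trusted certificate entry) and its fingerprints as the step 2 listing shows, writes the certificate in the -rfc PEM form of step 3, and imports it into a truststore as in step 4. The file names keystore, truststore and testcert.cer, the aliases duke and dukecert, and the passwords are assumptions taken from the article's commands; the keystore must already contain a key entry under the alias duke.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Collections;
public class KeystoreWalkthrough {
    // Assumed values taken from the article's commands; replace the passwords with your own.
    static final char[] STORE_PASS = "yourpassword".toCharArray();
    static final char[] TRUST_PASS = "trustword".toCharArray();
    // Colon-separated hex digest of the DER certificate, the layout "keytool -list -v" prints.
    static String fingerprint(String algorithm, Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
    // Same text "keytool -export -rfc" writes: the DER certificate as Base64 between PEM markers.
    static String toPem(Certificate cert) throws Exception {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                .encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("keystore")) { ks.load(in, STORE_PASS); }
        // Step 2: report each entry's kind (key entry or trusted certificate entry) and fingerprints.
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            Certificate cert = ks.getCertificate(alias);   // first certificate of the chain for key entries
            System.out.println(alias + ": " + kind + ", created " + ks.getCreationDate(alias));
            System.out.println("  MD5:  " + fingerprint("MD5", cert));
            System.out.println("  SHA1: " + fingerprint("SHA-1", cert));
        }
        System.out.println("alias DUKE found? " + ks.containsAlias("DUKE")); // aliases are case-insensitive
        // Step 3: export only the public certificate, never the private key, to testcert.cer.
        Certificate dukeCert = ks.getCertificate("duke");
        Files.write(Paths.get("testcert.cer"), toPem(dukeCert).getBytes(StandardCharsets.US_ASCII));
        // Step 4: create an empty truststore and add the certificate as a trusted certificate entry.
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);
        ts.setCertificateEntry("dukecert", dukeCert);
        try (FileOutputStream out = new FileOutputStream("truststore")) { ts.store(out, TRUST_PASS); }
    }
}
```

The truststore written here holds only the public certificate, so it can be handed to the client side from step 5 without exposing the private key that stays in the keystore.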