The role of the Java keytool and how to use it

2010-12-13  Source: original to this site  Category: Java  Views: 131

Keytool is a key and certificate management tool. It manages a keystore (the equivalent of a database) that holds private keys together with the X.509 certificate chains attesting to the corresponding public keys.
Keytool lets users manage their own public/private key pairs and the associated certificates, which are used for self-authentication (by digital signature), for data integrity, and for authentication services. It also lets users store (cache) the public keys of the parties they communicate with, in the form of certificates.
A certificate is a digitally signed statement by one entity (a person, company, etc.) that the public key (or other information) of another entity has a particular value. When data is signed, the signature is used to check the data's integrity and authenticity. Integrity means the data has not been modified or tampered with; authenticity means the data really originated from, and was transmitted by, the party that claims to have signed it.
Keytool stores keys and certificates in a keystore. The default keystore implementation is a file, in which private keys are protected by a password.
Jarsigner is a companion tool that uses the information in a keystore to generate or verify digital signatures on Java ARchive (JAR) files.
A keystore has two kinds of entry:
1. Key entry (PrivateKeyEntry): holds very sensitive cryptographic key material, stored in a protected format to prevent unauthorized access. The key stored here is either a secret key, or a private key together with the certificate chain for the corresponding public key.
2. Trusted certificate entry (TrustedCertificateEntry): contains a single public-key certificate belonging to another party. It is called a "trusted certificate" because the keystore owner trusts that the public key in the certificate really belongs to the identity named as the certificate's subject.
Keystore aliases:
Every keystore entry (key entry or trusted certificate entry) is accessed through a unique alias. Aliases are case-insensitive: the aliases haha and HaHa refer to the same keystore entry.
You add an entry to the keystore by specifying an alias when you generate a key pair (a public key and a private key) with -genkey, or when you add a certificate or certificate chain to the trusted certificates with -import.
For example:
keytool -genkey -alias duke -keypass dukekeypasswd
Here duke is the alias and dukekeypasswd is the password protecting the key stored under alias duke. This command generates a new public/private key pair.
To change that key password, use:
keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
This changes the old password dukekeypasswd to newpass.

Keystore generation:
1. When -genkey, -import or -identitydb is used to add data to a keystore that does not exist yet, the keystore is created. The default name is .keystore, stored in the user's home directory.
2. When -keystore is specified, the named keystore is created instead.
Keystore implementation:
The KeyStore class in the java.security package provides a well-defined interface for reading and modifying the information in a keystore.

Two command-line tools (keytool and jarsigner) and one GUI tool (Policy Tool) make use of the keystore. Because KeyStore is a public API, users can also write additional security applications against it.

Sun provides a built-in keystore implementation. It implements the keystore as a file, using a proprietary keystore type (format) named "JKS". It protects each private key with its own password, and may use a separate password to protect the integrity of the keystore as a whole.
Supported algorithms and key sizes:
keytool lets users specify any key-pair generation and signature algorithm supplied by a registered cryptographic service provider. The default key-pair generation algorithm is "DSA". If the private key is of type "DSA", the default signature algorithm is "SHA1withDSA"; if the private key is of type "RSA", the default signature algorithm is "MD5withRSA".
When generating a DSA key pair, the key size must be between 512 and 1024 bits. For any algorithm, the default key size is 1024 bits.

Certificate:
A certificate is a digitally signed statement by one entity that the public key of another entity has a particular value.
1. Public key: a number associated with a particular entity, intended to be known to everyone who needs to trust that entity. The public key is used to verify signatures;
2. Digital signature: when data is signed, it is stored together with the identity of an entity and a signature proving that the entity knows the data. The data is signed with the entity's private key;
3. Identity: a known way of addressing an entity. In some systems the identity is the public key itself; in others it can be anything from an X.509 name to an e-mail address to a Unix UID;
4. Signature: a value computed over some data with the private key of an entity (the signer);
5. Private key: a number that only the specific entity owning it is supposed to know. In every public-key cryptosystem, private and public keys exist in pairs; in a typical public-key cryptosystem (such as DSA), a private key corresponds to exactly one public key. The private key is used to compute signatures;
6. Entity: an entity can be a person, an organization, a program, a computer, a business, a bank, or anything else you want to trust to some degree.

Keytool examples:
1. Generate a keystore:
keytool -genkey -alias User -keyalg RSA -validity 7 -keystore keystore
(User is the keystore alias; -keystore names the keystore file.)
When this command runs, the system prompts:
Enter keystore password: yourpassword (enter a password)
What is your first and last name?
[Unknown]: your name (enter your name)
What is the name of your organizational unit?
[Unknown]: your organizational unit (enter the name of your organizational unit)
What is the name of your organization?
[Unknown]: your organization name (enter the name of your organization)
What is the name of your City or Locality?
[Unknown]: your city name (enter your city name)
What is the name of your State or Province?
[Unknown]: your province name (enter your province name)
What is the two-letter country code for this unit?
[Unknown]: cn (enter a two-letter country code)
Is CN=your name, OU=your organizational unit, O="your organization name",
L=your city name, ST=your province name, C=cn correct?
[No]: yes

2. List a keystore:
keytool -list -v -keystore keystore
Enter keystore password: your password (enter the password)
The keystore contents are displayed, for example:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: yourname
Creation date: Dec 20, 2001
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=yourname, OU=your organization, O="your organization name",
L=your city name, ST=your province name, C=CN
Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
Serial number: 3c22adc1
Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
MD5:  F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
3. Export the certificate from the keystore to a file, testcert.cer:
keytool -export -alias duke -keystore keystore -rfc -file testcert.cer
System output:
Enter keystore password: your password (enter the password)
Certificate stored in file <testcert.cer>
4. Import the certificate into a new truststore:
keytool -import -alias dukecert -file testcert.cer -keystore truststore
Enter keystore password: your new password (enter a new password for the truststore)

5. List the truststore:
keytool -list -v -keystore truststore
The system displays the truststore information.
You can now run your application with the appropriate keystore, for example:
java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=password ServerClass
and:
java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword Client

6. Print a certificate:

keytool -printcert -v -file testcert.cer

7. Generate a certificate signing request:

keytool -certreq -alias dukecert -keyalg RSA -file dukecertreq.csr -keystore truststore -storepass password_here

This generates a certificate signing request file, dukecertreq.csr, in the current directory:

***********************************************************************************

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBsjCCARsCAQAwcjELMAkGA1UEBhMCTVkxCzAJBgNVBAgTAktMMQswCQYDVQQHEwJLTDEXMBUG
A1UEChMOSVBGUmVtb3RlQWdlbnQxFzAVBgNVBAsTDklQRlJlbW90ZUFnZW50MRcwFQYDVQQDEw5J
UEZSZW1vdGVBZ2VudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkYR2T6Uuum0pJy7BnNjN
XH20f8DDiJzGaHbcj0o714l1MBjRX+gahNvTzoJLcW9r7DIcmRf2zj0ha7CW34emSXKdkLEryW3i
pBN0CKCvWMProgiy5YhqiheKGZt3zrM++BqNl8V7RO3UIFYe9lh1JEwwYPSvENBmyf92J2vCUd0C
AwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAITJQp+pxueJ4XdUfsMvWH+5pZF2wVGmRkUnKmCpp/xn
JH+bka1bUSDRXY0gOMhwn/tfcrriZfW/oHXYao0yBOcGoCLq6Ce/l8BPdkJFHzzQVRlmS2dqUYq1
P9/gDk4lX5HS8mFYQAyahW1p+N1qCdGhD3NCz47BPRZy0qnph2KH
-----END NEW CERTIFICATE REQUEST-----

***********************************************************************************

Submit dukecertreq.csr to a certificate authority such as VeriSign. The CA verifies your identity and then sends you back one certificate or a chain of certificates.
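The seven steps above are written for an interactive session. The script below is an added example, not part of the original article, that runs the same keystore/truststore round trip non-interactively: -dname replaces the CN/OU/O/L/ST/C prompts, -noprompt answers the "Trust this certificate?" question, and the store and key passwords are passed on the command line. It assumes a JDK keytool is on PATH; every password, distinguished-name value and file name is a constructed placeholder, and the scratch directory comes from mktemp. Two caveats it encodes: the DSA/1024-bit/MD5withRSA defaults quoted above come from older JDKs, so the key algorithm and size are given explicitly (RSA, 2048 bits); and -certreq can only be run against an alias that holds a private key, so the request is made from the duke key entry in the keystore rather than from the trusted-certificate entry in the truststore. -storetype JKS is used because JKS is the format the article describes and because it allows a key password distinct from the store password (the -keypasswd step); JDK 9 and later default to PKCS12 and print a warning about JKS, which does not affect the exit status.

```shell
#!/bin/sh
# Added example (not from the original article): steps 1-7 above, run
# non-interactively so the whole keystore/truststore round trip can be scripted.
# Assumptions: a JDK keytool is on PATH; every password, -dname value and
# file name below is a constructed placeholder, not a value from the article.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch directory for the stores
STOREPASS='storepass-example'           # protects the keystore's integrity
KEYPASS='dukekeypasswd'                 # per-key password, as in the article
NEWKEYPASS='newpass'                    # new key password, as in the article
TRUSTPASS='trustword-example'           # protects the truststore's integrity
DNAME='CN=your name, OU=your organizational unit, O=your organization name, L=your city name, ST=your province name, C=cn'

# Step 1: key pair plus self-signed certificate under alias "duke".
# -dname replaces the interactive prompts; -storetype JKS is the format the
# article describes and allows a key password different from the store password.
generate_keystore() {
  keytool -genkeypair -alias duke -keyalg RSA -keysize 2048 -validity 7 \
    -dname "$DNAME" -storetype JKS -keystore "$WORK/keystore" \
    -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# The -keypasswd example above: only the key password changes, the store
# password stays the same, which is why both are still needed later.
change_key_password() {
  keytool -keypasswd -alias duke -keypass "$KEYPASS" -new "$NEWKEYPASS" \
    -keystore "$WORK/keystore" -storepass "$STOREPASS"
}

# Steps 3 and 4: export the certificate in PEM (-rfc) form and import it into
# a separate truststore as a trusted-certificate entry. -noprompt answers the
# "Trust this certificate?" question an interactive run would ask.
export_and_import() {
  keytool -exportcert -alias duke -rfc -file "$WORK/testcert.cer" \
    -keystore "$WORK/keystore" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias dukecert -file "$WORK/testcert.cer" \
    -storetype JKS -keystore "$WORK/truststore" -storepass "$TRUSTPASS"
}

# Step 7: a CSR can only be produced for an alias that holds a private key,
# so it is requested from the "duke" key entry, not from the truststore.
make_csr() {
  keytool -certreq -alias duke -file "$WORK/dukecertreq.csr" \
    -keystore "$WORK/keystore" -storepass "$STOREPASS" -keypass "$NEWKEYPASS"
}

# Steps 2 and 5: read "Your keystore contains N entr..." from -list output.
count_entries() {   # $1 = store path, $2 = store password
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null |
    sed -n 's/^Your keystore contains \([0-9]*\) entr.*/\1/p'
}

# Step 6: the fingerprint -printcert shows for the exported file must match
# the one -list -v shows for the entry; whitespace is stripped before comparing.
sha256_in_store() {
  keytool -list -v -alias duke -keystore "$WORK/keystore" -storepass "$STOREPASS" 2>/dev/null |
    grep 'SHA256:' | head -n 1 | tr -d ' \t'
}
sha256_in_file() {
  keytool -printcert -file "$WORK/testcert.cer" 2>/dev/null |
    grep 'SHA256:' | head -n 1 | tr -d ' \t'
}

# The store password guards integrity: a wrong one must make -list fail
# rather than silently show (possibly tampered) contents.
wrong_password_rejected() {
  if keytool -list -keystore "$WORK/keystore" -storepass 'not-the-password' >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

run_all() {
  generate_keystore
  change_key_password
  export_and_import
  make_csr
  [ "$(count_entries "$WORK/keystore" "$STOREPASS")" = 1 ]
  [ "$(count_entries "$WORK/truststore" "$TRUSTPASS")" = 1 ]
  [ "$(sha256_in_store)" = "$(sha256_in_file)" ]
  wrong_password_rejected
  grep -q 'BEGIN NEW CERTIFICATE REQUEST' "$WORK/dukecertreq.csr"
  echo "keystore, truststore and CSR written under $WORK"
}

if command -v keytool >/dev/null 2>&1; then
  run_all
else
  echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

Each check in run_all corresponds to a claim in the article: one entry in each store, matching fingerprints between the keystore entry and the exported file, a CSR in the PEM form shown above, and rejection of a wrong store password, which is the integrity protection described under "Keystore implementation".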

This article comes from a CSDN blog; when reproducing it, please credit: http://blog.csdn.net/tohmin/archive/2008/12/08/3474633.aspx
