EC Cryptography Tutorials - Herong's Tutorial Examples - v1.03, by Herong Yang
"keytool -keyalg EC" - Generate EC Key Pair
This section provides a tutorial example on how to use 'keytool' provided in the JDK (Java Development Kit) package to generate EC private-public key pairs using the 'keytool -genkeypair -keyalg EC' command.
What Is "keytool"? "keytool" is a cryptography tool provided in the JDK (Java Development Kit) package. It allows you to generate private-public key pairs and manage certificates using different technologies, including EC cryptography.
If you have JDK installed on your computer, you can follow this tutorial to generate EC private-public key pairs using the "keytool -genkeypair -keyalg EC" command.
1. Generate an EC private-public key pair and save it in a Keystore file, herong.jks. As you can see from the output, a 256 bit EC key pair is generated from the elliptic curve called "secp256r1". The public key is also packaged in a self-signed certificate.
herong> keytool -genkeypair -keyalg EC -alias 1st_ec -keystore herong.jks
Enter keystore password: HerongJKS
Re-enter new password: HerongJKS
What is your first and last name?
[Unknown]: Herong
What is the name of your organizational unit?
[Unknown]: My Unit
What is the name of your organization?
[Unknown]: My Home
What is the name of your City or Locality?
[Unknown]: My City
What is the name of your State or Province?
[Unknown]: My State
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US correct?
[no]: yes
Generating 256 bit EC (secp256r1) key pair and self-signed certificate
(SHA256withECDSA) with a validity of 90 days
for: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
herong> dir
1,190 herong.jks
... ...
2. List contents in the Keystore file, herong.jks. The output shows 1 PrivateKeyEntry, "1st_ec", which holds the EC private-public key pair and a self-signed certificate.
herong> keytool -list -keystore herong.jks -storepass HerongJKS
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
1st_ec, Jan 1, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:04:17:D5:BE:BC:B7:46:D2:B6:...
3. Extract the self-signed certificate into a certificate file, 1st_ec.crt.
herong> keytool -export -alias 1st_ec -file 1st_ec.crt \
-keystore herong.jks -storepass HerongJKS
herong> dir
1,190 herong.jks
499 1st_ec.crt
4. Print summary of the certificate. The output confirms that the public key is a 256-bit EC (secp256r1) key.
herong> keytool -printcert -file 1st_ec.crt
Owner: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
Issuer: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
Serial number: c19df5ff30423d7d
Valid from: Jan 1 14:35:36 CST 2022 until: Apr 1 14:35:36 CST 2022
Certificate fingerprints:
  SHA1: 87:96:0A:13:C1:3E:DA:48:AC:9B:25:4E:2B:42:AD:12:C2:3B:40:0C
  SHA256: 11:04:17:D5:BE:BC:B7:46:D2:B6:...
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...
]
]
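The four steps above can also be run without prompts and without putting the keystore password in a command-line argument. The script below is an added example, not part of the original tutorial. The function names, the KS_PASS variable and the ec_keystore.sh file name are hypothetical, and it assumes a JDK whose keytool supports -groupname.

```sh
#!/bin/sh
# Added example, not from the tutorial. new_ec_entry, check_printcert, pc_field,
# sample_printcert and the KS_PASS variable are hypothetical names.

# Steps 1 and 3 without prompts. The keystore password is read from the
# KS_PASS environment variable (-storepass:env), so it is not passed as a
# command-line argument the way "-storepass HerongJKS" is.
new_ec_entry() {  # usage: new_ec_entry KEYSTORE ALIAS DNAME CERT_FILE
  keytool -genkeypair -keyalg EC -groupname secp256r1 -alias "$2" \
    -dname "$3" -validity 90 -keystore "$1" -storepass:env KS_PASS &&
  keytool -exportcert -alias "$2" -file "$4" \
    -keystore "$1" -storepass:env KS_PASS
}

# Print the value of one "Name: value" line of the text held in $PRINTCERT.
pc_field() { printf '%s\n' "$PRINTCERT" | sed -n "s/^$1: //p"; }

# Step 4 as a check: read `keytool -printcert` text on stdin and return
# non-zero unless the key and signature algorithms are the expected ones.
check_printcert() {
  PRINTCERT=$(cat)
  key=$(pc_field 'Subject Public Key Algorithm')
  sig=$(pc_field 'Signature algorithm name')
  if [ "$(pc_field Owner)" = "$(pc_field Issuer)" ]; then
    echo "NOTE: self-signed (Owner equals Issuer)"
  fi
  [ "$key" = "256-bit EC (secp256r1) key" ] || { echo "FAIL: key is '$key'"; return 1; }
  [ "$sig" = "SHA256withECDSA" ] || { echo "FAIL: signature is '$sig'"; return 1; }
  echo "OK: $key, $sig"
}

# Sample input: the relevant lines of the step 4 output shown on this page.
sample_printcert() {
  cat <<'EOF'
Owner: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
Issuer: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
EOF
}

# Full flow, run only on request with KS_PASS already exported:
#   sh ec_keystore.sh run
if [ "${1:-}" = run ]; then
  new_ec_entry herong.jks 1st_ec \
    "CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US" 1st_ec.crt &&
    keytool -printcert -file 1st_ec.crt | check_printcert
fi
```

The explicit -groupname pins the curve to the secp256r1 shown in the tutorial output instead of relying on the keytool default.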
What you can do with this EC private-public key pair in the Keystore file: