Migrating Keys from 'keytool' to 'OpenSSL'
(Continued from previous part...)
"keytool" Exporting PrivateKeyEntry
After generating my key pair with the "keytool -genkeypair" command,
I got a PrivateKeyEntry inside the keystore file, herong.jks.
So I tried to export it using the "keytool -exportcert" command
as shown in the following command session:
>keytool -exportcert -alias herong_key -keypass keypass
-keystore herong.jks -storepass jkspass -file herong.crt
-rfc
Certificate stored in file <herong.crt>
>type herong.crt
-----BEGIN CERTIFICATE-----
MIIDODCCAvagAwIBAgIERqplETALBgcqhkjOOAQDBQAwfzELMAkGA1UE...
...
Cgfs2kXj/IQCFDC5GT5IrLTIFxAyPUo1tJo2DPkK
-----END CERTIFICATE-----
Cool. A certificate was exported.
I am not going to explain all the command options used above, because they were explained
in previous chapters. But I want to mention the "-rfc" option:
- "-rfc" tells "keytool" to write the output certificate in the "Base 64 encoding" form
described in the "RFC 1421 Certificate Encoding Standard".
Without the "-rfc" option, "keytool" writes the certificate in a binary form, which is
much harder to transfer.
I got this certificate exported from the PrivateKeyEntry of my key pair.
But what is in this certificate? I will use the "keytool -printcert" command
to look into this certificate in the next section.
"keytool" Printing Certificate Details
With the "keytool -exportcert" command, I got a certificate, herong.crt, exported
from the PrivateKeyEntry of my key pair. Now I want to see some details of this
certificate with the "keytool -printcert" command as shown below:
>keytool -printcert -file herong.crt
Owner: CN=Herong Yang, OU=Herong Unit, O=Herong Company,
L=Herong City, ST=Herong State, C=CA
Issuer: CN=Herong Yang, OU=Herong Unit, O=Herong Company,
L=Herong City, ST=Herong State, C=CA
Serial number: 46aa6511
Valid from: Sun Apr 1 17:35:13 EDT 2007
until: Sat Jun 30 17:35:13 EDT 2007
Certificate fingerprints:
MD5: 0C:54:AE:99:4E:3D:F7:A9:79:1A:93:83:0F:EF...
SHA1: CA:23:1C:D4:F9:74:84:4C:16:F7:E7:AB:B1:08...
Signature algorithm name: SHA1withDSA
Version: 3
OK. Now I know that:
- This certificate, herong.crt, is a self-signed certificate of my public key.
- The certificate is valid for 90 days only.
- The "keytool -exportcert" command does not export the key pair itself.
- What I said earlier, that "keytool cannot be used to generate a self-signed certificate", was wrong.
After this test, I read the Java manual again. It explains clearly what exactly "keytool -genkeypair"
does: "Generates a key pair (a public key and associated private key).
Wraps the public key into an X.509 v3 self-signed certificate,
which is stored as a single-element certificate chain.
This certificate chain and the private key are stored in a new keystore entry identified by alias."
So the "PrivateKeyEntry" in the keystore file has two components: my key pair and my self-signed
public key certificate.
The "keytool -exportcert" command exports only the self-signed certificate; the key pair is not exported.
The next question is whether this certificate generated by "keytool" can be viewed by "OpenSSL".
See the next section for the answer.
"OpenSSL" Viewing "keytool" Generated Certificates
From the previous section, I have my self-signed certificate generated by "keytool".
The certificate is stored in the RFC 1421 (Base 64) format.
Now I want to try to view this certificate with the "openssl x509" command
as shown below:
>openssl x509 -in herong.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1185572113 (0x46aa6511)
Signature Algorithm: dsaWithSHA1
Issuer: C=CA, ST=Herong State, L=Herong City,
O=Herong Company, OU=Herong Unit, CN=Herong Yang
Validity
Not Before: Apr 1 21:35:13 2007 GMT
Not After : Jun 30 21:35:13 2007 GMT
Subject: C=CA, ST=Herong State, L=Herong City,
O=Herong Company, OU=Herong Unit, CN=Herong Yang
Subject Public Key Info:
Public Key Algorithm: dsaEncryption
DSA Public Key:
pub:
00:b0:61:2b:c1:88:0e:19:66:58:37:b5:...
...
P:
00:fd:7f:53:81:1d:75:12:29:52:df:4a:...
...
Q:
00:97:60:50:8f:15:23:0b:cc:b2:92:b9:...
...
G:
00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:...
...
Signature Algorithm: dsaWithSHA1
30:2c:02:14:6c:21:f3:43:b5:4f:d5:3d:2e:23:89:45:0...
...
What I learned from this test:
- Certificates generated by "keytool" are compatible with "OpenSSL".
- "openssl x509" provides many more certificate details than the "keytool -printcert" command.
- "keytool -genkeypair" uses the DSA algorithm by default to generate the private key and public key pair.
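Why the "-rfc" output is readable by "OpenSSL" at all comes down to two facts: the PEM form is just Base 64 over the same DER bytes that "keytool" writes without "-rfc", and X.509 is a fixed ASN.1 structure that any DER walker can read. The following added example (my own code, not from this tutorial or from the keytool/OpenSSL projects) shows both points for the "-rfc" discussion and the "openssl x509" section above: it converts between PEM and DER, walks the DER to pull out the same header fields that "keytool -printcert" and "openssl x509 -text" print (version, serial number, signature algorithm, validity, subject CN), and checks the 90-day validity seen above. It parses a constructed sample certificate built inline with the page's values (serial 0x46aa6511, dsaWithSHA1, Apr 1 to Jun 30 2007); the public key and signature bytes in that sample are placeholders, and all helper names are mine. Since the sample is not really signed, the example only reads fields, exactly as the two print commands do; it performs no signature verification.

```python
import base64
import re
from datetime import datetime, timezone

# DER-encoded OIDs used by the sample (dotted: 1.2.840.10040.4.3, 1.2.840.10040.4.1, 2.5.4.3)
OID_DSA_WITH_SHA1 = bytes.fromhex("2a8648ce380403")
OID_DSA = bytes.fromhex("2a8648ce380401")
OID_CN = bytes.fromhex("550403")
OID_NAMES = {"1.2.840.10040.4.3": "dsaWithSHA1", "1.2.840.10040.4.1": "dsaEncryption"}

# --- minimal DER encoder, used only to build the constructed sample certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):  # minimal two's-complement INTEGER (keeps the sign bit clear for positives)
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def der_name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, a single CN here
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x13, cn.encode()))))

# --- minimal DER decoder ---
def read_tlv(buf, pos):  # returns (tag, value, position after this element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_utctime(raw):
    return datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# --- PEM (what "-rfc" writes) <-> DER (the binary form keytool writes without "-rfc") ---
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"

# --- the X.509 header fields that "keytool -printcert" and "openssl x509 -text" both show ---
def parse_cert(der):
    _tag, cert, _ = read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, algorithm, signature }
    tbs, sig_alg, _sig_value = children(cert)
    fields = children(tbs[1])
    version, i = 1, 0
    if fields[0][0] == 0xA0:  # EXPLICIT [0] version; when absent the certificate is v1
        version, i = int.from_bytes(children(fields[0][1])[0][1], "big") + 1, 1
    serial = int.from_bytes(fields[i][1], "big", signed=True)
    tbs_alg = decode_oid(children(fields[i + 1][1])[0][1])
    outer_alg = decode_oid(children(sig_alg[1])[0][1])
    not_before, not_after = (parse_utctime(v) for _, v in children(fields[i + 3][1]))
    subject_cn = children(children(children(fields[i + 4][1])[0][1])[0][1])[1][1].decode()
    return {"version": version, "serial": serial, "subject_cn": subject_cn,
            "signature_algorithm": OID_NAMES.get(outer_alg, outer_alg),
            # RFC 5280 4.1.1.2: the algorithm inside tbsCertificate must equal the outer one
            "algorithms_match": tbs_alg == outer_alg,
            "not_before": not_before, "not_after": not_after,
            "validity_days": (not_after - not_before).days}

def build_sample_cert():
    # Constructed sample with the page's values (serial 0x46aa6511, dsaWithSHA1, Apr 1 to Jun 30 2007 UTC);
    # the public key integer and the signature BIT STRING are placeholders, not a real DSA key or signature.
    alg = tlv(0x30, tlv(0x06, OID_DSA_WITH_SHA1))
    name = der_name("Herong Yang")
    validity = tlv(0x30, der_utctime(datetime(2007, 4, 1, 21, 35, 13, tzinfo=timezone.utc))
                   + der_utctime(datetime(2007, 6, 30, 21, 35, 13, tzinfo=timezone.utc)))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_DSA)) + tlv(0x03, b"\x00" + der_int(0xB0612B)))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(0x46AA6511) + alg + name + validity + name + spki)
    signature = tlv(0x03, b"\x00" + bytes(46))  # placeholder BIT STRING, not a real DSA signature
    return tlv(0x30, tbs + alg + signature)
```

Running `parse_cert(pem_to_der(der_to_pem(build_sample_cert())))` gives version 3, serial 1185572113 (0x46aa6511), dsaWithSHA1 and a 90-day validity, the same values the two print commands show above. The "algorithms_match" check is the one thing neither print command reports: RFC 5280 requires the algorithm identifier inside tbsCertificate to equal the outer signatureAlgorithm, and a mismatch is a sign of a malformed or tampered certificate worth rejecting before any further processing.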
(Continued on next part...)