Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Migrating Keys from 'keytool' to 'OpenSSL'


(Continued from previous part...)

"keytool" Exporting PrivateKeyEntry

After generating my key pair with the "keytool -genkeypair" command, I got a PrivateKeyEntry inside the keystore file, herong.jks. So I tried to export it using the "keytool -exportcert" command as shown in the following command session:

>keytool -exportcert -alias herong_key -keypass keypass -keystore herong.jks -storepass jkspass -file herong.crt -rfc

Certificate stored in file <herong.crt>

>type herong.crt
-----BEGIN CERTIFICATE-----
MIIDODCCAvagAwIBAgIERqplETALBgcqhkjOOAQDBQAwfzELMAkGA1UE...
...
Cgfs2kXj/IQCFDC5GT5IrLTIFxAyPUo1tJo2DPkK
-----END CERTIFICATE-----

Cool. A certificate was exported. I am not going to explain all the command options used above, because they were explained in previous chapters. But I want to mention this "-rfc" option:

  • "-rfc" tells "keytool" to write the output certificate in "Base 64 encoding" form described in "RFC 1421 Certificate Encoding Standard".

Without the "-rfc" option, "keytool" writes the certificate in its binary DER form, which is harder to paste or transfer as text. It is the same certificate either way; "openssl x509 -inform DER" reads the binary form.

I got this certificate exported from the PrivateKeyEntry of my key pair. But what is in this certificate? I will use the "keytool -printcert" command to look into it in the next section.

"keytool" Printing Certificate Details

With the "keytool -exportcert" command, I got a certificate, herong.crt, exported from the PrivateKeyEntry of my key pair. Now I want to see some details of this certificate with the "keytool -printcert" command as shown below:

>keytool -printcert -file herong.crt

Owner: CN=Herong Yang, OU=Herong Unit, O=Herong Company, 
L=Herong City, ST=Herong State, C=CA
Issuer: CN=Herong Yang, OU=Herong Unit, O=Herong Company, 
L=Herong City, ST=Herong State, C=CA
Serial number: 46aa6511
Valid from: Sun Apr 1 17:35:13 EDT 2007 
until: Sat Jun 30 17:35:13 EDT 2007
Certificate fingerprints:
         MD5:  0C:54:AE:99:4E:3D:F7:A9:79:1A:93:83:0F:EF...
         SHA1: CA:23:1C:D4:F9:74:84:4C:16:F7:E7:AB:B1:08...
         Signature algorithm name: SHA1withDSA
         Version: 3

OK. Now I know that:

  • This certificate, herong.crt, is a self-signed certificate of my public key.
  • The certificate is valid for 90 days only, which is the "keytool" default when "-validity" is not given.
  • Command "keytool -exportcert" will not export the key pair itself.
  • What I said earlier about "keytool can not be used to generate self-signed certificate" was wrong.

After this test, I read the Java manual again. It explains what exactly "keytool -genkeypair" does clearly: "Generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias."

So the "PrivateKeyEntry" in the keystore file has two components: my private key and a single-element certificate chain holding my self-signed certificate, which carries the public key.

The "keytool -exportcert" command exports only the self-signed certificate, and with it the public key. The private key stays in the keystore.

The next question is whether this certificate generated by "keytool" can be viewed with "OpenSSL". See the next section for the answer.

"OpenSSL" Viewing "keytool" Generated Certificates

From the previous section, I have my self-signed certificate generated by "keytool", stored in the RFC 1421 (PEM) format, which is also the default input format of "openssl x509". Now I want to try to view this certificate with the "openssl x509" command as shown below:

>openssl x509 -in herong.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1185572113 (0x46aa6511)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=CA, ST=Herong State, L=Herong City, 
O=Herong Company, OU=Herong Unit, CN=Herong Yang
        Validity
            Not Before: Apr 1 21:35:13 2007 GMT
            Not After : Jun 30 21:35:13 2007 GMT
        Subject: C=CA, ST=Herong State, L=Herong City, 
O=Herong Company, OU=Herong Unit, CN=Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub:
                    00:b0:61:2b:c1:88:0e:19:66:58:37:b5:...
                    ...
                P:
                    00:fd:7f:53:81:1d:75:12:29:52:df:4a:...
                    ...
                Q:
                    00:97:60:50:8f:15:23:0b:cc:b2:92:b9:...
                    ...
                G:
                    00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:...
                    ...
   Signature Algorithm: dsaWithSHA1
       30:2c:02:14:6c:21:f3:43:b5:4f:d5:3d:2e:23:89:45:0...
       ...

What I learned from this test:

  • Certificates generated by "keytool" are compatible with "OpenSSL".
  • "openssl x509" provides much more certificate detail than the "keytool -printcert" command.
  • Both tools show the same certificate, just displayed differently: "keytool" prints the validity period in local time (17:35 EDT) while "openssl" prints the stored UTCTime value (21:35 GMT), and "keytool" lists the name with CN first while "openssl" lists it in encoding order, with C first.
  • "keytool -genkeypair" used the DSA algorithm as the default to generate the key pair. That was the default of the JDK used here; later JDK releases warn when "-keyalg" is omitted, so specify it explicitly (for example "-keyalg RSA"). The SHA1withDSA signature and the MD5 fingerprint shown above are legacy algorithms and should not be relied on today.
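As an added example, not part of the original tutorial, the following Python script shows what the "-rfc" option discussed earlier actually changes, and what the two tools above are reading. It builds a certificate-shaped DER structure from the fields shown on this page (serial 0x46aa6511, dsaWithSHA1, the Herong distinguished name, the 90-day validity window in GMT); the DSA key values and the signature are constructed dummies, so the result is not a valid certificate and must not be trusted by anything. It then wraps the DER in the Base64/PEM form that "-rfc" produces, decodes it back to binary, and parses out the fields that "keytool -printcert" and "openssl x509 -text" display: the serial in both decimal and hex, the name in both display orders, and the validity period in GMT. All function and constant names are this example's own.

```python
"""Added example, not from the tutorial: a certificate-shaped DER with the page's fields and
DUMMY key/signature, PEM-wrapped as "keytool -rfc" does, then parsed back like the two tools."""
import base64
import datetime

def der(tag, content):                        # DER TLV, short or long definite length
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content
def seq(*items): return der(0x30, b"".join(items))
def utctime(s): return der(0x17, s.encode("ascii"))
def printable(s): return der(0x13, s.encode("ascii"))
def bitstring(b): return der(0x03, b"\x00" + b)          # 0 unused bits
def integer(n):                                           # minimal two's complement
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))
def oid(dotted):                              # base-128 arcs, high bit set on all but last
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

NAME_OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
             "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
OID_NAMES = {v: k for k, v in NAME_OIDS.items()}
DSA_WITH_SHA1, DSA_KEY = "1.2.840.10040.4.3", "1.2.840.10040.4.1"
# RDNs in DER encoding order, which is the order "openssl x509" prints them.
HERONG_NAME = [("C", "CA"), ("ST", "Herong State"), ("L", "Herong City"),
               ("O", "Herong Company"), ("OU", "Herong Unit"), ("CN", "Herong Yang")]
def name(rdns):                               # X.501 Name: SEQUENCE OF SET OF {type, value}
    return seq(*[der(0x31, seq(oid(NAME_OIDS[k]), printable(v))) for k, v in rdns])
def build_constructed_cert():
    tbs = seq(der(0xA0, integer(2)),                         # [0] version = v3
              integer(0x46AA6511),                           # serial number
              seq(oid(DSA_WITH_SHA1)),                       # signature algorithm
              name(HERONG_NAME),                             # issuer
              seq(utctime("070401213513Z"), utctime("070630213513Z")),  # validity, GMT
              name(HERONG_NAME),                             # subject (self-signed)
              seq(seq(oid(DSA_KEY), seq(integer(23), integer(11), integer(2))),  # dummy p,q,g
                  bitstring(integer(5))))                    # dummy public key y
    # Placeholder signature; a real one is a DER SEQUENCE {r, s} computed over tbs.
    return seq(tbs, seq(oid(DSA_WITH_SHA1)), bitstring(seq(integer(1), integer(1))))

def pem_encode(der_bytes, label="CERTIFICATE"):   # the "-rfc" form: base64, 64 columns
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
def pem_decode(pem):                              # back to the binary DER written without "-rfc"
    return base64.b64decode("".join(l for l in pem.split() if "-----" not in l))

def parse_tlv(buf, pos=0):                        # -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(content):                            # (tag, content) of each child element
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = parse_tlv(content, pos)
        out.append((tag, value))
    return out
def decode_oid(content):
    arcs, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))
def decode_name(content):                         # [(type, value)] in encoding order
    atvs = [children(atv) for _, rdn in children(content) for _, atv in children(rdn)]
    return [(OID_NAMES.get(decode_oid(t), decode_oid(t)), v.decode("ascii"))
            for (_, t), (_, v) in atvs]
def decode_utctime(content):                      # UTCTime is GMT; keytool shows local time
    t = datetime.datetime.strptime(content.decode("ascii"), "%y%m%d%H%M%SZ")
    return t.replace(tzinfo=datetime.timezone.utc)

def parse_cert(der_bytes):                        # what -printcert and x509 -text both show
    (_, tbs), (_, sig_alg), _ = children(parse_tlv(der_bytes)[1])
    fields, version = children(tbs), 1
    if fields[0][0] == 0xA0:                      # explicit [0] version tag present
        version, fields = int.from_bytes(children(fields[0][1])[0][1], "big") + 1, fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer, subject = decode_name(fields[2][1]), decode_name(fields[4][1])
    not_before, not_after = (decode_utctime(v) for _, v in children(fields[3][1]))
    return {"version": version, "serial": serial, "serial_hex": format(serial, "x"),
            "signature_oid": decode_oid(children(sig_alg)[0][1]),
            "issuer_openssl": ", ".join(f"{k}={v}" for k, v in issuer),
            "owner_keytool": ", ".join(f"{k}={v}" for k, v in reversed(subject)),
            "not_before": not_before, "not_after": not_after,
            "validity_days": (not_after - not_before).days, "self_signed": issuer == subject}

if __name__ == "__main__":
    for k, v in parse_cert(pem_decode(pem_encode(build_constructed_cert()))).items():
        print(f"{k:15} {v}")
```

Running the script prints the parsed fields. The two name strings are the same distinguished name in the two display orders, and the validity times come out in GMT because that is what UTCTime stores, which is why keytool's 17:35 EDT and openssl's 21:35 GMT above are the same instant. The parser is deliberately minimal (no extensions, no GeneralizedTime, no signature check) and is for inspection only; verify real certificates with openssl or keytool.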

(Continued on next part...)


Dr. Herong Yang, updated in 2007