Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

This site Web Google

keytool - JDK Tool to Manage Certificates Using 'keystore'

Part:   1  2  3 

tool introduced in JDK 1.2 to manage keys and certificates using "keystore". "keytool"

(Continued from previous part...)

"keytool" Example - Exporting and Import Certificates

In the second example, I want to export the certificate stored in the key entry to a certificate file, then import it back into the keystore as certificate entry: 

keytool -export -alias my_home -file my_home.crt -keystore herong.jks
   -storepass HerongJKS
Certificate stored in file <my_home.crt>

keytool -printcert -file my_home.crt
Owner: CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My Sta...
Issuer: CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My St...
Serial number: 407928a4
Valid from: Sat Jun 1 07:14:44 EDT 2002 until: Sat Aug 31 07:14:44...
Certificate fingerprints:
   MD5:  BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B:D1:99:79:55
   SHA1: AE:67:0C:C5:21:5C:F6:6F:45:33:9E:FB:8E:50:EA:32:32:D1:92:BB

keytool -import -alias my_home_crt -file my_home.crt
   -keystore herong.jks -storepass HerongJKS
Certificate already exists in keystore under alias <my_home>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

keytool -list -keystore herong.jks -storepass HerongJKS

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

my_home_crt, Sat Jun 1 12:25:46 EDT 2004, trustedCertEntry,
Certificate fingerprint (MD5): BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B...
my_home, Sat Jun 1 07:15:16 EDT 2002, keyEntry,
Certificate fingerprint (MD5): BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B...

Looking good so far:

  • The "-export" command option exports the self-signed certificate of my public key into a file, my_home.crt.
  • The "-printcert" command option prints out summary information of a certificate stored in a file in X.509 format. As you can see from the print out, I am the issuer and the owner of this certificate.
  • The "-import" command option imports the certificate from the certificate file back into the keystore under different alias, my_home_crt.

Certificates can also be exported in a printable format: based on RFC 1421 specification, using the BASE64 encoding algorithm. 

keytool -export -alias my_home_crt -file my_home.rfc -rfc 
   -keystore herong.jks -storepass HerongJKS
Certificate stored in file <my_home.rfc>

type my_home.rfc
-----BEGIN CERTIFICATE-----
MIIDDTCCAssCBEB5KKQwCwYHKoZIzjgEAwUAMGwxCzAJBgNVBAYTAlVTMREwDwYDVQ...
dGF0ZTEQMA4GA1UEBxMHTXkgQ2l0eTEQMA4GA1UEChMHTXkgSG9tZTEQMA4GA1UECx...
dDEUMBIGA1UEAxMLSGVyb25nIFlhbmcwHhcNMDQwNDExMTExNDQ0WhcNMDQwNzEwMT...
MQswCQYDVQQGEwJVUzERMA8GA1UECBMITXkgU3RhdGUxEDAOBgNVBAcTB015IENpdH...
BAoTB015IEhvbWUxEDAOBgNVBAsTB015IFVuaXQxFDASBgNVBAMTC0hlcm9uZyBZYW...
ASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2US...
WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1...
+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCou...
gYEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgL...
FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkI...
BpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJdQsMlIf1nh4T/HZvVeltsrTGED118CkG...
ygy53OLwrSK+6ptJpXP8tPMn9YFVJ3eigJrMTaZvGyd40WRiYM6Woyj3T4H73LEKLD...
QeNYOAm8cp3l9ZQkNnmIA1P6CRR43EeAmdTUlK8y6RWTsrOiJMdDMAsGByqGSM44BA...
AhQ4zAUOPWe1wdiwye9XDsVPcKS1xwIUWTdok6RIeeCMRIytKwcTOo7/qpM=
-----END CERTIFICATE-----

"keytool" Example - Cloning Certificates with New Identities

In the third example, I want to create a new key entry with the same key pair of an existing key entry, but change the identity information: 

keytool -keyclone -alias my_home -dest my_copy -keypass My1stKey 
   -new My2ndKey -keystore herong.jks -storepass HerongJKS

keytool -selfcert -alias my_copy -keypass My2ndKey 
   -dname "cn=Herong Yang, ou=My Unit 2, o=My Organization 2, c=US" 
   -keystore herong.jks -storepass HerongJKS

keytool -export -alias my_copy -file my_copy.crt -keystore herong.jks
   -storepass HerongJKS
Certificate stored in file <my_copy.crt>

keytool -printcert -file my_copy.crt
Owner: CN=Herong Yang, OU=My Unit 2, O=My Organization 2, C=US
Issuer: CN=Herong Yang, OU=My Unit 2, O=My Organization 2, C=US
Serial number: 40798b4f
Valid from: Sat Jun 1 14:15:43 EDT 2002 until: Sat Aug 31 14:15:43...
Certificate fingerprints:
         MD5:  4A:E4:D9:BC:E9:8C:50:27:6C:00:59:76:D1:14:05:79
         SHA1: FA:F5:30:78:22:3B:52:28:0D:41:24:0B:CA:CC:6F:D4:0E:...

Conclusion:

  • A key entry in keystore contains a private key and a certificate of the public key.
  • Certificates can be exported into certificate files out of keystore.
  • Certificates can be imported from certificate back into keystore.
  • There seems be to no way to export private keys.
  • There seems be to no way to generate a certificate of a given public key.

Part:   1  2  3 

Dr. Herong Yang, updated in 2007
Cryptography Tutorials - Herong's Tutorial Notes - keytool - JDK Tool to Manage Certificates Using 'keystore'