keytool - JDK Tool to Manage Certificates Using 'keystore'
"keytool" - tool introduced in JDK 1.2 to manage keys and certificates using "keystore".
(Continued from previous part...)
"keytool" Example - Exporting and Importing Certificates
In the second example, I want to export the certificate stored in the key entry
to a certificate file, then import it back into the keystore as a trusted certificate entry:
keytool -export -alias my_home -file my_home.crt -keystore herong.jks -storepass HerongJKS
Certificate stored in file <my_home.crt>
keytool -printcert -file my_home.crt
Owner: CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My Sta...
Issuer: CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My St...
Serial number: 407928a4
Valid from: Sat Jun 1 07:14:44 EDT 2002 until: Sat Aug 31 07:14:44...
Certificate fingerprints:
MD5: BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B:D1:99:79:55
SHA1: AE:67:0C:C5:21:5C:F6:6F:45:33:9E:FB:8E:50:EA:32:32:D1:92:BB
keytool -import -alias my_home_crt -file my_home.crt -keystore herong.jks -storepass HerongJKS
Certificate already exists in keystore under alias <my_home>
Do you still want to add it? [no]: yes
Certificate was added to keystore
keytool -list -keystore herong.jks -storepass HerongJKS
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries:
my_home_crt, Sat Jun 1 12:25:46 EDT 2004, trustedCertEntry,
Certificate fingerprint (MD5): BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B...
my_home, Sat Jun 1 07:15:16 EDT 2002, keyEntry,
Certificate fingerprint (MD5): BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B...
Looking good so far:
- The "-export" command option exports the self-signed certificate of my public key
into a file, my_home.crt, in binary (DER) form. The private key stays in the keystore;
only the certificate leaves it.
- The "-printcert" command option prints summary information of an X.509 certificate
stored in a file. As you can see from the printout, I am both the issuer and the owner
of this certificate, which is what makes it self-signed. This JDK prints MD5 and SHA-1
fingerprints; later JDKs print SHA-256 as well, and that is the value to compare when
checking a certificate against a reference obtained out of band, since MD5 and SHA-1
are no longer collision resistant.
- The "-import" command option imports the certificate from the certificate file
back into the keystore under a different alias, my_home_crt, as a trusted certificate
entry ("trustedCertEntry"). keytool only asked "Do you still want to add it?" because
the same certificate already sits in the my_home key entry; a certificate it cannot
verify against the keystore prompts "Trust this certificate? [no]:" instead, and
answering yes makes it a trust anchor for every program that uses this file as its
truststore, so check its fingerprint before answering.
Certificates can also be exported in printable form with the "-rfc" option: the same
DER bytes, Base64-encoded and wrapped between "-----BEGIN CERTIFICATE-----" and
"-----END CERTIFICATE-----" lines as described in RFC 1421 (the PEM format):
keytool -export -alias my_home_crt -file my_home.rfc -rfc -keystore herong.jks -storepass HerongJKS
Certificate stored in file <my_home.rfc>
type my_home.rfc
-----BEGIN CERTIFICATE-----
MIIDDTCCAssCBEB5KKQwCwYHKoZIzjgEAwUAMGwxCzAJBgNVBAYTAlVTMREwDwYDVQ...
dGF0ZTEQMA4GA1UEBxMHTXkgQ2l0eTEQMA4GA1UEChMHTXkgSG9tZTEQMA4GA1UECx...
dDEUMBIGA1UEAxMLSGVyb25nIFlhbmcwHhcNMDQwNDExMTExNDQ0WhcNMDQwNzEwMT...
MQswCQYDVQQGEwJVUzERMA8GA1UECBMITXkgU3RhdGUxEDAOBgNVBAcTB015IENpdH...
BAoTB015IEhvbWUxEDAOBgNVBAsTB015IFVuaXQxFDASBgNVBAMTC0hlcm9uZyBZYW...
ASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2US...
WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1...
+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCou...
gYEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgL...
FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkI...
BpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJdQsMlIf1nh4T/HZvVeltsrTGED118CkG...
ygy53OLwrSK+6ptJpXP8tPMn9YFVJ3eigJrMTaZvGyd40WRiYM6Woyj3T4H73LEKLD...
QeNYOAm8cp3l9ZQkNnmIA1P6CRR43EeAmdTUlK8y6RWTsrOiJMdDMAsGByqGSM44BA...
AhQ4zAUOPWe1wdiwye9XDsVPcKS1xwIUWTdok6RIeeCMRIytKwcTOo7/qpM=
-----END CERTIFICATE-----
"keytool" Example - Cloning Certificates with New Identities
In the third example, I want to create a new key entry that shares the key pair of
an existing key entry, but carries different identity information. "-keyclone" copies
the entry under a new alias with its own key password, and "-selfcert" replaces the
clone's certificate with a new self-signed one for the given distinguished name:
keytool -keyclone -alias my_home -dest my_copy -keypass My1stKey -new My2ndKey -keystore herong.jks -storepass HerongJKS
keytool -selfcert -alias my_copy -keypass My2ndKey -dname "cn=Herong Yang, ou=My Unit 2, o=My Organization 2, c=US" -keystore herong.jks -storepass HerongJKS
keytool -export -alias my_copy -file my_copy.crt -keystore herong.jks -storepass HerongJKS
Certificate stored in file <my_copy.crt>
keytool -printcert -file my_copy.crt
Owner: CN=Herong Yang, OU=My Unit 2, O=My Organization 2, C=US
Issuer: CN=Herong Yang, OU=My Unit 2, O=My Organization 2, C=US
Serial number: 40798b4f
Valid from: Sat Jun 1 14:15:43 EDT 2002 until: Sat Aug 31 14:15:43...
Certificate fingerprints:
MD5: 4A:E4:D9:BC:E9:8C:50:27:6C:00:59:76:D1:14:05:79
SHA1: FA:F5:30:78:22:3B:52:28:0D:41:24:0B:CA:CC:6F:D4:0E:...
Note that my_home and my_copy now hold the same private key: two certificates with
different subject names certify one public key, and whoever holds that key can act
as either identity. Later JDKs no longer document "-keyclone" and "-selfcert".
Conclusion:
- A key entry in the keystore contains a private key and a certificate of the matching public key.
- Certificates can be exported from the keystore into certificate files, in binary DER form
or, with "-rfc", in printable PEM form.
- Certificates can be imported from certificate files back into the keystore, where they
become trusted certificate entries.
- There seems to be no way to export private keys. (keytool has no command that prints a
private key; from JDK 6 on, "-importkeystore" can copy a key entry into a PKCS#12 keystore
that other tools can read.)
- There seems to be no way to generate a certificate for a given public key. ("-certreq"
produces a certificate signing request for a key entry, and from JDK 7 "-gencert" signs
such a request with another entry's private key, but neither takes a bare public key.)
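The export, fingerprint check, import and private-key points above, scripted end to end as an added example (this is not code from the original page). It assumes a JDK 8 or later keytool on PATH ("-genkeypair", "-exportcert" and "-importcert" are the JDK 6+ spellings of "-genkey", "-export" and "-import"; the old names still work), and the alias, passwords and distinguished name are made up for the example. The one step the page does not show is the fingerprint comparison before "-importcert": here the reference fingerprint comes from the key entry the file was exported from, standing in for the value a certificate owner would give you out of band.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes a JDK 8+ keytool on
# PATH. Alias, passwords and DN are made up for this example.
set -eu

STOREPASS=HerongJKS
DN="CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My State, C=US"

# SHA-256 fingerprint from keytool output, normalised to lower-case hex with no
# colons so that two sources can be compared with a plain string test.
norm_sha256() { sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1 | tr -d ':' | tr 'A-F' 'a-f'; }

fp_of_file()  { keytool -printcert -file "$1" | norm_sha256; }
fp_of_alias() { keytool -list -v -alias "$1" -keystore "$KS" -storepass "$STOREPASS" | norm_sha256; }

roundtrip() {
    work=$(mktemp -d)
    KS="$work/herong.jks"

    # 1. A key entry: private key plus a self-signed certificate of its public key.
    keytool -genkeypair -alias my_home -keyalg RSA -keysize 2048 -validity 90 \
        -dname "$DN" -keystore "$KS" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1

    # 2. Export the certificate: binary DER by default, RFC 1421 PEM with -rfc.
    keytool -exportcert -alias my_home -file "$work/my_home.crt" \
        -keystore "$KS" -storepass "$STOREPASS" >/dev/null 2>&1
    keytool -exportcert -alias my_home -file "$work/my_home.pem" -rfc \
        -keystore "$KS" -storepass "$STOREPASS" >/dev/null 2>&1
    [ "$(head -n 1 "$work/my_home.pem")" = "-----BEGIN CERTIFICATE-----" ] || return 1

    # 3. Never import a certificate as trusted on the strength of the file alone:
    #    compare its fingerprint with a reference obtained independently. Here the
    #    reference is the keystore entry it came from; in practice it is the value
    #    the certificate owner gave you out of band.
    file_fp=$(fp_of_file "$work/my_home.crt")
    ref_fp=$(fp_of_alias my_home)
    if [ -z "$file_fp" ] || [ "$file_fp" != "$ref_fp" ]; then
        echo "fingerprint mismatch, refusing to import" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias my_home_crt -file "$work/my_home.crt" \
        -keystore "$KS" -storepass "$STOREPASS" >/dev/null 2>&1

    # 4. The certificate now lives twice: inside the key entry and as a trusted
    #    certificate entry, i.e. a trust anchor for code using this file as truststore.
    listing=$(keytool -list -keystore "$KS" -storepass "$STOREPASS" 2>/dev/null)
    echo "$listing" | grep -q '^my_home_crt,.*trustedCertEntry' || return 1
    echo "$listing" | grep -q '^my_home,.*PrivateKeyEntry'      || return 1

    # 5. keytool has no command that prints a private key, but since JDK 6 the
    #    entry can be copied into a PKCS#12 file that other tools can open.
    keytool -importkeystore -noprompt -srckeystore "$KS" -srcstorepass "$STOREPASS" \
        -srcalias my_home -destkeystore "$work/herong.p12" -deststoretype PKCS12 \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" >/dev/null 2>&1
    [ -s "$work/herong.p12" ] || return 1

    rm -rf "$work"
    echo ok
}

if command -v keytool >/dev/null 2>&1; then
    roundtrip
else
    echo "keytool not found on PATH" >&2
fi
```

The script prints "ok" only if every step succeeded; any keytool failure, a fingerprint mismatch or an unexpected entry type makes it return non-zero, which is the behaviour you want from anything that writes into a truststore.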