JDK Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.32, 2006

JCA - Certificates, 'keytool' and 'keystore'

This chapter describes some parts of the JCA (Java Cryptography Architecture), which has been included in the JDK since version 1.1:

  • What is a certificate and a certificate chain?
  • What is "keystore"?
  • What are the functions offered by "keytool"?
  • Examples of using "keytool".

Certificates and Certificate Chains

Certificate: A digitally signed statement from the issuer saying that the public key of the subject has some specific value.

The above definition is copied from the JDK 1.3.1 documentation. It has a couple of important terms:

  • "signed statement" - The certificate must be signed by the issuer with a digital signature.
  • "issuer" - The person or organization who is issuing this certificate.
  • "public key" - The public key of a key pair selected by the subject.
  • "subject" - The person or organization who owns the public key.

X.509 Certificate - A certificate written in the X.509 standard format. The X.509 standard was introduced in 1988. It requires a certificate to contain the following information:

  • Version - X.509 standard version number.
  • Serial Number - A sequence number given to each certificate.
  • Signature Algorithm Identifier - Name of the algorithm the issuer used to sign this certificate.
  • Issuer Name - Name of the issuer.
  • Validity Period - Period during which this certificate is valid.
  • Subject Name - Name of the owner of the public key.
  • Subject Public Key Information - The public key and its related information.

How can you get a certificate for your own public key?

  • Requesting it from a Certificate Authority (CA), like VeriSign, Thawte or Entrust.
  • Doing it yourself - using tools like JDK "keytool" to generate a self-signed certificate.

Certificate Chain: A series of certificates in which each certificate certifies the public key of the issuer of the next certificate. Usually the top certificate (the first certificate) is self-signed, meaning the issuer signed its own public key.

What is "keystore"?

"keystore" - A database used by the JDK "keytool" command and the KeyStore class to store your own private keys and the public key certificates you have received from others. "keystore" supports the following features:

  • Two types of entries: key entries for private keys and certificate entries for public key certificates.
  • A key entry contains the private key and a certificate chain of the corresponding public key.
  • Every entry has a unique alias name.
  • Key entries are protected by separate passwords.
  • "keystore" may have different implementations from different security package providers. The default implementation from Sun is called JKS.
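The certificate chain definition and the two kinds of keystore entries described above can be checked against a real keystore with the Java program below; it is an added example, not code from the tutorial. The class name KeyStoreInspector is my own, and when no path and password are given on the command line it assumes the JDK's bundled trusted-CA keystore at lib/security/cacerts with the JDK's default password "changeit".

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeyStoreInspector {
    // Chain check as described above: each certificate must verify with the public key
    // carried by the next one, and the top (self-signed) certificate with its own key.
    // Note that the KeyStore API orders a chain end-entity first and root last.
    static boolean chainVerifies(Certificate[] chain) {
        try {
            for (int i = 0; i < chain.length; i++) {
                Certificate signer = (i + 1 < chain.length) ? chain[i + 1] : chain[i];
                chain[i].verify(signer.getPublicKey()); // throws if the signature is bad
            }
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    // Print the X.509 fields listed above.
    static void describe(X509Certificate c) {
        System.out.printf("    v%d, serial %x, signed with %s%n", c.getVersion(), c.getSerialNumber(), c.getSigAlgName());
        System.out.printf("    issuer  %s%n    subject %s%n", c.getIssuerX500Principal(), c.getSubjectX500Principal());
        System.out.printf("    valid   %s to %s%n", c.getNotBefore(), c.getNotAfter());
    }

    public static void main(String[] args) throws Exception {
        // Defaults to the JDK's own trusted-CA keystore; pass a path and password for another.
        String path = args.length > 0 ? args[0] : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // the keystore password protects integrity of the whole file
        }
        System.out.println(ks.getType() + " keystore with " + ks.size() + " entries");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) { // private key plus the chain for its public key
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("Key entry '" + alias + "', chain of " + chain.length + ", verifies: " + chainVerifies(chain));
                describe((X509Certificate) chain[0]);
            } else { // trusted certificate entry: someone else's public key certificate
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("Certificate entry '" + alias + "', self-signed: " + chainVerifies(new Certificate[] { c }));
                describe(c);
            }
        }
    }
}
```

Run it with no arguments to list the CAs your JDK trusts, or with a path and password to inspect a keystore containing your own key entries; the private key itself is never read, so the key entry passwords are not needed.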
