PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"keytool -genkeypair" - Certificate and Key Bundle
This section provides a tutorial example on how to create a PKCS12 bundle to store a self-signed certificate and its private/public key pair using the 'keytool -genkeypair' command.
The "keytool" command from the JDK (Java Development Kit) can also be used to create a PKCS12 bundle file, as shown in this tutorial:
1. Create a self-signed certificate from an internally generated private/public key pair and store them in a new PKCS12 bundle file.
herong$ keytool -genkeypair -keyalg ec \
  -keystore bundle-jdk.p12 -storetype pkcs12 -storepass TopSecret
What is your first and last name?
  [Unknown]:  ZZ Root CA
What is the name of your organizational unit?
  [Unknown]:  .
What is the name of your organization?
  [Unknown]:  .
What is the name of your City or Locality?
  [Unknown]:  .
What is the name of your State or Province?
  [Unknown]:  .
What is the two-letter country code for this unit?
  [Unknown]:  ZZ
Is <CN=ZZ Root CA, OU=., O=., L=., ST=., C=ZZ> correct?
  [no]:  yes
2. List items in the PKCS12 bundle using "keytool". It contains a private key entry (and its self-signed certificate).
herong$ keytool -list -keystore bundle-jdk.p12 -storepass TopSecret
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

mykey, Nov 23, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): E4:2A:FD:0B:7E:6C:21:C3:9C:...
3. Print out information from the PKCS12 bundle using "openssl". It contains a certificate bag and a key bag.
herong$ openssl pkcs12 -info -in bundle-jdk.p12 \
  -passin pass:TopSecret -noout
MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, ...
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration ...
Certificate bag
4. Convert the PKCS12 bundle into a PEM bundle.
herong$ openssl pkcs12 -in bundle-jdk.p12 -passin pass:TopSecret \
  -out bundle-jdk.pem -passout pass:TopSecret
5. Look at the PEM bundle. The private/public key pair is encrypted. The same "localKeyID" value links the certificate to the key pair.
herong$ more bundle-jdk.pem
Bag Attributes
    friendlyName: mykey
    localKeyID: 54696D652031373332343138353936353330
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIGzMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBCGC6JKO1O029LD7oR4
tLG6AgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQpgLsGqDhfe6VWEFq
...
Q50K0zfdHOIN55rD4o90p1mcwR1LQFTAAl2DFLy/L7JZURbNWNw=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: mykey
    localKeyID: 54696D652031373332343138353936353330
subject=C=ZZ, ST=., L=., O=., OU=., CN=ZZ Root CA
issuer=C=ZZ, ST=., L=., O=., OU=., CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIBuzCCAWGgAwIBAgIIYgivSmD30Z8wCgYIKoZIzj0EAwIwUjELMAkGA1UEBhMC
WloxCjAIBgNVBAgTAS4xCjAIBgNVBAcTAS4xCjAIBgNVBAoTAS4xCjAIBgNVBAsT
...
4V9G5qguCYK9NcR8ak7j
-----END CERTIFICATE-----
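As an added example (not part of this tutorial), the Python script below parses a PEM dump of the kind produced in step 5 and checks the linkage the text describes: one encrypted key bag, one certificate bag, and one shared localKeyID. It also decodes that localKeyID, which keytool sets to the ASCII string "Time <epoch milliseconds>" of the entry's creation; the sample PEM is constructed from the output above with shortened base64 bodies.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the PEM bundle shown in step 5; the base64 bodies
# are shortened placeholders because only the bag attributes are parsed.
SAMPLE_PEM = """\
Bag Attributes
    friendlyName: mykey
    localKeyID: 54 69 6D 65 20 31 37 33 32 34 31 38 35 39 36 35 33 30
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIGzMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBCGC6JKO1O029LD7oR4
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: mykey
    localKeyID: 54 69 6D 65 20 31 37 33 32 34 31 38 35 39 36 35 33 30
subject=C=ZZ, ST=., L=., O=., OU=., CN=ZZ Root CA
issuer=C=ZZ, ST=., L=., O=., OU=., CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIBuzCCAWGgAwIBAgIIYgivSmD30Z8wCgYIKoZIzj0EAwIwUjELMAkGA1UEBhMC
-----END CERTIFICATE-----
"""

def parse_bags(pem):
    """Split an "openssl pkcs12" PEM dump into bags: attributes plus PEM label."""
    bags, current = [], None
    for line in pem.splitlines():
        if line == "Bag Attributes":
            current = {"attrs": {}, "label": ""}
            bags.append(current)
        elif current is not None and line[:1] in (" ", "\t") and ":" in line:
            key, _, value = line.strip().partition(":")
            current["attrs"][key] = value.strip()
        elif current is not None and line.startswith("-----BEGIN "):
            current["label"] = line[len("-----BEGIN "):].rstrip("-")
            current = None  # the PEM object closes this bag
    return bags

def decode_local_key_id(hex_id):
    """Return raw localKeyID bytes and, for keytool entries, the creation time they encode."""
    raw = bytes.fromhex(re.sub(r"[\s:]", "", hex_id))   # accept spaced or packed hex
    if raw.startswith(b"Time ") and raw[5:].isdigit():  # keytool: "Time <epoch millis>"
        return raw, datetime.fromtimestamp(int(raw[5:]) / 1000, tz=timezone.utc)
    return raw, None

def check_bundle(pem):
    bags = parse_bags(pem)
    keys = [b for b in bags if b["label"].endswith("PRIVATE KEY")]
    ids = {decode_local_key_id(b["attrs"].get("localKeyID", ""))[0] for b in bags}
    return {"key_bags": len(keys), "cert_bags": sum(b["label"] == "CERTIFICATE" for b in bags),
            "key_encrypted": all(b["label"] == "ENCRYPTED PRIVATE KEY" for b in keys),
            "linked": len(ids) == 1, "local_key_id": next(iter(ids)) if len(ids) == 1 else None}
```

Run `check_bundle(open("bundle-jdk.pem").read())` against a real dump; a bundle whose key and certificate carry different localKeyID values reports `"linked": False`.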