"keytool -keyclone" - Clone Self-Signed Certificate with New Identity

This section provides a tutorial example on how to use the 'keytool -keyclone' command to clone a certificate with a new identity. The cloned certificate will have the same key pair as the original certificate.

In the third tutorial, I want to create a new key entry with the same key pair as an existing key entry, but change the identity information.

1. Clone a key entry in the KeyStore file.

# For default KeyStore file format: PKCS12
herong$ keytool -keyclone -alias my_home -dest my_copy \
  -keystore herong.jks -storepass HerongJKS

# For older KeyStore file format: JKS
# You can specify a password at the key entry level
herong$ keytool -keyclone -alias my_home -dest my_copy \
  -keystore herong.jks -storepass HerongJKS \
  -keypass My1stKey -new My2ndKey

2. Update the self-signed certificate of a key entry.

herong$ keytool -selfcert -alias my_copy \
  -dname "cn=Herong Yang, ou=My Unit 2, o=My Organization, c=US" \
  -keystore herong.jks -storepass HerongJKS

# For older KeyStore file format: JKS
herong$ keytool -selfcert -alias my_copy -keypass My2ndKey \
  -dname "cn=Herong Yang, ou=My Unit 2, o=My Organization, c=US" \
  -keystore herong.jks -storepass HerongJKS

3. Export the self-signed certificate.

herong$ keytool -exportcert -alias my_copy -file my_copy.crt \
  -keystore herong.jks -storepass HerongJKS

Certificate stored in file <my_copy.crt>

4. Print out certificate information.

herong$ keytool -printcert -file my_copy.crt

Owner: CN=Herong Yang, OU=My Unit 2, O=My Organization, C=US
Issuer: CN=Herong Yang, OU=My Unit 2, O=My Organization, C=US
Serial number: 388eb7ed596f0cba
Valid from: Tue Nov 26 09:01:49 EST 2024 until: Mon Feb 24 ...
Certificate fingerprints:
   SHA1: 7E:09:CB:55:74:76:F3:F5:63:80:EC:C8:7C:84:E4:94:C6:82:...
   SHA256: 1B:46:76:08:1B:F3:CA:68:FA:EA:D6:9B:62:B6:43:2C:31:...
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
...
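As an added example (not part of the tutorial), the script below runs the same clone and re-sign steps on a throwaway PKCS12 keystore and then checks the property this procedure relies on: the cloned alias presents a new subject name but is backed by the same key pair as the original entry. It assumes keytool (JDK) and openssl are on the PATH; the store password, file names and DNs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original tutorial: clone a key entry, give the
# clone a new self-signed identity, then verify that the subject changed while
# the SubjectPublicKeyInfo stayed identical. Needs keytool and openssl on PATH.

# verify_keyclone STOREPASS
#   returns 0 if the clone has the same public key and a different subject,
#           1 if that check fails, 2 if keytool or openssl is not installed.
verify_keyclone() {
  pw="$1"
  if ! command -v keytool >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
    echo "skip: keytool and openssl are required" >&2
    return 2
  fi
  work=$(mktemp -d) || return 1
  ks="$work/herong.p12"   # constructed throwaway keystore

  # 0. Original entry (the tutorial assumes this already exists).
  keytool -genkeypair -alias my_home -keyalg EC -keysize 384 -validity 90 \
    -dname "CN=Herong Yang, OU=My Unit, O=My Organization, C=US" \
    -storetype PKCS12 -keystore "$ks" -storepass "$pw" >/dev/null 2>&1 || return 1

  # 1. Clone the key entry: same key pair, same certificate, new alias.
  keytool -keyclone -alias my_home -dest my_copy \
    -keystore "$ks" -storepass "$pw" >/dev/null 2>&1 || return 1

  # 2. Replace the clone's certificate with one carrying a new identity.
  keytool -selfcert -alias my_copy \
    -dname "CN=Herong Yang, OU=My Unit 2, O=My Organization, C=US" \
    -keystore "$ks" -storepass "$pw" >/dev/null 2>&1 || return 1

  # 3. Export both certificates as PEM (-rfc) so openssl can read them.
  for a in my_home my_copy; do
    keytool -exportcert -rfc -alias "$a" -file "$work/$a.pem" \
      -keystore "$ks" -storepass "$pw" >/dev/null 2>&1 || return 1
  done

  # 4. Subjects must differ; the public keys must be byte-for-byte identical.
  subj_home=$(openssl x509 -in "$work/my_home.pem" -noout -subject)
  subj_copy=$(openssl x509 -in "$work/my_copy.pem" -noout -subject)
  pub_home=$(openssl x509 -in "$work/my_home.pem" -noout -pubkey)
  pub_copy=$(openssl x509 -in "$work/my_copy.pem" -noout -pubkey)
  rm -rf "$work"
  [ "$subj_home" != "$subj_copy" ] || return 1
  [ "$pub_home" = "$pub_copy" ] || return 1
  echo "OK: '$subj_copy' is backed by the original key pair"
}
```

Because the private key is shared, anyone who trusts my_copy.crt is trusting the same key that signs as my_home; treat both aliases as one key when you rotate or revoke.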
