Reputation: 558
After I did some research about keystore and certificate, I found the following guides:
Correct me if I am wrong. From what I understand (and tested):
The thing that I do not understand is that, before I import any certificate into the keystore.jks file, when I try to see what is inside (using keytool -list -v -keystore keystore.jks), there appears to be a certificate already inside. Is it a default certificate for that keystore? I thought "keytool -genkeypair" would only generate a keystore with a key pair?
The result of keytool -list -v -keystore keystore.jks:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: testingkeypair
Creation date: Jan 11, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate:
Owner: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
Issuer: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
Serial number: 650d8951
Valid from: Mon Jan 11 14:43:52 SGT 2016 until: Sun Apr 10 14:43:52 SGT 2016
Certificate fingerprints:
         MD5:  F0:74:9F:27:F0:08:AB:A0:BE:B2:A0:F2:94:45:94:90
         SHA1: 87:0C:E2:E2:06:A6:52:4E:0C:40:E9:B0:DE:75:A7:8C:CC:01:45:57
         SHA256: D1:B2:63:F0:85:A7:06:2E:7D:2B:E1:1E:91:9E:62:56:22:E7:61:36:E6:23:8A:6F:21:EF:2B:79:0D:12:B8:38
         Signature algorithm name: SHA256withRSA
         Version: 3
Upvotes: 7
Views: 19164
Reputation: 558
After some more research, I have found the answer that I wanted. It was in the official javadoc for keytool. http://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html#genkeyCmd
It appears that whenever -genkey is used, a public/private key pair is generated and the public key is wrapped in a (self-signed) certificate. Hence the certificate I see when I use the "keytool -list -v" command straight after the -genkey command is the certificate for the public key.
Upvotes: 5
Reputation: 17
The command given in your second link is the answer:

keytool -certreq \
  -alias domain \
  -file domain.csr \
  -keystore keystore.jks

You need to generate a certificate request, which produces a certificate signing request (.csr) file. The .csr file will have your certificate details along with the public key, and the .jks file will have your private key. You need to send the .csr file to a CA like Symantec to get it signed. The CA will sign it and provide you a .cer or .crt (signed certificate), which you would then need to import into your .jks (Java keystore):

keytool -importcert \
  -trustcacerts -file domain.crt \
  -alias domain \
  -keystore keystore.jks

A .jks file is like a database for storing certs and keys.
Upvotes: 1
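A worked run of the flow both answers describe, as an added example that is not from the question or either answer: a fresh -genkeypair entry carries a self-signed certificate (Owner equals Issuer, chain length 1); after -certreq, signing by a throwaway OpenSSL test CA standing in for the real CA, and -importcert over the same alias, the entry carries a two-certificate chain. The describe_entry helper, the aliases domain/testca, the password and the DNs are assumptions; keytool and openssl are assumed to be on PATH, and the live part is skipped if they are not.

```shell
#!/bin/sh
# Added example, not from the question or answers. Assumes a JDK keytool and
# openssl on PATH; aliases 'domain'/'testca' and the password are made up.
set -e

# Classify one keystore entry from `keytool -list -v -alias X` text.
# Prints "<chain length> self-signed|ca-signed". The first Owner/Issuer pair
# is the leaf certificate, so a self-signed entry is length 1 with Owner == Issuer.
describe_entry() {
  printf '%s\n' "$1" | awk '
    /^Certificate chain length:/ { len = $4 }
    /^Owner:/  && owner  == "" { sub(/^Owner: */,  ""); owner  = $0 }
    /^Issuer:/ && issuer == "" { sub(/^Issuer: */, ""); issuer = $0 }
    END { kind = (len == 1 && owner == issuer) ? "self-signed" : "ca-signed"
          print len, kind }'
}

# Constructed sample in the layout of the listing in the question (no keytool needed).
SAMPLE_LISTING='Alias name: testingkeypair
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner:CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
Issuer: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing'
describe_entry "$SAMPLE_LISTING"        # prints: 1 self-signed

# Full lifecycle in a scratch directory: self-signed key pair -> CSR ->
# signed by a throwaway OpenSSL CA -> CA reply imported over the same alias.
demo() { (
  cd "$(mktemp -d)"; ks=keystore.jks; pw=changeit
  keytool -genkeypair -alias domain -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=example.test, O=Example" -keystore "$ks" -storepass "$pw" -keypass "$pw"
  echo "after -genkeypair: $(describe_entry "$(keytool -list -v -alias domain -keystore "$ks" -storepass "$pw")")"
  keytool -certreq -alias domain -file domain.csr -keystore "$ks" -storepass "$pw"
  # Throwaway CA standing in for the real CA the answer sends the CSR to.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test CA" -days 90 \
    -keyout ca.key -out ca.crt 2>/dev/null
  openssl x509 -req -in domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 90 -out domain.crt 2>/dev/null
  # Import the CA cert first so the reply's chain can be built, then the reply
  # under the private key's alias: keytool replaces the self-signed cert with the chain.
  keytool -importcert -alias testca -file ca.crt -keystore "$ks" -storepass "$pw" -noprompt
  keytool -importcert -trustcacerts -alias domain -file domain.crt -keystore "$ks" -storepass "$pw" -noprompt
  echo "after -importcert: $(describe_entry "$(keytool -list -v -alias domain -keystore "$ks" -storepass "$pw")")"
) }

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "keytool/openssl not found; skipped the live run"
fi
```

The live run prints "after -genkeypair: 1 self-signed" and then "after -importcert: 2 ca-signed", which is the observable difference between the entry the question asks about and a CA-signed one.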