Where to download keytool
It supports both detached and embedded signature files: select the keystore file and the XML file that needs to be signed. The tool can also import a regular trusted certificate or a root CA certificate for use with the current keystore.

The list of supported files includes some of the Public Key Cryptography Standards (PKCS) formats, and keystores can be saved in multiple formats such as the Bouncy Castle keystore or the Java Cryptography Extension keystore.

The command reads the request from file; if no file is given, the request is read from standard input. The CA authenticates the certificate requestor (usually off-line) and returns a certificate or certificate chain, which is used to replace the existing certificate chain (initially a single self-signed certificate) in the keystore. The private key associated with alias is used to create the PKCS #10 certificate request.

To access the private key, the correct password must be provided. If keypass is not provided at the command line and the private key password is different from the password used to protect the integrity of the keystore, then the user is prompted for it. If dname is provided, then it is used as the subject in the CSR. Otherwise, the X. The sigalg value specifies the algorithm used to sign the CSR. If no file is specified, then the CSR is output to stdout. Likewise, when no file is specified, the exported certificate is output to stdout.

The certificate is output in binary encoding by default. If the -rfc option is specified, then the output is in the printable encoding format defined by the Internet RFC Certificate Encoding Standard. If alias refers to a trusted certificate, then that certificate is output. Otherwise, alias refers to a key entry with an associated certificate chain, and the first certificate in the chain is returned. This certificate authenticates the public key of the entity addressed by alias.

This command was named -export in earlier releases. The new name, -exportcert, is preferred going forward. The listing command prints to stdout the contents of the keystore entry identified by alias; if no alias is specified, then the contents of the entire keystore are printed. By default it prints the SHA fingerprint of a certificate. If the -v option is specified, then the certificate is printed in human-readable format, with additional information such as the owner, issuer, serial number, and any extensions.

If the -rfc option is specified, then the certificate contents are printed using the printable encoding format, as defined by the Internet RFC Certificate Encoding Standard. The -sslserver and -file options cannot be provided at the same time; otherwise, an error is reported. If neither option is specified, then the certificate is read from stdin. If the certificate is read from a file or stdin, then it might be either binary encoded or in the printable encoding format defined by the RFC Certificate Encoding standard.

The CA generates the CRL file. The next command changes the password used to protect the integrity of the keystore contents. When changing a key password, if the -keypass option is not provided at the command line and the key password is different from the keystore password, then the user is prompted for it.

If the -new option is not provided at the command line, then the user is prompted for it. Deletes from the keystore the entry identified by alias.

When no alias is provided at the command line, the user is prompted for it. The next command moves an existing keystore entry from the specified alias to a new alias, destalias. If no destination alias is provided, then the command prompts for one.

If the original entry is protected with an entry password, then the password can be supplied with the -keypass option. If no key password is provided, then the storepass (if provided) is attempted first. If the attempt fails, then the user is prompted for a password. First, create a keystore and generate the key pair. You can use a command such as the following, typed as a single line. It uses the default DSA key generation algorithm to create the keys; both are bits.

The command uses the default SHAwithRSA signature algorithm to create a self-signed certificate that includes the public key and the distinguished name information. The certificate is valid for days, and is associated with the private key in a keystore entry referred to by the alias business.

The command is significantly shorter when the option defaults are accepted. In this case, no options are required, and the defaults are used for unspecified options that have default values.

You are prompted for any required values. You could have the following. In this case, a keystore entry with the alias mykey is created, with a newly generated key pair and a certificate that is valid for 90 days. This entry is placed in the keystore named. The keystore is created if it does not already exist.

You are prompted for the distinguished name information, the keystore password, and the private key password. The rest of the examples assume you executed the -genkeypair command without options specified, and that you responded to the prompts with values equal to those specified in the first -genkeypair command.

Generating the key pair created a self-signed certificate. A certificate is more likely to be trusted by others when it is signed by a Certification Authority (CA). This creates a CSR for the entity identified by the default alias mykey and puts the request in the file named MarkJ.

Submit this file to a CA, such as VeriSign. The CA authenticates you (the requestor, usually off-line) and returns a certificate, signed by them, authenticating your public key.

In some cases, the CA returns a chain of certificates, each one authenticating the public key of the signer of the previous certificate in the chain.

You now need to replace the self-signed certificate with a certificate chain, where each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a root CA.

Before you import the certificate reply from a CA, you need one or more trusted certificates in your keystore or in the cacerts keystore file. See -importcert in Commands. If the certificate reply is a certificate chain, then you need the top certificate of the chain: the root CA certificate that authenticates the public key of the CA. If the certificate reply is a single certificate, then you need a certificate for the issuing CA (the one that signed it).

If that certificate is not self-signed, then you need a certificate for its signer, and so on, up to a self-signed root CA certificate. The cacerts keystore file ships with several VeriSign root CA certificates, so you probably will not need to import a VeriSign certificate as a trusted certificate in your keystore.

But if you request a signed certificate from a different CA, and a certificate authenticating that CA's public key was not added to cacerts, then you must import a certificate from the CA as a trusted certificate. A certificate from a CA is usually either self-signed or signed by another CA, in which case you also need a certificate that authenticates that CA's public key.

Suppose company ABC, Inc. Be careful to ensure the certificate is valid before you import it as a trusted certificate. View it first with the keytool -printcert command, or with the keytool -importcert command without the -noprompt option, and make sure that the displayed certificate fingerprints match the expected ones.

You can call the person who sent the certificate and compare the fingerprints that you see with the ones that they show, or with the ones that a secure public key repository shows. Only when the fingerprints are equal is it guaranteed that the certificate was not replaced in transit with somebody else's (for example, an attacker's) certificate.

If such an attack takes place and you did not check the certificate before you imported it, then you would be trusting anything the attacker has signed. If you trust that the certificate is valid, then you can add it to your keystore with the following command.

After you import a certificate that authenticates the public key of the CA you submitted your certificate signing request to (or there is already such a certificate in the cacerts file), you can import the certificate reply and replace your self-signed certificate with a certificate chain. This chain is either the one returned by the CA in response to your request (when the CA reply is a chain), or one constructed (when the CA reply is a single certificate) from the certificate reply and the trusted certificates that are already available in the keystore where you import the reply or in the cacerts keystore file.

For example, if you sent your certificate signing request to VeriSign, then you can import the reply with the following, which assumes the returned certificate is named VSMarkJ. If you used the jarsigner command to sign a Java Archive (JAR) file, then clients that want to use the file will want to authenticate your signature. One way the clients can authenticate you is by first importing your public key certificate into their keystore as a trusted entry.

You can export the certificate and supply it to your clients. As an example, you can copy your certificate to a file named MJ. With the certificate and the signed JAR file, a client can use the jarsigner command to authenticate your signature.
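The fingerprint check and the request, reply-import and export steps described above, as an added shell example; this is not code from the keytool documentation or from any project quoted on this page. It assumes a keytool on PATH that accepts the options used (including -gencert, which is not mentioned on this page and stands in for the external CA), and the keystore names, aliases, distinguished names and the test-only password changeit are constructed for the example. The fingerprint helpers are plain POSIX shell and run without keytool; the keytool workflow runs only when the script is invoked with the argument demo.

```shell
#!/bin/sh
# Added example: verify a CA certificate's SHA-256 fingerprint before trusting it,
# then walk the genkeypair -> certreq -> importcert (CA, then reply) -> exportcert flow.
# File names, aliases, distinguished names and the password are constructed.

# Normalise a fingerprint so that "AB:CD:EF" and "abcdef" compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': ' | tr '[:upper:]' '[:lower:]'
}

# Extract the SHA256 fingerprint from saved `keytool -printcert` output, which
# contains a line of the form "  SHA256: AA:BB:..." under "Certificate fingerprints:".
sha256_from_printcert() {
  awk '/SHA256:/ { print $2; exit }' "$1"
}

# Exit status 0 when both fingerprints denote the same non-empty value, 1 otherwise.
fingerprint_matches() {
  [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Import CERTFILE as a trusted certificate only if its fingerprint equals EXPECTED,
# a value obtained out of band (for example read to you by the CA's operator).
# The comparison replaces keytool's interactive "Trust this certificate?" check,
# which is the only reason -noprompt is acceptable here.
import_if_matches() {
  ks=$1 pw=$2 name=$3 certfile=$4 expected=$5
  actual=$(keytool -printcert -file "$certfile" | awk '/SHA256:/ { print $2; exit }')
  if fingerprint_matches "$expected" "$actual"; then
    keytool -importcert -noprompt -alias "$name" -file "$certfile" \
      -keystore "$ks" -storepass "$pw"
  else
    echo "fingerprint mismatch for $certfile: expected $expected, got $actual" >&2
    return 1
  fi
}

demo_workflow() {
  pw=changeit   # test-only; the page advises against passwords on real command lines
  # 1. Key pair plus self-signed certificate under alias "mykey" (-genkeypair).
  keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=Mark Jones, OU=Java, O=Example, C=US" \
    -keystore mykeystore.jks -storepass "$pw" -keypass "$pw"
  # 2. PKCS #10 certificate signing request for that entry (-certreq).
  keytool -certreq -alias mykey -file mykey.csr -keystore mykeystore.jks -storepass "$pw"
  # 3. Stand-in CA in its own keystore: self-signed CA certificate, then it signs
  #    the CSR with -gencert (assumed available; not part of the page's text).
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 365 -ext bc:c \
    -dname "CN=Example Root CA, O=Example, C=US" \
    -keystore ca.jks -storepass "$pw" -keypass "$pw"
  keytool -exportcert -alias ca -rfc -file ca.pem -keystore ca.jks -storepass "$pw"
  keytool -gencert -alias ca -infile mykey.csr -outfile reply.pem -rfc \
    -keystore ca.jks -storepass "$pw"
  # 4. Trust the CA only after the fingerprint check. Here the "expected" value is
  #    taken from the CA's own output; in practice it comes from an independent channel.
  keytool -printcert -file ca.pem > ca-printcert.txt
  expected=$(sha256_from_printcert ca-printcert.txt)
  import_if_matches mykeystore.jks "$pw" exampleca ca.pem "$expected"
  # 5. Import the CA reply under the same alias; keytool replaces the self-signed
  #    certificate with the chain, validating it against the trusted entry.
  keytool -importcert -alias mykey -file reply.pem -keystore mykeystore.jks -storepass "$pw"
  # 6. Export the certificate in RFC (PEM) form for clients that must verify your signatures.
  keytool -exportcert -alias mykey -rfc -file mykey.pem -keystore mykeystore.jks -storepass "$pw"
  keytool -list -v -alias mykey -keystore mykeystore.jks -storepass "$pw"
}

if [ "${1:-}" = demo ]; then demo_workflow; fi
```

Run it as sh keytool-demo.sh demo in an empty directory. The point of import_if_matches is the ordering: the expected fingerprint comes from an independent channel, the comparison happens before -importcert, and -noprompt is used only because that comparison has replaced the interactive check.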

The importkeystore command imports an entire keystore into another keystore: all entries from the source keystore, including keys and certificates, are imported into the destination keystore with a single command. You can use this command to import entries from a keystore of a different type. During the import, all new entries in the destination keystore keep the same alias names and the same protection passwords for secret keys and private keys.

If the keytool command cannot recover the private keys or secret keys from the source keystore, then it prompts you for a password. If it detects alias duplication, then it asks you for a new alias, and you can specify a new alias or simply allow the keytool command to overwrite the existing one. For example, to import entries from a typical JKS type keystore key. The importkeystore command can also be used to import a single entry from a source keystore into a destination keystore.

In this case, besides the options you see in the previous example, you need to specify the alias you want to import. The following command demonstrates this. Ensure that you store all the certificates in the same keystore. In these examples, RSA is the recommended key algorithm.
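A migration from a JKS keystore into a PKCS12 keystore with -importkeystore, as an added shell example rather than a command from this page. It checks the alias-duplication and completeness points made above by parsing saved keytool -list output, and passes the store password with the :file modifier, which is assumed to be available (keytool in JDK 8 and later accepts -storepass:file, -srcstorepass:file and -deststorepass:file; this modifier is not mentioned on the page) so that no password appears in a command line or shell history. Keystore and file names, the test-only password and the sample listings are constructed; key passwords are assumed to equal the store password, since keytool prompts otherwise.

```shell
#!/bin/sh
# Added example: JKS -> PKCS12 migration with -importkeystore, guarded by an alias
# clash check and followed by a completeness check. Not keytool's own code; file
# names and the test-only password are constructed for the example.

# Print the aliases found in saved `keytool -list` (non-verbose) output, sorted,
# one per line. Entry lines look like:  mykey, Jan 1, 2020, PrivateKeyEntry,
aliases_from_list() {
  awk -F', ' '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry), *$/ { print $1 }' "$1" | sort -u
}

# Compare two saved listings with comm(1): $1 is the comm flag set, $2 and $3 the files.
compare_aliases() {
  a=$(mktemp) b=$(mktemp)
  aliases_from_list "$2" > "$a"
  aliases_from_list "$3" > "$b"
  comm "$1" "$a" "$b"
  rm -f "$a" "$b"
}
common_aliases()  { compare_aliases -12 "$1" "$2"; }  # in both: keytool would prompt per clash
missing_aliases() { compare_aliases -23 "$1" "$2"; }  # in the source only: not migrated

# Migrate SRC (JKS) into DST (PKCS12). PWFILE holds the store password on its first
# line; create it under umask 077 so only the owner can read it. Key passwords are
# assumed to equal the store password; otherwise keytool prompts for them.
migrate_to_pkcs12() {
  src=$1 dst=$2 pwfile=$3
  keytool -list -keystore "$src" -storepass:file "$pwfile" > src-list.txt || return 1
  if [ -f "$dst" ]; then
    keytool -list -keystore "$dst" -storepass:file "$pwfile" > dst-list.txt || return 1
    clashes=$(common_aliases src-list.txt dst-list.txt)
    if [ -n "$clashes" ]; then
      echo "refusing to import; aliases already present in $dst:" $clashes >&2
      return 1
    fi
  fi
  keytool -importkeystore -srckeystore "$src" -srcstoretype JKS -srcstorepass:file "$pwfile" \
    -destkeystore "$dst" -deststoretype PKCS12 -deststorepass:file "$pwfile" || return 1
  keytool -list -keystore "$dst" -storepass:file "$pwfile" > dst-list.txt || return 1
  missing=$(missing_aliases src-list.txt dst-list.txt)
  if [ -n "$missing" ]; then
    echo "entries not found in $dst after import:" $missing >&2
    return 1
  fi
  echo "migrated $(aliases_from_list src-list.txt | wc -l | tr -d ' ') entries into $dst"
}

demo() {
  umask 077
  printf 'changeit\n' > store.pw   # test-only password; mode 0600 because of the umask
  keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=Demo, O=Example, C=US" -storetype JKS -keystore src.jks \
    -storepass:file store.pw -keypass:file store.pw
  migrate_to_pkcs12 src.jks dst.p12 store.pw
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh migrate.sh demo in an empty directory. Refusing to run -importkeystore when an alias already exists in the destination is a deliberate choice: the page notes that keytool will otherwise ask whether to overwrite, and an unattended script should not answer that question by accident.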

Keystores can have different types of entries. The two most applicable entry types for the keytool command are the following. Key entries: each entry holds very sensitive cryptographic key information, which is stored in a protected format to prevent unauthorized access. Typically, a key stored in this type of entry is a secret key, or a private key accompanied by the certificate chain for the corresponding public key.

See Certificate Chains. The keytool command can handle both types of entries, while the jarsigner tool only handles the latter type of entry, that is, private keys and their associated certificate chains. Trusted certificate entries: each entry contains a single public key certificate that belongs to another party. The entry is called a trusted certificate because the keystore owner trusts that the public key in the certificate belongs to the identity identified by the subject (owner) of the certificate.

The issuer of the certificate vouches for this by signing the certificate. All keystore entries (key and trusted certificate entries) are accessed by way of unique aliases.

An alias is specified when you add an entity to the keystore with the -genseckey command to generate a secret key, the -genkeypair command to generate a key pair (public and private key), or the -importcert command to add a certificate or certificate chain to the list of trusted certificates. Subsequent keytool commands must use this same alias to refer to the entity. This example specifies an initial password of dukekeypasswd, required by subsequent commands to access the private key associated with the alias duke.

If you later want to change Duke's private key password, use a command such as the following. This changes the password from dukekeypasswd to newpass. A password should not be specified on a command line or in a script unless it is for testing purposes or you are on a secure system.

If you do not specify a required password option on a command line, then you are prompted for it. The KeyStore class provided in the java. It is possible for there to be multiple different concrete implementations, each for a particular type of keystore. Currently, two command-line tools (keytool and jarsigner) and a GUI-based tool named Policy Tool make use of keystore implementations.

Because the KeyStore class is public, users can write additional security applications that use it. There is a built-in default implementation, provided by Oracle. It implements the keystore as a file with a proprietary keystore type (format) named JKS.

It protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password. Keystore implementations are provider-based. That is, there is a corresponding abstract KeyStoreSpi class, also in the java. The term provider refers to a package or a set of packages that supply a concrete implementation of a subset of services that can be accessed by the Java Security API.

Applications can choose different types of keystore implementations from different providers, using the getInstance factory method supplied in the KeyStore class. Keystore implementations of different types are not compatible. The keytool command works on any file-based keystore implementation. I heard that Java Keytool is a nice tool to generate keys and manage certificates. Java Keytool is a key and certificate management tool included in the Java package provided by Oracle.

It can be used to manage a keystore database of cryptographic keys, X. Certificate import and export operations support four file formats on Windows systems. Choose the format that meets your specific requirements.


Features: show which certificates in a keystore you hold the private key for.

Create and export certificates, with or without the private key. Create and open keystores.
