keytool is the JDK's command-line tool for managing keys and certificates. It lets users manage their own public/private key pairs and the certificates that go with them, use digital signatures to provide integrity and authentication for data, and cache the public keys (in the form of certificates) of the parties they communicate with.
A certificate is a statement, digitally signed by one entity (a person, a company, and so on), that the public key (or some other information) of another entity has a particular value. When data is signed, the signature lets a verifier check both the integrity and the authenticity of the data. Integrity means the data has not been modified or tampered with; authenticity means the data really comes from whoever claims to have generated and signed it.
keytool stores keys and certificates in a keystore. The default keystore implementation is a file, and the keys in it are protected by a password.
Another tool, jarsigner, uses the information in a keystore to generate or verify digital signatures on Java archives (JAR files).
A keystore holds two kinds of entries:
Key entry: holds very sensitive cryptographic key material, stored in a protected format to prevent unauthorized access. The key is either a secret key, or a private key accompanied by the certificate chain for the corresponding public key.
Trusted certificate entry: holds a single public key certificate belonging to another party. It is called a trusted certificate because the keystore owner trusts that the public key in the certificate really belongs to the identity named as the certificate's subject.
Keystore aliases:
Every keystore entry (key entry or trusted certificate entry) is accessed through a unique, case-insensitive alias. For example, the aliases hugo and Hugo refer to the same keystore entry.
When adding an entry to the keystore, use the -genkey command to generate a key pair (public key and private key) and store it under an alias, or the -import command to add a certificate or certificate chain as a trusted certificate entry.
For example:
keytool -genkey -alias duke -keypass dukekeypasswd
This command generates a new public/private key pair and stores it in the keystore under the alias duke, with the private key protected by the password dukekeypasswd.
To change that key's password later, use:
keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
This changes the old password dukekeypasswd to newpass. Note that passwords given on the command line end up in the shell history and are visible to other users in the process list; if -keypass (or -storepass) is omitted, keytool prompts for the password instead, which is the safer habit.
Generating a keystore:
When the -genkey, -import or -identitydb command adds data to a keystore that does not exist yet, the keystore is created. By default it is the file .keystore in the user's home directory.
If -keystore is given, the keystore at the specified path is created instead.
Keystore implementation:
The KeyStore class in the java.security package provides a well-defined interface for reading and modifying the information in a keystore. At present it is used by two command-line tools, keytool and jarsigner, and by the GUI tool policytool. Because the KeyStore API is public, users can write additional security applications on top of it.
Sun also ships a built-in implementation that treats the keystore as a file and uses a proprietary keystore type (format) called JKS. It protects each private key with its own password and protects the integrity of the keystore as a whole with a keystore password, which may be different from the key passwords. (JKS is now a legacy format: since Java 9 the default store type is PKCS12, and an existing JKS file can be converted with keytool -importkeystore.)
Supported algorithms and key sizes:
keytool lets users choose the key pair generation and signature algorithms from those registered by the installed cryptographic service providers. In the JDK described here, the default key pair generation algorithm is DSA; if the private key is DSA the default signature algorithm is SHA1withDSA, and if the private key is RSA the default is MD5withRSA.
When generating a DSA key pair, the key size must be between 512 and 1024 bits. The default key size for any algorithm is 1024 bits. These defaults are weak by current standards (MD5 and SHA-1 signatures, 1024-bit keys, and newer JDKs flag them as weak), so in practice always pass -keyalg, -keysize and -sigalg explicitly, for example -keyalg RSA -keysize 2048 -sigalg SHA256withRSA.
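The script below is an added example, not part of the original article, that makes the two preceding sections concrete: it creates a JKS store and two PKCS12 stores with the key algorithm, key size and signature algorithm chosen explicitly rather than left to keytool's defaults, reads back what keytool actually recorded, and shows the keystore password doing its integrity job by rejecting a wrong password. It assumes a JDK keytool on PATH; the store names, aliases, distinguished name and password are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): generate key pairs with every
# algorithm choice stated explicitly, then inspect what keytool recorded.
# Assumes a JDK `keytool` on PATH; names and password below are made up.
set -e
command -v keytool >/dev/null 2>&1 || { echo "keytool not found: install a JDK"; exit 0; }

WORK="$(mktemp -d)"
PASS='demo-store-pass'   # constructed demo password; never hard-code a real one

# Generate one key pair.  -keyalg/-keysize/-sigalg are always given so the result
# does not depend on the JDK's defaults (DSA/SHA1withDSA and MD5withRSA on old ones).
gen_pair() {  # $1 keystore  $2 store type  $3 alias  $4 keyalg  $5 keysize  $6 sigalg
  keytool -genkeypair -keystore "$1" -storetype "$2" -storepass "$PASS" -keypass "$PASS" \
    -alias "$3" -keyalg "$4" -keysize "$5" -sigalg "$6" -validity 365 \
    -dname "CN=$3, OU=Demo, O=Example Corp, L=Palo Alto, ST=CA, C=US" 2>/dev/null
}

# Pull one "Label: value" line out of `keytool -list -v` (first match only).
list_field() {  # $1 keystore  $2 label, e.g. "Signature algorithm name"
  keytool -list -v -keystore "$1" -storepass "$PASS" 2>/dev/null \
    | sed -n "s/^[[:space:]]*$2: //p" | head -n 1
}

# Store type as keytool reports it, upper-cased (older releases print "jks").
store_type() { list_field "$1" "Keystore type" | tr '[:lower:]' '[:upper:]'; }

# Succeeds only if the store opens with the given password.  A wrong password and
# a file whose bytes were altered fail the same way ("Keystore was tampered with,
# or password was incorrect"): this is the whole-store integrity check.
store_opens() { keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1; }

JKS_STORE="$WORK/rsa.jks"; P12_STORE="$WORK/rsa.p12"; EC_STORE="$WORK/ec.p12"
gen_pair "$JKS_STORE" JKS    rsa-jks RSA 2048 SHA256withRSA
gen_pair "$P12_STORE" PKCS12 rsa-p12 RSA 2048 SHA384withRSA
gen_pair "$EC_STORE"  PKCS12 ec-p12  EC  256  SHA256withECDSA

for s in "$JKS_STORE" "$P12_STORE" "$EC_STORE"; do
  echo "$(basename "$s"): type=$(store_type "$s") sigalg=$(list_field "$s" 'Signature algorithm name')"
done

if store_opens "$JKS_STORE" 'wrong-password'; then
  echo "BUG: keystore opened with the wrong password"; exit 1
else
  echo "wrong keystore password rejected, as expected"
fi
```

Run it with a JDK installed; each line of the summary shows the store type and the signature algorithm keytool wrote into the self-signed certificate, which is the quickest way to confirm that a build script did not fall back to a weak default.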
Certificates:
A certificate is a digitally signed statement from one entity saying that the public key of some other entity has a particular value.
Public key: a number associated with a particular entity, intended to be known to every other entity that wishes to establish a trust relationship with it; it is used to verify signatures made by that entity.
Digital signature: when data is signed, the signature is stored together with the data. A signature proves that the entity knew the data and signed it with its private key.
Identity: a known way of addressing an entity. In some systems the identity is the public key; in others it can be anything from a Unix UID to an email address to an X.509 distinguished name.
Signature: computed over some data using the entity's private key.
Private key: a number that is supposed to be known only to the particular entity that owns it. Private and public keys exist in pairs in every public key cryptosystem; in a typical system such as DSA, a private key corresponds to exactly one public key. Private keys are used to compute signatures.
Entity: a person, an organization, a program, a computer, a business, a bank, or anything else you may want to trust to some degree.
keytool usage example:
Generate a keystore:
keytool -genkey -alias user -keyalg RSA -validity <days> -keystore keystore
Here -alias names the new key entry (user), -keyalg RSA selects an RSA key pair instead of the DSA default, -validity sets how many days the self-signed certificate is valid, and -keystore names the keystore file to create or update (here the file keystore in the current directory).
When the command runs, the system prompts:
Enter keystore password: (your password)
What is your first and last name?
[Unknown]: (your name)
What is the name of your organizational unit?
[Unknown]: (your organizational unit)
What is the name of your organization?
[Unknown]: (your organization name)
What is the name of your City or Locality?
[Unknown]: (your city)
What is the name of your State or Province?
[Unknown]: (your province)
What is the two-letter country code for this unit?
[Unknown]: cn
Is CN=(your name), OU=(your organizational unit), O=(your organization name), L=(your city), ST=(your province), C=cn correct?
[no]: yes
Because no -keypass was given, keytool finally asks for the key password, offering to reuse the keystore password if you just press RETURN.
Check the keystore:
keytool -list -v -keystore keystore
Enter keystore password: (your password)
The contents of the keystore are displayed, for example:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: user
Creation date: (date)
Entry type: keyEntry (newer JDKs print PrivateKeyEntry)
Certificate chain length: 1
Certificate[1]:
Owner: CN=(your name), OU=(your organizational unit), O=(your organization name), L=(your city), ST=(your province), C=CN
Issuer: CN=Duke, OU=Java Software, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
Serial number: (serial number in hex)
Valid from: (start date) until: (end date)
Certificate fingerprints:
MD5: (16 colon-separated hex bytes)
SHA1: (20 colon-separated hex bytes)
For a self-signed certificate, which is what -genkey produces, the Issuer line repeats the Owner DN; a different Issuer, as in the sample line above, means the certificate was signed by another party. The fingerprints are what you compare, over a channel you trust, when someone imports your exported certificate.
Export the certificate to the file testkey:
keytool -export -alias user -keystore keystore -rfc -file testkey
System output:
Enter keystore password: (your password)
Certificate stored in file <testkey>
Only the certificate (the public key and its signed attributes) is exported, never the private key. -rfc writes it in printable PEM form (Base64 between BEGIN CERTIFICATE and END CERTIFICATE lines); without -rfc the file is binary DER.
Import the certificate into a new truststore:
keytool -import -alias dukecert -file testkey -keystore truststore
Enter keystore password: (a new password, since the truststore is being created)
keytool then prints the certificate's owner, issuer and fingerprints and asks "Trust this certificate? [no]:". Answer yes only after the fingerprints match the ones shown by -list on the keystore the certificate came from.
Check the truststore:
keytool -list -v -keystore truststore
The contents of the truststore are displayed; the imported entry has type trustedCertEntry.
Now you can run your application with the appropriate keystores, for example:
java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=password Server
and:
java -Djavax.net.ssl.trustStore=truststore (client class)
The truststore password (-Djavax.net.ssl.trustStorePassword) may be omitted because a truststore holds only public certificates, but without it the truststore's integrity is not verified when it is loaded. As with keytool itself, passwords passed as -D options are visible in the process list; prefer reading them from a protected file or the environment.
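The walkthrough above, run end to end as a script, is given here as an added example that is not part of the original article. It performs the same steps (generate a key entry, export the certificate, import it into a separate truststore) and adds the checks a practitioner wants: the SHA-256 fingerprint is compared across the keystore entry, the exported file and the truststore entry before anything is trusted, and the -keypasswd command from the earlier section is exercised to confirm that the old key password stops working. It assumes a JDK keytool on PATH; the file names, aliases, distinguished name and passwords are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): key entry -> exported certificate
# -> trusted certificate entry, with fingerprint and key-password checks.
# Assumes a JDK `keytool` on PATH; names and passwords below are made up.
set -e
command -v keytool >/dev/null 2>&1 || { echo "keytool not found: install a JDK"; exit 0; }

WORK="$(mktemp -d)"
STORE="$WORK/keystore"; TRUST="$WORK/truststore"; CERT="$WORK/testkey"
STOREPASS='demo-store-pass'; KEYPASS='demo-key-pass'; NEWKEYPASS='demo-new-key-pass'

# SHA-256 fingerprint of the certificate stored under alias $2 in keystore $1.
store_fingerprint() {
  keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}
# SHA-256 fingerprint of a certificate file, read without touching any keystore.
file_fingerprint() {
  keytool -printcert -file "$1" 2>/dev/null | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}
# Entry type keytool reports: PrivateKeyEntry or trustedCertEntry (old JDKs: keyEntry).
entry_type() {
  keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
    | sed -n 's/^[[:space:]]*Entry type: //p' | head -n 1
}
# Succeeds only if $2 unlocks the private key "duke" in keystore $1: a certificate
# request needs the private key, so this proves which key password is in force.
key_unlocks() {
  keytool -certreq -alias duke -keystore "$1" -storepass "$STOREPASS" -keypass "$2" \
    -file "$WORK/duke.csr" >/dev/null 2>&1
}

# 1. Key entry: key pair plus self-signed certificate (JKS, so the key has its own password).
keytool -genkeypair -alias duke -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
  -keystore "$STORE" -storetype JKS -storepass "$STOREPASS" -keypass "$KEYPASS" \
  -dname "CN=Duke, OU=Java Software, O=Example Corp, L=Palo Alto, ST=CA, C=US" 2>/dev/null

# 2. Export the certificate (public key only) in PEM form.
keytool -exportcert -alias duke -keystore "$STORE" -storepass "$STOREPASS" -rfc -file "$CERT" 2>/dev/null

# 3. Import it into a separate truststore as a trusted certificate entry.
keytool -importcert -noprompt -alias dukecert -file "$CERT" -keystore "$TRUST" -storetype JKS \
  -storepass "$STOREPASS" 2>/dev/null

# 4. The same fingerprint must show up in all three places; compare before trusting anything.
fp_store="$(store_fingerprint "$STORE" duke)"
fp_file="$(file_fingerprint "$CERT")"
fp_trust="$(store_fingerprint "$TRUST" dukecert)"
echo "keystore:   $fp_store"
echo "file:       $fp_file"
echo "truststore: $fp_trust"
[ "$fp_store" = "$fp_file" ] && [ "$fp_file" = "$fp_trust" ] || { echo "fingerprint mismatch"; exit 1; }

# 5. Change the private key's password; the old one must stop working immediately.
keytool -keypasswd -alias duke -keystore "$STORE" -storepass "$STOREPASS" \
  -keypass "$KEYPASS" -new "$NEWKEYPASS" 2>/dev/null
if key_unlocks "$STORE" "$KEYPASS"; then echo "BUG: old key password still works"; exit 1; fi
key_unlocks "$STORE" "$NEWKEYPASS"
echo "entry types: $(entry_type "$STORE" duke) / $(entry_type "$TRUST" dukecert)"
```

-noprompt is used in step 3 only because step 4 performs the fingerprint comparison that the interactive "Trust this certificate?" prompt expects you to do by eye; in a manual session, keep the prompt and compare the fingerprints before answering yes.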
Lishi Xinzhi/Article/program/Java/hx/20 13 1 1/25684