You can use the following methods:
Method 1: generate the keystore with keytool (-genkey is the older name of the -genkeypair option):
keytool -genkey -alias test -keyalg RSA -keystore c:/key.store
RSA is an algorithm that can be used for both data encryption and digital signatures.
DSA (Digital Signature Algorithm, part of the Digital Signature Standard) is another public-key algorithm; it cannot be used for encryption, only for digital signatures. With DSA the recipient uses the sender's public key to verify the integrity of the data and the identity of the sender.
Extract the certificate:
We can easily extract the certificate with the keytool command.
The certificate includes the subject information and the public key.
keytool -export -alias <alias> -keystore <keystore file> -file <certificate file>
But keytool has no command that exports the private key. To extract it we have to use Java's KeyStore class, either getEntry() or getKey().
Read the keyStore file:
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;

char[] password = "password".toCharArray();
// Use the default type of the running JDK; it matches what that JDK's keytool creates
// (JKS up to Java 8, PKCS12 from Java 9 on). Pass "JKS" or "PKCS12" explicitly if you know the file type.
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// Load this KeyStore from the specified input stream
try (FileInputStream fis = new FileInputStream("c:/server/server_keystore")) {
    ks.load(fis, password);
}
// Each entry in the keystore is identified by an "alias" string.
// Use the specified protection parameters to obtain the keystore entry for the given alias.
// KeyStore.PrivateKeyEntry holds the PrivateKey and the corresponding certificate chain.
// Note that the key password (keytool -keypass) may differ from the store password; use the key password here.
Method 1:
KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("keystore alias", new KeyStore.PasswordProtection(password));
PrivateKey key = pkEntry.getPrivateKey();
Method 2: return the key associated with the given alias directly
PrivateKey key = (PrivateKey) ks.getKey("ser", password);
How do we verify that the extracted private key is correct? Public and private keys come in pairs, so we can take the public key from the certificate, encrypt some data with it, and decrypt it with the private key we just obtained. (This round trip only works for RSA, because a DSA key cannot encrypt; for DSA, sign with the private key and verify the signature with the public key instead.)
How to extract the certificate:
keytool -export -alias <alias> -keystore <keystore file> -file <certificate file>
// Get the public key from the certificate
import java.io.FileInputStream;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.crypto.Cipher;

CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate c;
// Generate a certificate object initialized from the data read from the input stream
try (FileInputStream in = new FileInputStream("C:\\server\\server.cer")) {
    c = cf.generateCertificate(in);
}
PublicKey publicKey = c.getPublicKey();
// Is the private key extracted above the right one? (RSA keys only; a DSA key cannot encrypt.)
String before = "asdf";
byte[] plainText = before.getBytes("UTF-8");
Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
// Encrypt with the public key and return the ciphertext bytes
byte[] cipherText = cipher.doFinal(plainText);
// key is the PrivateKey obtained from the keystore above
cipher.init(Cipher.DECRYPT_MODE, key);
// Decrypt with the private key and return the plaintext bytes.
// With the wrong private key this throws a BadPaddingException instead of printing garbage.
byte[] newPlainText = cipher.doFinal(cipherText);
System.out.println(new String(newPlainText, "UTF-8"));
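The encrypt/decrypt round trip above says nothing about a DSA or EC key, and a wrong RSA key shows up as an exception rather than a clean "no". The following is an added example, not code from the original page: a checker that signs a random nonce with the private key and verifies it with the certificate's public key, which works for RSA, DSA and EC keys alike, with an RSA modulus comparison as a cheap first test. The main method uses freshly generated key pairs as constructed stand-ins for the keystore entry and its certificate; the class and method names are my own.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

public class KeyPairCheck {

    // Map the key algorithm to a signature algorithm the JDK supports for it.
    private static String signatureAlgorithmFor(Key key) {
        switch (key.getAlgorithm()) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            case "DSA": return "SHA256withDSA";
            default: throw new IllegalArgumentException("Unsupported key algorithm: " + key.getAlgorithm());
        }
    }

    // True only if a signature made with priv verifies under pub, i.e. they are one key pair.
    public static boolean keyPairMatches(PublicKey pub, PrivateKey priv) throws GeneralSecurityException {
        if (!pub.getAlgorithm().equals(priv.getAlgorithm())) {
            return false;
        }
        // Cheap structural check for RSA: both halves of a pair share the modulus.
        if (pub instanceof RSAPublicKey && priv instanceof RSAPrivateKey) {
            if (!((RSAPublicKey) pub).getModulus().equals(((RSAPrivateKey) priv).getModulus())) {
                return false;
            }
        }
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);

        Signature signer = Signature.getInstance(signatureAlgorithmFor(priv));
        signer.initSign(priv);
        signer.update(nonce);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(signatureAlgorithmFor(pub));
        verifier.initVerify(pub);
        verifier.update(nonce);
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            return false; // signature is malformed for this key, e.g. a different key size
        }
    }

    // Overload for the objects you actually get from a keystore: the entry's certificate and private key.
    public static boolean keyPairMatches(Certificate cert, PrivateKey priv) throws GeneralSecurityException {
        return keyPairMatches(cert.getPublicKey(), priv);
    }

    private static KeyPair generate(String algorithm, int size) throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm);
        kpg.initialize(size);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: fresh key pairs stand in for the keystore entry and its certificate.
        KeyPair rsa = generate("RSA", 2048);
        KeyPair ec = generate("EC", 256);
        KeyPair dsa = generate("DSA", 2048);
        KeyPair otherRsa = generate("RSA", 2048);

        System.out.println("RSA pair matches:            " + keyPairMatches(rsa.getPublic(), rsa.getPrivate()));
        System.out.println("EC pair matches:             " + keyPairMatches(ec.getPublic(), ec.getPrivate()));
        System.out.println("DSA pair matches:            " + keyPairMatches(dsa.getPublic(), dsa.getPrivate()));
        System.out.println("RSA pub vs other RSA priv:   " + keyPairMatches(rsa.getPublic(), otherRsa.getPrivate()));
        System.out.println("RSA pub vs EC priv:          " + keyPairMatches(rsa.getPublic(), ec.getPrivate()));
    }
}
```

With a real keystore, call keyPairMatches(ks.getCertificate(alias), key) right after getKey(); the signature test is also what a TLS handshake will effectively do, so a false here means the keystore entry is unusable for SSL, not just for this check.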
Method 2: export the private key to a PEM file with the following class:
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Base64;

public class ExportPrivateKey {
    private File keystoreFile;
    private String keyStoreType;
    private char[] password;
    private String alias;
    private File exportedFile;

    // Returns the key pair stored under alias, or null if the alias holds no private key.
    // The same password is used for the store and the key; pass the key password here if it differs.
    public static KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password)
            throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
        Key key = keystore.getKey(alias, password);
        if (key instanceof PrivateKey) {
            Certificate cert = keystore.getCertificate(alias);
            PublicKey publicKey = cert.getPublicKey();
            return new KeyPair(publicKey, (PrivateKey) key);
        }
        return null;
    }

    public void export() throws Exception {
        KeyStore keystore = KeyStore.getInstance(keyStoreType);
        try (InputStream in = new FileInputStream(keystoreFile)) {
            keystore.load(in, password);
        }
        KeyPair keyPair = getPrivateKey(keystore, alias, password);
        if (keyPair == null) {
            throw new KeyStoreException("No private key entry under alias " + alias);
        }
        PrivateKey privateKey = keyPair.getPrivate();
        // getEncoded() returns the DER PKCS#8 encoding, which is what a "PRIVATE KEY" PEM block carries.
        // Base64.getMimeEncoder wraps at 64 characters as PEM expects (sun.misc.BASE64Encoder was removed in Java 9).
        String encoded = Base64.getMimeEncoder(64, "\n".getBytes("US-ASCII")).encodeToString(privateKey.getEncoded());
        // The output file holds the private key unencrypted: restrict its permissions and delete it when done.
        try (FileWriter fw = new FileWriter(exportedFile)) {
            fw.write("-----BEGIN PRIVATE KEY-----\n");
            fw.write(encoded);
            fw.write("\n");
            fw.write("-----END PRIVATE KEY-----\n");
        }
    }

    // Usage: java ExportPrivateKey <keystore file> <keystore type> <password> <alias> <output file>
    // A password given on the command line is visible in the process list and shell history.
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("Usage: java ExportPrivateKey <keystore file> <keystore type> <password> <alias> <output file>");
            System.exit(1);
        }
        ExportPrivateKey export = new ExportPrivateKey();
        export.keystoreFile = new File(args[0]);
        export.keyStoreType = args[1];
        export.password = args[2].toCharArray();
        export.alias = args[3];
        export.exportedFile = new File(args[4]);
        export.export();
    }
}
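Once a private key has been written out as in Method 2, the practical questions are whether the PEM file can actually be read back and whether it was written where only you can read it. The following is an added example, not code from the original page: it reproduces the PKCS#8 PEM encoding, parses such a PEM back into a PrivateKey (trying the RSA, EC and DSA key factories in turn, since the PEM header does not name the algorithm), and writes the file with owner-only permissions where the file system supports that. The main method uses generated key pairs as constructed stand-ins for keystore entries; the class and method names are my own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

public class Pkcs8Pem {

    private static final String BEGIN = "-----BEGIN PRIVATE KEY-----";
    private static final String END = "-----END PRIVATE KEY-----";

    // PrivateKey.getEncoded() yields DER PKCS#8 for JDK keys; wrap it in 64-column Base64 PEM.
    public static String toPem(PrivateKey key) {
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalArgumentException("Key is not PKCS#8-encodable (format " + key.getFormat() + ")");
        }
        Base64.Encoder enc = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        return BEGIN + "\n" + enc.encodeToString(key.getEncoded()) + "\n" + END + "\n";
    }

    // Parse an unencrypted PKCS#8 PEM block back into a PrivateKey. The header does not say
    // which algorithm the key uses, so try each JDK key factory; the DER AlgorithmIdentifier decides.
    public static PrivateKey fromPem(String pem) throws GeneralSecurityException {
        int start = pem.indexOf(BEGIN);
        int end = pem.indexOf(END);
        if (start < 0 || end < 0 || end < start) {
            throw new InvalidKeySpecException("Not an unencrypted PKCS#8 PEM block");
        }
        String body = pem.substring(start + BEGIN.length(), end);
        byte[] der = Base64.getMimeDecoder().decode(body); // the MIME decoder tolerates line breaks
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        InvalidKeySpecException last = null;
        for (String algorithm : new String[] {"RSA", "EC", "DSA"}) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                last = e; // the algorithm OID in the blob did not match this factory; try the next one
            }
        }
        throw last;
    }

    // Write the PEM readable by the owner only. On non-POSIX file systems (e.g. NTFS) the
    // permission step is skipped, and you must restrict access to the file yourself.
    public static void writeProtected(Path path, String pem) throws IOException {
        Files.write(path, pem.getBytes(StandardCharsets.US_ASCII));
        try {
            Files.setPosixFilePermissions(path, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            System.err.println("warning: could not set POSIX permissions on " + path);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: generated keys stand in for private keys read from a keystore.
        for (String algorithm : new String[] {"RSA", "EC"}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm);
            kpg.initialize(algorithm.equals("RSA") ? 2048 : 256);
            PrivateKey original = kpg.generateKeyPair().getPrivate();

            String pem = toPem(original);
            PrivateKey restored = fromPem(pem);
            System.out.println(algorithm + " in-memory round trip OK: "
                    + Arrays.equals(original.getEncoded(), restored.getEncoded()));

            Path out = Files.createTempFile("exported-key", ".pem");
            try {
                writeProtected(out, pem);
                String readBack = new String(Files.readAllBytes(out), StandardCharsets.US_ASCII);
                System.out.println(algorithm + " file round trip OK: "
                        + Arrays.equals(original.getEncoded(), fromPem(readBack).getEncoded()));
            } finally {
                Files.deleteIfExists(out); // never leave an unencrypted private key lying around
            }
        }
    }
}
```

If the goal is only to hand the key to another tool, you can avoid writing it unencrypted at all: keytool -importkeystore -srckeystore c:/key.store -destkeystore key.p12 -deststoretype PKCS12 converts the store to PKCS12, which stays password-protected and which OpenSSL reads directly.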
Method 3:
Use this command to export the certificate:
keytool -export -alias <alias> -keystore <keystore file> -file <cert_file_name>
The exported certificate has the .cer extension; on Windows you can then open it and re-save it in a different certificate storage format.
It seems that the private key cannot be exported; I am not very clear on this.
There is no need to export the key and certificate when configuring SSL: Tomcat can use the keystore directly.