keytool is a key and certificate management tool. It manages a keystore, essentially a database of private keys together with the X.509 certificate chains that authenticate the corresponding public keys. With keytool, users can administer their own public/private key pairs and the associated certificates, both for self-authentication (proving their own identity to other users or services) and for data integrity and authentication services based on digital signatures. It also lets users cache the public keys, in the form of certificates, of the peers they communicate with.

A certificate is a digitally signed statement from one entity (an individual, a company, and so on) asserting that the public key (or other information) of another entity has a particular value. Once data has been signed, the signature is used to check the integrity and authenticity of the data: integrity means the data was not modified or tampered with, and authenticity means the data really came from the party that produced and signed it.

keytool stores keys and certificates in a keystore. The default keystore implementation is a file, and it protects private keys with passwords. The companion tool jarsigner uses the keys and certificates in a keystore to generate or verify digital signatures on Java Archive (JAR) files.

A keystore holds two different kinds of entries:

1. Key entries: each holds very sensitive cryptographic key information, stored in a protected format to prevent unauthorized access. The key stored in this form is either a secret key or a private key accompanied by the certificate chain for the corresponding public key.

2. Trusted certificate entries: each contains a single public key certificate belonging to another party. It is called a "trusted" certificate because the keystore owner trusts that the public key in the certificate really belongs to the identity named as the certificate's subject.

Keystore aliases: every keystore entry (key or trusted certificate) is accessed through a unique alias. Aliases are case-insensitive, so the aliases Hugo and hugo refer to the same keystore entry. An alias is assigned when an entry is added to the keystore, whether by generating a key pair (public key and private key) with -genkey or by adding a certificate or certificate chain to the trusted certificates with -import. For example:

keytool -genkey -alias duke -keypass dukekeypasswd

generates a new public/private key pair under the alias duke, where dukekeypasswd is the password protecting that alias's private key. To change the password later, use:

keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass

which replaces the old password dukekeypasswd with newpass.
How a keystore is created:

1. When you add data to a keystore with -genkey, -import, or -identitydb and the keystore does not yet exist, keytool creates one. By default the keystore is stored in the user's home directory.

2. When -keystore is given, the keystore at the specified location is used, and created there if it does not exist.

The KeyStore class in the java.security package provides a well-designed interface for reading and modifying the information in a keystore. Currently two command-line tools, keytool and jarsigner, and one GUI tool, policytool, work with keystores. Because the KeyStore class is public, users can write additional security applications that use it.

Sun supplies a built-in keystore implementation that stores the keystore as a file, using a proprietary keystore type (format) named "JKS". It protects each private key with its own password, and it also protects the integrity of the whole keystore with a password that may differ from the key passwords.

Supported algorithms and key sizes: keytool lets users specify any key pair generation and signature algorithm supplied by a registered cryptographic service provider. The default key pair generation algorithm is "DSA". If the private key is a DSA key, the default signature algorithm is "SHA1withDSA"; if it is an RSA key, the default is "MD5withRSA". When generating a DSA key pair, the key size must be between 512 and 1024 bits. The default key size for any algorithm is 1024 bits. (These are the defaults of the JDK release the article describes; current keytool releases default to larger keys and SHA-2-based signature algorithms, and MD5-based signatures are no longer accepted for certificates.)

Certificate: a certificate is a digitally signed statement from one entity asserting that the public key of another entity has a particular value. The terms involved:

1. Public key: a number associated with a particular entity and intended to be known to everyone who needs trusted interactions with that entity. The public key is used to verify signatures.

2. Digital signature: when data is signed, it is stored together with the identity of the signing entity and a signature that proves the entity knows the data. The data is signed with the entity's private key.

3. Identity: a known way of addressing an entity. In some systems the identity is the public key itself; in others it can be anything from a Unix UID to an email address to an X.509 distinguished name.

4. Signature: a value computed over some data with an entity's private key.

5. Private key: a number that is supposed to be known only to the specific entity that owns it. Private and public keys exist in pairs in every public-key cryptosystem; in a public-key algorithm such as DSA, one private key corresponds to exactly one public key. The private key is used to compute signatures.

6. Entity: an entity can be a person, an organization, a program, a computer, a business, a bank, or anything else you want to trust to some degree.
Using keytool:

1. Generate a keystore:

keytool -genkey -alias user -keyalg RSA -validity 7 -keystore keystore

Here user is the alias of the new key entry and -keystore names the keystore file. When you run this command the system prompts:

Enter keystore password: yourpassword
What is your first and last name?
  [Unknown]: your name (enter your name)
What is the name of your organizational unit?
  [Unknown]: your organizational unit (enter the name of your organizational unit)
What is the name of your organization?
  [Unknown]: your organization name (enter the name of your organization)
What is the name of your City or Locality?
  [Unknown]: your city name (enter the name of the city)
What is the name of your State or Province?
  [Unknown]: your province name (enter the name of the province)
What is the two-letter country code for this unit?
  [Unknown]: CN (enter the country code)
Is CN=your name, OU=your organizational unit, O="your organization name", L=your city name, ST=your province name, C=CN correct?
  [no]: yes

2. Inspect a keystore:

keytool -list -v -keystore keystore
Enter keystore password: yourpassword (enter the password)

The keystore contents are displayed, for example:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: yourname
Creation date: Dec 20, 2001
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=yourname, OU=your organization, O="your organization name", L=your city name, ST=your province name, C=CN
Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
Serial number: 3C22ADC1
Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
     MD5:  F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
     SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74

3. Export a certificate from the keystore to a file (here testkey):

keytool -export -alias duke -keystore keystore -rfc -file testkey

where duke is the alias of the key entry whose certificate is exported. System output:

Enter keystore password: yourpassword (enter the password)
Certificate stored in file <testkey>

4. Import the certificate into a truststore:

keytool -import -alias dukecert -file testkey -keystore truststore
Enter keystore password: yournewpassword (enter the password of the new truststore)

5. Inspect the truststore:

keytool -list -v -keystore truststore

The truststore contents are displayed. Now you can run your application with the appropriate keystore and truststore, for example the server:

java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=password Server

and the client:

java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword Client
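The inspection and trust steps above, as an added example that is not part of the original article, using the java.security.KeyStore class mentioned earlier: it opens the keystore and truststore the commands produce, distinguishes key entries from trusted certificate entries, checks the validity window set by -validity, and confirms that a trusted certificate in the truststore actually verifies the server's certificate before Server and Client are run with the javax.net.ssl properties. The file names keystore/truststore and the passwords are assumptions taken from the commands above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example, not from the original article. Usage (file names and
// passwords are assumptions matching the commands above):
//   java KeyStoreCheck keystore yourpassword truststore yournewpassword
public class KeyStoreCheck {
    // Open a JKS file; a wrong store password makes load() fail the
    // keystore integrity check and throw an IOException.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // True if some trusted-certificate entry in 'trust' signed 'cert'
    // (for a self-signed certificate: the same certificate was imported).
    static boolean trustedBy(X509Certificate cert, KeyStore trust) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            if (!trust.isCertificateEntry(alias)) continue; // skip key entries
            try {
                cert.verify(trust.getCertificate(alias).getPublicKey());
                return true; // signature checks out against this trusted entry
            } catch (Exception notThisAnchor) { /* wrong key: try the next entry */ }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load(args[0], args[1].toCharArray());
        KeyStore ts = load(args[2], args[3].toCharArray());
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // only entries holding a private key
            // chain[0] is the entry's own certificate; for -genkey it is self-signed
            X509Certificate leaf = (X509Certificate) ks.getCertificateChain(alias)[0];
            boolean inDate = true; // checkValidity() enforces the -validity window
            try { leaf.checkValidity(); } catch (CertificateException e) { inDate = false; }
            System.out.println(alias + ": " + leaf.getSubjectX500Principal()
                    + ", valid until " + leaf.getNotAfter() + ", in date: " + inDate
                    + ", trusted by truststore: " + trustedBy(leaf, ts));
        }
    }
}
```

A key entry reported as "trusted by truststore: false" means the client run with that truststore will reject the server's certificate, which is the usual cause of handshake failures after steps 3 and 4 were done with mismatched aliases or files.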
See: http://www.ccw.com.cn/htm/center/prog/02_7_8_4.asp