Keytool Operations

From NovaOrdis Knowledge Base
Latest revision as of 03:48, 9 April 2018

External

Internal

TODO

https://home.feodorov.com:9443/wiki/Wiki.jsp?page=Keytool

Generate a Public/Private Key Pair

A key pair can be generated and placed in the keystore with the following command. keytool wraps the new public key in a self-signed certificate and stores it together with the private key as one key entry under the given alias; -validity (90 days if omitted) sets the lifetime of that self-signed certificate. The private key thus generated can be used in the procedure to generate digitally signed certificates.

keytool \
   -genkeypair \
   -alias jce-provider-signing-key \
   -keyalg RSA \
   -keysize 2048 \
   -dname "cn=home.feodorov.com, ou=oceanlab, o=feodorov.com, l=Menlo Park, st=CA, c=US" \
   -keystore ./test-keystore.jks \
   -storepass something

A password passed with -storepass is recorded in the shell history and is visible to other local users in the process list while keytool runs. Omit the option to be prompted for it, or use the -storepass:file (or -storepass:env) form so it is read from a file or an environment variable instead. Note also that from JDK 9 on keytool defaults to the PKCS12 keystore type and warns that JKS is a proprietary format; a file named .jks is only a JKS keystore if it was created with -storetype JKS.

For more general considerations on private keys, see: Private Keys

Generate a Certificate Signing Request

A certificate signing request can be generated with the following command. This step is part of the procedure to generate digitally signed certificates. -alias and -keystore must point at the key entry created in the previous step: the request carries that entry's public key and distinguished name and is signed with its private key, so the CA can verify that whoever submitted it holds the key.

keytool \
   -certreq \
   -alias jce-provider-signing-key \
   -file novaordis-jce-provider2.csr \
   -keystore ./jce-provider-signing-keystore.jks \
   -storepass somepass

Inspect a Certificate

The certificate data can be displayed with:

keytool -printcert -v -file ./test-cert.pem

It accepts certificates in PEM (Base64 "printable") or binary DER encoding. With -v keytool also prints the extensions, which is where the subject alternative names, key usage and basic constraints live; check those, and the fingerprint, before trusting a certificate.

Inspect a Keystore

keytool -list -v -keystore ./test-keystore.jks

Without -v keytool prints only each alias, its entry type (PrivateKeyEntry or trustedCertEntry) and a certificate fingerprint; -v prints every certificate in each entry's chain in full, and -rfc prints them in PEM form instead. keytool prompts for the store password when -storepass is omitted.

Import into a Keystore

Import a Private Key into a Keystore

keytool has no command that imports a bare private key from a PEM or DER file. Bundle the key and its certificate chain into a PKCS#12 file first (for example with openssl pkcs12 -export) and then copy that file's entry into the target keystore with -importkeystore, the same command used in the Key Format Conversions section below.

Import a Certificate into a Keystore

-importcert reads a PEM or DER certificate from -file and stores it under -alias. If the alias does not exist yet, the certificate becomes a trusted certificate entry. If the alias names an existing key entry, keytool treats the file as a CA reply for that key: it checks that the reply matches the entry's public key and replaces the entry's self-signed certificate with the reply chain. Before adding a trusted certificate that does not chain to something already in the keystore (or, with -trustcacerts, in the JDK's cacerts file) keytool shows the fingerprint and asks for confirmation; -noprompt skips that question and should only be used once the fingerprint has been verified out of band.

Delete from a Keystore

Delete a Private Key from a Keystore

keytool -delete -alias name-of-entry-to-delete -keystore ./test-keystore.jks

-delete removes an entry of any type by alias, so the same command serves for a key entry and for a trusted certificate; keytool fails if the alias does not exist.

Delete a Certificate from a Keystore

Change the Alias of an Entry

keytool -changealias -alias old-name -destalias new-name -keystore ./test-keystore.jks

Key Format Conversions

Native to PKCS#12

No new key is generated here: an existing key entry (private key and certificate chain) is copied from a JKS keystore into a PKCS#12 file with -importkeystore. Only the entry named by -srcalias is copied; omit -srcalias to copy every entry. In a PKCS#12 keystore the key password is the store password, so keytool ignores a differing -destkeypass and prints a warning to that effect. The resulting .p12 file can be read by openssl pkcs12 and by most non-Java tools:

keytool \
   -importkeystore \
   -srckeystore saml.keystore \
   -destkeystore ./test-pvtkey.p12 \
   -deststoretype PKCS12 \
   -srcstorepass somepass \
   -deststorepass someotherpass \
   -srckeypass yetanotherpass \
   -destkeypass someotherpass2 \
   -srcalias myhostname
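The script below is an added example, not code from the NovaOrdis page, that runs the operations on this page end to end in a scratch directory: key pair generation, CSR, export and inspection of the certificate, import of a trusted certificate, alias change, deletion, and the copy of a key entry into a second PKCS#12 file. It assumes a JDK keytool on the PATH that accepts the -storepass:file modifier; the host name server.example.test, the DN, the aliases server-key, tls-2024 and server-trust, the password and the file names are all made up for the example. Every check is a grep over keytool's own output, so the script fails at the first step that does not produce what the page says it should.

```shell
#!/bin/sh
# Added example for the "Keytool Operations" page; not part of the original page.
# Assumptions: a JDK keytool on PATH and support for -storepass:file, so the store
# password is read from an owner-only file instead of appearing on the command line.
# Host name, DN, aliases, password and file names are invented for the example.
set -eu

# Runs the whole workflow inside directory $1. Returns 0 only if every step and
# every check succeeds. keytool's informational output is discarded; its exit
# status and the files it writes are what is checked.
keytool_lifecycle() {
    dir=$1
    pw="$dir/store.pw"
    umask 077                                     # key material and password file: owner-only
    printf '%s' 'correct horse battery staple' > "$pw"

    # 1. Key pair plus self-signed certificate in a PKCS#12 store. -validity is set
    #    explicitly because the self-signed certificate otherwise expires after 90 days.
    keytool -genkeypair -alias server-key -keyalg RSA -keysize 3072 -validity 365 \
        -dname 'CN=server.example.test, O=Example, C=US' \
        -ext 'SAN=dns:server.example.test' \
        -keystore "$dir/store.p12" -storetype PKCS12 -storepass:file "$pw" >/dev/null

    # 2. CSR for that entry; read it back before handing it to a CA.
    keytool -certreq -alias server-key -file "$dir/server.csr" \
        -keystore "$dir/store.p12" -storepass:file "$pw" >/dev/null
    keytool -printcertreq -file "$dir/server.csr" | grep -q 'CN=server.example.test'

    # 3. Export the self-signed certificate as PEM and inspect it the way the page does;
    #    -v is what makes the SAN extension visible.
    keytool -exportcert -rfc -alias server-key -file "$dir/server.pem" \
        -keystore "$dir/store.p12" -storepass:file "$pw" >/dev/null
    keytool -printcert -v -file "$dir/server.pem" | grep -q 'DNSName: server.example.test'

    # 4. Import that certificate into a separate trust store as a trusted entry.
    #    -noprompt is acceptable here only because we produced the certificate ourselves.
    keytool -importcert -noprompt -alias server-trust -file "$dir/server.pem" \
        -keystore "$dir/trust.p12" -storetype PKCS12 -storepass:file "$pw" >/dev/null
    keytool -list -keystore "$dir/trust.p12" -storepass:file "$pw" \
        | grep -q '^server-trust,.*trustedCertEntry'

    # 5. Rename the key entry, check the listing, then delete the trusted entry again.
    keytool -changealias -alias server-key -destalias tls-2024 \
        -keystore "$dir/store.p12" -storepass:file "$pw" >/dev/null
    keytool -list -keystore "$dir/store.p12" -storepass:file "$pw" \
        | grep -q '^tls-2024,.*PrivateKeyEntry'
    keytool -delete -alias server-trust -keystore "$dir/trust.p12" -storepass:file "$pw" >/dev/null
    keytool -list -keystore "$dir/trust.p12" -storepass:file "$pw" | grep -q 'contains 0 entries'

    # 6. Copy the key entry into a second PKCS#12 file (the page's "Native to PKCS#12" step).
    #    In PKCS#12 the key password equals the store password, so no -destkeypass is given.
    keytool -importkeystore -srckeystore "$dir/store.p12" -srcstorepass:file "$pw" \
        -srcalias tls-2024 -destkeystore "$dir/export.p12" -deststoretype PKCS12 \
        -deststorepass:file "$pw" >/dev/null 2>&1
    keytool -list -keystore "$dir/export.p12" -storepass:file "$pw" \
        | grep -q '^tls-2024,.*PrivateKeyEntry'
}

# Stand-alone run: `sh keytool_lifecycle.sh run` creates a scratch directory and reports.
if [ "${1:-}" = "run" ]; then
    scratch=$(mktemp -d)
    keytool_lifecycle "$scratch" && echo "all keytool steps passed in $scratch"
fi
```

The password file is created under umask 077 in the same directory as the keystores; in a real deployment it would live in a secrets store or be replaced by an interactive prompt, but either way it stays out of the command line and the shell history, which is the point of the -storepass:file form.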