Sunday, September 13, 2009

How to generate a keypair

How to generate a keypair by using keytool


1. Generate keypair and keystore.

The following command generates a keypair whose certificate will be valid for 20 years (the -validity value is given in days):

C:\>keytool -genkeypair -alias test -validity 7200 -keystore teststore -storepass passw0rd -keypass passw0rd -dname "cn=test, ou=test, o=test, l=test, st=test, c=test"

The keystore will be created if there is no keystore named teststore in the working directory.

2. Export public key certificate.

The following command exports the public key certificate that we have just generated in step 1:

C:\>keytool -exportcert -alias test -keystore teststore -storepass passw0rd -file testcert.cer

Certificate stored in file

You'll find the public key certificate named testcert.cer in the current working directory.


3. Import public key certificate into the keystore as a trusted certificate entry

The following command imports the public key certificate into the keystore under a second alias, testtrusted:

C:\>keytool -import -trustcacerts -alias testtrusted -keystore teststore -storepass passw0rd -file testcert.cer

Certificate already exists in keystore under alias

Do you still want to add it? [no]: yes

Certificate was added to keystore


4. View keystore details:

C:\>keytool -list -v -keystore teststore -storepass passw0rd
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: testtrusted
Creation date: Sep 13, 2009
Entry type: trustedCertEntry

Owner: CN=test, OU=test, O=test, L=test, ST=test, C=test
Issuer: CN=test, OU=test, O=test, L=test, ST=test, C=test
Serial number: 4aacbead
Valid from: Sun Sep 13 17:43:09 SGT 2009 until: Thu May 31 17:43:09 SGT 2029
Certificate fingerprints:
         MD5:  CC:4B:EC:BD:10:F0:B0:8E:39:01:B9:C7:54:81:6B:76
         SHA1: 3F:5E:48:94:D4:78:F4:4D:FC:8F:64:86:7E:87:7B:AE:4B:D0:C4:7F
         Signature algorithm name: SHA1withDSA
         Version: 3

**************************************************************************************

Alias name: test
Creation date: Sep 13, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=test, OU=test, O=test, L=test, ST=test, C=test
Issuer: CN=test, OU=test, O=test, L=test, ST=test, C=test
Serial number: 4aacbead
Valid from: Sun Sep 13 17:43:09 SGT 2009 until: Thu May 31 17:43:09 SGT 2029
Certificate fingerprints:
         MD5:  CC:4B:EC:BD:10:F0:B0:8E:39:01:B9:C7:54:81:6B:76
         SHA1: 3F:5E:48:94:D4:78:F4:4D:FC:8F:64:86:7E:87:7B:AE:4B:D0:C4:7F
         Signature algorithm name: SHA1withDSA
         Version: 3

**************************************************************************************
The PrivateKeyEntry is what the server uses to establish the SSL connection, while the trustedCertEntry is what a client uses to check certificate validity during the SSL handshake. More precisely, the server sends the public key certificate from its PrivateKeyEntry to the client during the handshake; the client then verifies that certificate against its own trusted keystore. If the client finds that certificate itself, or the root certificate that issued it, in its trusted keystore, it considers the server trusted and the SSL session is established.
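The handshake check just described, as an added example in Java that is not from this post: it opens the post's teststore (file name, password and the aliases test and testtrusted are assumed from the commands above), takes the PrivateKeyEntry's certificate as what the server sends, and asks whether the client's trusted entries vouch for it, once with testtrusted imported and once with an empty trust store.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustCheck {
    // Assumed: the keystore file, password and aliases are the ones used in the post above.
    static final String STORE = "teststore";
    static final char[] PASS = "passw0rd".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");          // keystore type shown by keytool -list
        try (FileInputStream in = new FileInputStream(STORE)) {
            ks.load(in, PASS);
        }
        // Server side: the certificate attached to the PrivateKeyEntry is what gets sent to the client.
        X509Certificate serverCert = (X509Certificate) ks.getCertificate("test");
        // Client side: a trust store holding only trustedCertEntry entries (copied out of the same file here).
        KeyStore clientTrust = KeyStore.getInstance("JKS");
        clientTrust.load(null, null);                       // fresh, empty in-memory keystore
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) clientTrust.setCertificateEntry(alias, ks.getCertificate(alias));
        }
        System.out.println("anchor with testtrusted imported: " + findTrustAnchor(clientTrust, serverCert));
        KeyStore emptyTrust = KeyStore.getInstance("JKS");  // a client that never imported testcert.cer
        emptyTrust.load(null, null);
        System.out.println("anchor with empty trust store:    " + findTrustAnchor(emptyTrust, serverCert));
    }

    // Alias of the trusted entry that vouches for serverCert, or null when the client must reject it.
    static String findTrustAnchor(KeyStore trust, X509Certificate serverCert) throws KeyStoreException {
        for (String alias : Collections.list(trust.aliases())) {
            if (!trust.isCertificateEntry(alias)) continue;
            X509Certificate anchor = (X509Certificate) trust.getCertificate(alias);
            try {
                serverCert.checkValidity();                  // outside the validity period: reject
                if (anchor.equals(serverCert)) return alias; // the certificate itself is in the trust store
                if (anchor.getSubjectX500Principal().equals(serverCert.getIssuerX500Principal())) {
                    serverCert.verify(anchor.getPublicKey()); // anchor is the issuer: its key must verify the signature
                    return alias;
                }
            } catch (GeneralSecurityException e) {
                // expired, or issuer name matched but the signature did not: this anchor does not vouch for it
            }
        }
        return null;
    }
}
```

This hand-written matcher only mirrors the post's description; real clients should let TrustManagerFactory (PKIX) perform the check, since it also enforces key usage, algorithm constraints and revocation.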
