Cryptography in Java. Keytool Utility
Hello, Habr! I present to you the translation of the 10th article, "Java Keytool", by Jakob Jenkov from a series of articles for beginners who want to learn the basics of cryptography in Java.
Table of contents:
- Java cryptography
- Java cipher
Java Keytool is a command line tool that can generate public key / private key pairs and store them in a keystore. The keytool executable is distributed with the Java SDK (or JRE), so if you have the SDK installed, keytool is already installed as well.
The executable is called keytool. To run it, open a command prompt (cmd, console, shell, etc.) and change the current directory to the bin directory inside the Java SDK installation directory. Type keytool and press Enter. You should see something similar to this:
C:\Program Files\Java\jdk1.8.0_111\bin>keytool
Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore

Use "keytool -command_name -help" for usage of command_name

C:\Program Files\Java\jdk1.8.0_111\bin>
As you can see, the keytool utility supports a set of commands for working with keys, certificates and keystores. This guide covers the most commonly used of these commands.
Keytool takes many arguments, and the correct combination can be hard to remember. It is therefore recommended to put the sequence of keytool commands into a few CMD or shell scripts. Such scripts make it easy to re-execute the commands and also let you go back later and see exactly how the keystore was created.
Key pair generation
Generating a key pair (public key / private key) is one of the most common tasks keytool is used for. The generated key pair is inserted into the keystore file as a self-signed key pair. Here is the general command line format for generating a key pair:
-genkeypair -alias alias -keyalg keyalg -keysize keysize -sigalg sigalg -dname dname -keypass keypass -validity valDays -storetype storetype -keystore keystore -storepass storepass -providerClass provider_class_name -providerArg provider_arg -v -protected -Jjavaoption
The arguments are explained in the Keytool utility arguments section below. Not all of these arguments are needed; many are optional. The utility will tell you if you leave out a required argument. Here is an example of a command that imports a certificate into a keystore. Remember to remove the line breaks when entering the command on the command line.
"C:\Program Files\Java\jdk1.8.0_111\bin\keytool" -importcert -alias testkey -keypass 123456 -storetype JKS -keystore keystore2.jks -file cert.cert -rfc -storepass abcdef
Listing keystore entries
To list the entries in a keystore, you can use the list command. Below is the format of the list command. The line breaks are there for readability; remove them before executing the command:
-list -alias alias -storetype storetype -keystore keystore -storepass storepass -providerName provider_name -providerClass provider_class_name -providerArg provider_arg -v -rfc -protected -Jjavaoption
Here is an example list command. Remember to remove the line breaks!
"C:\Program Files\Java\jdk1.8.0_111\bin\keytool" -list -storetype JKS -keystore keystore.jks -storepass abcdef
This command will list all the entries in this keystore. The output will look something like this:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

testkey, 19-Dec-2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 4F:4C:E2:C5:DA:36:E6:A9:93:6F:10:36:9E:E5:E8:5A:6E:F2:11:16
If you include an alias argument in a list command, only the entry with the given alias is listed. Here is an example list command with an alias argument:
"C:\Program Files\Java\jdk1.8.0_111\bin\keytool" -list -alias testkey -storetype JKS -keystore keystore.jks -storepass abcdef
The result of the above command:
testkey, 15-Dec-2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 71:B0:6E:F1:E9:5A:E7:F5:5E:78:71:DC:08:80:47:E9:5F:F8:6D:25
Deleting a keystore entry
The keytool utility also has a command that removes an entry from the keystore: delete. Here is the format of this command:
-delete -alias alias -storetype storetype -keystore keystore -storepass storepass -providerName provider_name -providerClass provider_class_name -providerArg provider_arg -v -protected -Jjavaoption
Here is an example invocation of the delete command. Remember to remove the line breaks before running it!
"C:\Program Files\Java\jdk1.8.0_111\bin\keytool" -delete -alias testkey -storetype JKS -keystore keystore.jks -storepass abcdef
This command deletes the keystore entry with the alias testkey stored in the file keystore.jks.
Generating a certificate request
keytool can generate a certificate request with the certreq command. A certificate request is a request to a certification authority (CA) to create a public certificate for your organization. Once the certificate request has been created, it must be sent to the CA that you want to issue the certificate (for example Verisign, Thawte or another certificate authority). Before you can generate a certificate request for a key pair (private key and public key), you must generate that key pair in the keystore (or import it). How to do this is described in the corresponding chapter above. Here is the command format for generating a certificate request. Remember to remove all line breaks when using this command:
-certreq -alias alias -sigalg sigalg -file certreq_file -keypass keypass -storetype storetype -keystore keystore -storepass storepass -providerName provider_name -providerClass provider_class_name -providerArg provider_arg -v -protected -Jjavaoption
Here is an example certreq command:
"C:\Program Files\Java\jdk1.8.0_111\bin\keytool" -certreq -alias testkey -keypass 123456 -storetype JKS -keystore keystore.jks -storepass abcdef -file certreq.certreq
This command generates a certificate request for the key stored under the alias testkey in the file keystore.jks and writes the certificate request to a file named certreq.certreq.
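The article recommends putting the keytool commands into a script so that the keystore's history stays reproducible. The script below is an added example, not code from the original article: it wraps -genkeypair, -list, -certreq and -delete in POSIX shell functions, assumes keytool from JDK 8 or newer is on PATH, and takes the passwords from the STOREPASS and KEYPASS environment variables through keytool's -storepass:env / -keypass:env modifiers rather than placing them on the command line as the examples above do.

```sh
#!/bin/sh
# Added example, not part of the original article: POSIX shell functions that
# wrap the keytool commands covered above (genkeypair, list, certreq, delete).
# Assumptions: keytool from JDK 8 or newer is on PATH, and the passwords are
# supplied in the STOREPASS and KEYPASS environment variables. Passing them as
# -storepass:env / -keypass:env keeps them out of the script, the shell history
# and the process list, unlike the literal "-storepass abcdef" in the examples.
set -eu
export LC_ALL=C   # keytool then prints English messages, so parsing is stable

# Generate a 2048-bit RSA key pair plus self-signed certificate in a JKS store.
# The -dname is a constructed sample; without it keytool prompts interactively.
ks_create() {   # ks_create KEYSTORE ALIAS
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=example.test, OU=Dev, O=Example, L=City, ST=State, C=US" \
        -storetype JKS -keystore "$1" \
        -storepass:env STOREPASS -keypass:env KEYPASS >/dev/null
}

# Number of entries, parsed from the "Your keystore contains N entries" line.
ks_entry_count() {   # ks_entry_count KEYSTORE
    keytool -list -storetype JKS -keystore "$1" -storepass:env STOREPASS 2>/dev/null \
        | awk '/Your keystore contains/ { print $4 }'
}

# Certificate fingerprint of one alias (SHA1 on JDK 8, SHA-256 on newer JDKs).
ks_fingerprint() {   # ks_fingerprint KEYSTORE ALIAS
    keytool -list -alias "$2" -storetype JKS -keystore "$1" \
        -storepass:env STOREPASS 2>/dev/null \
        | sed -n 's/^Certificate fingerprint ([^)]*): *//p'
}

# Write a PEM certificate request (CSR) for ALIAS to OUTFILE and check it parses.
ks_csr() {   # ks_csr KEYSTORE ALIAS OUTFILE
    keytool -certreq -alias "$2" -storetype JKS -keystore "$1" \
        -storepass:env STOREPASS -keypass:env KEYPASS -file "$3" 2>/dev/null
    keytool -printcertreq -file "$3" >/dev/null
}

# Remove the entry again, as the delete command section describes.
ks_delete() {   # ks_delete KEYSTORE ALIAS
    keytool -delete -alias "$2" -storetype JKS -keystore "$1" \
        -storepass:env STOREPASS 2>/dev/null
}
```

Source the file and call the functions in order (create, count, fingerprint, csr, delete) with STOREPASS and KEYPASS exported; each step fails fast under set -e, so a broken keystore never goes unnoticed.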
Keytool utility arguments
Below is a list of the arguments that the various keytool commands accept. Remember that not all commands accept all of these arguments. Look at a specific command to see which arguments it takes.
-alias: The alias for the keystore entry. Remember that an alias can only point to one key.
-keyalg: The name of the algorithm used to generate the key. RSA is commonly used.
-keysize: The key size in bits. Typically only a few standard key sizes are used, and different algorithms support only certain predefined key sizes.
-sigalg: The signature algorithm used to sign the key pair.
-dname: A distinguished name as defined by the X.500 standard. This name is associated with the alias for this key pair in the keystore and is also used as the "issuer" and "subject" fields of the self-signed certificate.
-keypass: The key pair password required to access this particular key pair in the keystore.
-validity: The number of days for which the certificate attached to the key pair is valid.
-storetype: The file format in which the keystore is saved. The default is JKS. Another option is the PKCS11 format.
-keystore: The name of the keystore file in which the generated key pair is stored. If the file does not exist, it is created.
-file: The name of the file from which a certificate or certificate request is read, or to which it is written.
-storepass: The keystore password; everyone who wants to work with the keystore needs this password. The difference between -storepass and -keypass is that the first gives access to the keystore and the second to an individual key pair. You need both passwords to access any key stored in the keystore.
-rfc: When this flag is set, the utility uses a text format instead of a binary format, for example when exporting or importing certificates. The -rfc value refers to RFC 1421.
-providerName: The name of the cryptographic API provider to use when creating the key pair. The provider name must be specified in the Java security properties files.
-providerClass: The name of the root class of the cryptographic API provider to use. Used when the provider is not specified in the Java security properties files.
-providerArg: Arguments passed to the custom cryptographic provider during initialization (if the provider requires them).
-v: Short for verbose; keytool outputs a lot of additional information on the command line in a human-readable format.
-protected: Determines whether the keystore password is provided by some external mechanism, for example a hardware token. Valid values are true and false.
-Jjavaoption: A string of options passed to the Java VM that generates the key pair and creates the keystore.