Cryptography in Java. Keytool Utility

Original author: Jakob Jenkov
  • Translation

Hello, Habr! I present to you the translation of the 10th article "Java Keytool" by Jakob Jenkov from a series of articles for beginners who want to learn the basics of cryptography in Java.


Table of contents:


  1. Java cryptography
  2. Java cipher
  3. MessageDigest
  4. Mac
  5. Signature
  6. KeyPair
  7. KeyGenerator
  8. KeyPairGenerator
  9. KeyStore
  10. Keytool
  11. Certificate
  12. CertificateFactory
  13. CertPath

Keytool Utility


Java Keytool is a command line tool that can generate public key / private key pairs and store them in a keystore. The utility executable is distributed with the Java SDK (or JRE), so if you have the SDK installed, Keytool is already installed as well.
The executable is called keytool. To run it, open a command prompt (cmd, console, shell, etc.) and change the current directory to the bin directory inside the Java SDK installation directory. Type keytool and press Enter. You should see something similar to this:


C:\Program Files\Java\jdk1.8.0_111\bin>keytool
Key and Certificate Management Tool
Commands:
 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore
Use "keytool -command_name -help" for usage of command_name
C:\Program Files\Java\jdk1.8.0_111\bin>

As you can see, the keytool utility supports a set of commands for working with keys, certificates, and keystores. This guide will cover the most commonly used of these commands.


Keytool Scripts


Keytool commands take many arguments, and it can be hard to remember how to set them correctly. It is therefore recommended to create a few CMD or shell scripts containing the sequence of Keytool commands you need. Such scripts make it easy to re-run the commands, and they also let you go back later and see how the keystore was created.


Key pair generation


Generating a key pair (public key / private key) is one of the most common tasks the Keytool utility is used for. The generated key pair is inserted into the KeyStore file as a self-signed key pair. Here is the general command line format for generating a key pair:


-genkeypair
    -alias alias
    -keyalg keyalg
    -keysize keysize
    -sigalg sigalg
    -dname dname
    -keypass keypass
    -validity valDays
    -storetype storetype
    -keystore keystore
    -storepass storepass
    -providerClass provider_class_name
    -providerArg provider_arg
    -v
    -protected
    -Jjavaoption

The arguments are explained in the Keytool Arguments section. Not all of these arguments are needed; many are optional. The utility will tell you if you left out a required argument. Here is an example of a command that imports a certificate into a KeyStore. Remember to remove the line breaks when entering the command on the command line.


"C:\Program Files\Java\jdk1.8.0_111\bin\keytool"
    -importcert
    -alias testkey
    -keypass 123456
    -storetype JKS
    -keystore keystore2.jks
    -file cert.cert
    -rfc
    -storepass abcdef

Listing Keystore Entries


To list the entries in a keystore, you can use the list command. Below is the format of the list command. The line breaks are there for readability only; remove them before executing the command:


-list
    -alias alias
    -storetype storetype
    -keystore keystore
    -storepass storepass
    -providerName provider_name
    -providerClass provider_class_name
    -providerArg provider_arg
    -v
    -rfc
    -protected
    -Jjavaoption

Here is an example list command. Remember to remove the line breaks!


"C:\Program Files\Java\jdk1.8.0_111\bin\keytool"
    -list
    -storetype JKS
    -keystore keystore.jks
    -storepass abcdef

This command will list all the entries in this keystore. The output will look something like this:


Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
testkey, 19-Dec-2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 4F:4C:E2:C5:DA:36:E6:A9:93:6F:10:36:9E:E5:E8:5A:6E:F2:11:16

If you include the alias argument in a list command, only the entry matching the given alias will be listed. Here is an example list command with an alias argument:


"C:\Program Files\Java\jdk1.8.0_111\bin\keytool"
    -list
    -alias testkey
    -storetype JKS
    -keystore keystore.jks
    -storepass abcdef

The result of the above command:


testkey, 15-Dec-2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 71:B0:6E:F1:E9:5A:E7:F5:5E:78:71:DC:08:80:47:E9:5F:F8:6D:25

Delete a keystore entry


The keytool utility also has a command that removes an entry from the keystore: delete. Here is the format of this command:


-delete
    -alias alias
    -storetype storetype
    -keystore keystore
    -storepass storepass
    -providerName provider_name
    -providerClass provider_class_name
    -providerArg provider_arg
    -v
    -protected
    -Jjavaoption

Here is an example of invoking the delete command. Remember to remove the line breaks before running it!


"C:\Program Files\Java\jdk1.8.0_111\bin\keytool"
    -delete
    -alias testkey
    -storetype JKS
    -keystore keystore.jks
    -storepass abcdef

This command deletes the keystore entry with the alias testkey stored in the file keystore.jks.


Certificate Request Generation


The keytool utility can generate a certificate request using the certreq command. A certificate request is a request to a certificate authority (CA) to create a public certificate for your organization. After creating a certificate request, you send it to the certificate authority you want to issue the certificate (for example, Verisign, Thawte or some other certificate authority). Before you can generate a certificate request for a public/private key pair, you must generate that key pair in the keystore (or import it). How to do this is described in the corresponding chapter. Here is the command format for generating a certificate request. Remember to remove all line breaks when using this command:


-certreq
    -alias alias
    -sigalg sigalg
    -file certreq_file
    -keypass keypass
    -storetype storetype
    -keystore keystore
    -storepass storepass
    -providerName provider_name
    -providerClass provider_class_name
    -providerArg provider_arg
    -v
    -protected
    -Jjavaoption

Here is an example -certreq command:


"C:\Program Files\Java\jdk1.8.0_111\bin\keytool"
    -certreq
    -alias testkey
    -keypass 123456
    -storetype JKS
    -keystore keystore.jks
    -storepass abcdef
    -file certreq.certreq

This command generates a certificate request for the key stored under the alias testkey in the file keystore.jks and writes the certificate request to a file named certreq.certreq.


Keytool utility arguments


The following is a list of the arguments the various keytool commands accept. Remember that not all commands accept all of these arguments. Look at a specific command to see which arguments it takes.


  • -alias The alias for the keystore entry. Remember, an alias can only point to one key.
  • -keyalg The name of the algorithm used to generate the key. RSA is commonly used.
  • -keysize The key size in bits. Key sizes are typically restricted to certain multiples, and different algorithms may support only certain predefined key sizes.
  • -sigalg The signature algorithm used to sign the key pair.
  • -dname A distinguished name from the X.500 standard. This name is associated with the alias of this key pair in the keystore and is also used as the "issuer" and "subject" fields of the self-signed certificate.
  • -keypass The key pair password, required to access this particular key pair in the keystore.
  • -validity The number of days for which the certificate attached to the key pair is to be valid.
  • -storetype The file format in which the keystore is to be saved. The default is JKS. Another option is the PKCS11 format.
  • -keystore The name of the keystore file in which the generated key pair is stored. If the file does not exist, it will be created.
  • -file The name of the file to read or write a certificate or certificate request from or to.
  • -storepass The keystore password; anyone who wants to work with the keystore needs it. The difference between storepass and keypass is that the first gives access to the keystore and the second to an individual key pair. You need both passwords to access any key stored in the keystore.
  • -rfc If you set this flag, the utility uses a text format rather than a binary format, for example when exporting or importing certificates. The -rfc value refers to RFC 1421.
  • -providerName The name of the cryptographic API provider you want to use when creating the key pair. The provider name must be listed in the Java security properties files.
  • -providerClass The name of the root class of the cryptographic API provider you want to use. Used when the provider name is not listed in the Java security properties files.
  • -providerArg Arguments passed to the custom cryptographic provider during initialization (if the provider requires them).
  • -v Short for verbose; Keytool prints a lot of additional information to the command line in a readable format.
  • -protected Determines whether the keystore password is to be supplied by some external mechanism, for example a hardware token. Valid values are true and false.
  • -Jjavaoption A string of options for the Java VM that generates the key pair and creates the keystore.
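As an added example that is not part of the original article, here is a shell script of the kind the Keytool Scripts section recommends: it chains the genkeypair, list, certreq and delete commands documented above and shows that -list needs only the store password while -certreq also needs the key password. It assumes keytool is on the PATH (or set in KEYTOOL) and uses constructed names and passwords (demo.jks, testkey, certreq.csr).

```shell
#!/bin/sh
# Added example, not from the original article. Works in a temporary
# directory so nothing on the machine is overwritten.
set -eu

KEYTOOL="${KEYTOOL:-keytool}"   # assumption: keytool is on PATH
WORKDIR="$(mktemp -d)"
KS="$WORKDIR/demo.jks"          # constructed keystore name
ALIAS="testkey"
STOREPASS="abcdef"              # constructed keystore password (-storepass)
KEYPASS="123456"                # constructed key-pair password (-keypass)

# Generate a self-signed RSA key pair. Store and key passwords are
# deliberately different, which JKS supports.
gen_keypair() {
  "$KEYTOOL" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -dname "CN=example.test, O=Example, C=US" \
    -validity 365 -storetype JKS -keystore "$KS" \
    -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# Count the private-key entries; -list needs only the store password.
count_entries() {
  "$KEYTOOL" -list -storetype JKS -keystore "$KS" -storepass "$STOREPASS" \
    | grep -c 'PrivateKeyEntry'
}

# Generating a certificate request signs with the private key, so it
# also needs the key password ($1); returns non-zero when it is wrong.
gen_certreq() {
  "$KEYTOOL" -certreq -alias "$ALIAS" -keypass "$1" -storetype JKS \
    -keystore "$KS" -storepass "$STOREPASS" -file "$WORKDIR/certreq.csr" \
    2>/dev/null
}

# Remove the entry again; the store password is enough for this.
delete_entry() {
  "$KEYTOOL" -delete -alias "$ALIAS" -storetype JKS -keystore "$KS" \
    -storepass "$STOREPASS"
}
```

Note that with -storetype PKCS12, older JDKs warn that differing store and key passwords are not supported and silently use the store password for the key, so the two-password behaviour shown here relies on JKS.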
