Thursday, 15 August 2013

Keytool Explored

keytool is a utility provided by the JDK to generate the following things.

1. Symmetric key

keytool -genseckey -alias mykey -keyalg AES -keysize 128 -storetype jceks -keystore keystore.jks -storepass password -keypass password

2. Key-pair (private / public key)

The genkeypair command generates a private key / public key pair and stores it in a single file called a keystore. A keystore can contain more than one private/public key pair. A private/public key pair can be thought of as a padlock with its key, and a keystore as a box holding many such padlocks and keys. To lock any data, the public key, that is the padlock, can be given to the user.

keytool -genkeypair -alias mykey -keyalg RSA -keysize 1024 -storetype jceks -validity 365 -keypass password -keystore ppkeystore.jck -storepass password -dname "cn=localhost, ou=Verisign, o=MyComp Inc, l=Foster City, st=California, c=US"

3. Export Certificate from key pair

As mentioned above, a public key can be given to a user to encrypt data. A public key can be considered an open padlock, which can be used to lock something but cannot be used to unlock it.

keytool -export -alias mykey -storetype jceks -keystore ppkeystore.jck -storepass password -file public.crt

4. Request a Certificate from a Certificate Authority

This certificate follows the X.509 standard, that is the Public Key Infrastructure standard 509. This standard is used by Certificate Authorities (CAs) to generate certificates.

The certificate contains the Issuer, Validity and Public Key Info fields. The certificate itself is digitally signed by the private key of the issuing authority, such as Thawte or Verisign, and the signature is also embedded in the certificate in the Signature Algorithm section. Certificates of this type, issued by a third party, are generally used for web applications that need to run on the HTTPS/SSL port.

The browser verifies the certificate. To validate the certificate a second certificate is required that matches the issuer of the first certificate. This certificate is called the root certificate of the issuing authority. It contains the public key of the private/public key pair whose private key was used to sign the first certificate. All browsers nowadays come with a list of these root certificates.

In Chrome, if we go to Settings -> HTTPS/SSL -> Manage Certificates, all root certificates from certificate issuing authorities appear under trusted root certificates. When the browser goes to a URL that is served over HTTPS, the browser fetches the certificate issued by the CA for that URL, checks the issuer of that certificate and then validates that certificate using the root certificate of that issuer. If the root certificate of the issuer is not present in the Trusted Root Certificates, the browser gives a warning and asks the user to trust the certificate manually. This usually happens when a developer uses a self-signed certificate for development and testing.

Above, the first figure on the left-hand side shows that the browser has verified the CA and also mentions the encryption algorithm. In the second figure, since the certificate was self-signed and its root certificate is not present, the browser is not able to validate the identity of the CA and asks the user to manually trust the certificate.

5. Import a Certificate in a truststore.

A truststore is a collection of open padlocks, that is public certificates. To add a public certificate to a truststore, use the importcert command as shown below.

keytool -importcert -alias mykey -file public.crt -keystore pptruststore.jck -keypass password -storepass password
Owner: CN=localhost, OU=Verisign, O=MyComp Inc, L=Foster City, ST=California, C=US
Issuer: CN=localhost, OU=Verisign, O=MyComp Inc, L=Foster City, ST=California, C=US
Serial number: 5218562e
Valid from: Sat Aug 24 12:13:58 IST 2013 until: Sun Aug 24 12:13:58 IST 2014
Certificate fingerprints:
         MD5:  FC:CA:65:5D:25:0D:4A:4F:7E:4F:B9:A0:31:6B:42:16
         SHA1: C2:FD:48:18:E5:EF:9D:B4:3E:3F:34:3E:D3:24:B1:42:A4:EE:F3:52
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

A prompt is shown asking whether the user trusts the certificate or not. This prompt appears because the certificate was not generated by a trusted authority; it is a self-signed certificate. That means the issuer of the certificate and the party to whom the certificate is issued are the same.
If the certificate is from a verified authority, the prompt is not shown.
The entries for the various verified certificate authorities are present in the cacerts file in the JAVA_HOME/jre/lib/security folder.
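The following is an added example, not part of the original post, showing what the two files built above actually hold and how the trust check the browser performs can be reproduced with the JDK's own KeyStore and CertPathValidator APIs. It assumes ppkeystore.jck and pptruststore.jck were just created with the commands above (so the certificate is inside its validity period) and sit in the working directory; the class name TrustCheck is my own.

```java
// Added example (not from the original post): inspect the keystore and truststore built
// with keytool above and validate the exported certificate against the truststore,
// the way a browser validates a server certificate against its trusted roots.
// Assumes ppkeystore.jck / pptruststore.jck exist with the passwords used in the post.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.*;
import java.util.Collections;

public class TrustCheck {
    // Open a JCEKS store (the -storetype used in the keytool commands above).
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "password".toCharArray();
        KeyStore keystore = load("ppkeystore.jck", pass);
        KeyStore truststore = load("pptruststore.jck", pass);

        // The keystore holds the padlock AND its key: a private key entry under "mykey".
        PrivateKey priv = (PrivateKey) keystore.getKey("mykey", pass);
        X509Certificate cert = (X509Certificate) keystore.getCertificate("mykey");
        System.out.println("keystore 'mykey' has a private key: " + (priv != null));

        // The truststore holds only open padlocks: a trusted certificate entry, no key.
        System.out.println("truststore 'mykey' is a trusted cert entry: "
                + truststore.isCertificateEntry("mykey"));

        // Every trusted-cert entry in the truststore becomes a PKIX trust anchor,
        // just like the entries in cacerts or the browser's root store.
        PKIXParameters params = new PKIXParameters(truststore);
        params.setRevocationEnabled(false); // the self-signed test cert has no CRL/OCSP
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(cert));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("certificate chains to a trusted root: OK");
        } catch (CertPathValidatorException e) {
            // This is the programmatic equivalent of the browser warning above:
            // the issuer is not among the trust anchors, or the cert is expired.
            System.out.println("validation failed: " + e.getMessage());
        }
    }
}
```

Running it against a truststore that does not contain the certificate's issuer (for example an empty truststore) takes the catch branch, which is the same condition that makes the browser show its warning.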

