6
votes

After I did some research about keystores and certificates, I found the following guides:

  1. Understanding keystore, certificates and alias
  2. Java Keytool Essentials: Working with Java Keystores

Correct me if I am wrong. From what I understand (and tested):

  1. Using "keytool -genkeypair -alias testingkeypair -keyalg RSA -keystore keystore.jks" in cmd will generate a keystore.jks file which contains a private and public key pair with alias "domain"
  2. The keystore.jks file is then used to sign/export certificates
  3. The keystore.jks file can also be used to store multiple certificates

The thing that I do not understand is that, before I import any certificate into the keystore.jks file, when I try to see what is inside (using keytool -list -v -keystore keystore.jks), there appears to be a certificate already inside. Is it a default certificate for that keystore? I thought "keytool -genkeypair" would only generate a keystore with a key pair?

The result of keytool -list -v -keystore keystore.jks :

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: testingkeypair
    Creation date: Jan 11, 2016
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate:
    Owner: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
    Issuer: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
    Serial number: 650d8951
    Valid from: Mon Jan 11 14:43:52 SGT 2016 until: Sun Apr 10 14:43:52 SGT 2016
    Certificate fingerprints:
         MD5:    F0:74:9F:27:F0:08:AB:A0:BE:B2:A0:F2:94:45:94:90
         SHA1:   87:0C:E2:E2:06:A6:52:4E:0C:40:E9:B0:DE:75:A7:8C:CC:01:45:57
         SHA256: D1:B2:63:F0:85:A7:06:2E:7D:2B:E1:1E:91:9E:62:56:22:E7:61:36:E6:23:8A:6F:21:EF:2B:79:0D:12:B8:38
    Signature algorithm name: SHA256withRSA
    Version: 3


2 Answers

4
votes

After some more research, I have found the answer that I wanted. It was in the official javadoc for keytool. http://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html#genkeyCmd

It appears that whenever -genkey is used, a public/private key pair is generated and the public key is wrapped in a (self-signed) certificate. Hence the certificate I see when I use the "keytool -list -v" command straight after the -genkey command is the certificate for the public key.

1
votes

The command given in your second link is the answer:

    keytool -certreq \
        -alias domain \
        -file domain.csr \
        -keystore keystore.jks

You need to generate a certificate request, which will produce a certificate signing request (.csr) file. The .csr file will have your certificate details along with the public key, and the .jks file will have your private key. You need to send the .csr file to a CA like Symantec to get it signed. The CA will sign it and provide you a .cer or .crt (signed certificate), which you would need to import into your .jks (Java keystore):

    keytool -importcert \
        -trustcacerts -file domain.crt \
        -alias domain \
        -keystore keystore.jks

.jks is like a database to store certs and keys.
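To make both answers concrete, here is an added example (not from the question, either answer, or the linked guides) that runs the whole keytool lifecycle offline in a temporary directory: it generates the key pair, checks that the certificate shown by -list is self-signed (Owner equals Issuer, which is what the first answer describes), produces the CSR, signs it with a second keystore standing in for the CA (the step a real CA performs in the second answer), and imports the reply. The aliases, DNs, passwords, the "demo-ca" keystore and the shell function names are all assumptions for this demo; keytool must be on PATH (any JDK with -gencert, i.e. 7 or later).

```shell
#!/bin/sh
# Added example, not from the original post. Everything below (aliases, DNs,
# the "changeit" password, the stand-in CA keystore) is an assumption for the demo.
set -eu

PASS=changeit   # demo only; in practice use -storepass:file or -storepass:env

# 1. -genkeypair creates one PrivateKeyEntry. The public half is wrapped in a
#    self-signed certificate, so -list -v shows a certificate immediately.
gen_keypair() {
  keytool -genkeypair -alias testingkeypair -keyalg RSA -keysize 2048 \
    -dname "CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=SG" \
    -validity 90 -storetype JKS -keystore "$WORK/keystore.jks" \
    -storepass "$PASS" -keypass "$PASS"
}

# Self-signed means Owner and Issuer are the same DN; check that from -list -v.
cert_is_self_signed() {
  out=$(keytool -list -v -keystore "$WORK/keystore.jks" -storepass "$PASS" -alias testingkeypair)
  owner=$(printf '%s\n' "$out" | sed -n 's/^Owner: //p' | head -n 1)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^Issuer: //p' | head -n 1)
  [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# 2. -certreq writes a CSR carrying the DN and public key; the private key never leaves the JKS.
make_csr() {
  keytool -certreq -alias testingkeypair -file "$WORK/domain.csr" \
    -keystore "$WORK/keystore.jks" -storepass "$PASS" -keypass "$PASS"
}

# 3. Stand-in CA: a separate keystore whose key signs the CSR with -gencert.
#    A real CA does exactly this step with the .csr you send it.
sign_with_demo_ca() {
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 \
    -dname "CN=Demo CA, O=testing, C=SG" -validity 365 -ext bc:c \
    -storetype JKS -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS"
  keytool -gencert -alias demo-ca -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS" \
    -infile "$WORK/domain.csr" -outfile "$WORK/domain.crt" -validity 90 -rfc
  keytool -exportcert -alias demo-ca -keystore "$WORK/ca.jks" -storepass "$PASS" \
    -file "$WORK/ca.crt" -rfc
}

# 4. Import the CA certificate as a trusted entry first, then the signed reply
#    under the key alias. keytool verifies the reply's public key matches the
#    private key stored under that alias before replacing the self-signed cert.
import_reply() {
  keytool -importcert -noprompt -alias demo-ca -file "$WORK/ca.crt" \
    -keystore "$WORK/keystore.jks" -storepass "$PASS"
  keytool -importcert -trustcacerts -noprompt -alias testingkeypair -file "$WORK/domain.crt" \
    -keystore "$WORK/keystore.jks" -storepass "$PASS" -keypass "$PASS"
}

# After the reply is installed the entry holds a 2-certificate chain (leaf + CA).
chain_length() {
  keytool -list -v -keystore "$WORK/keystore.jks" -storepass "$PASS" -alias testingkeypair \
    | sed -n 's/^Certificate chain length: //p'
}

# Runs the full lifecycle in a fresh directory; returns 0 only if every step
# behaved as described above.
run_demo() {
  WORK=$(mktemp -d)
  gen_keypair >/dev/null 2>&1 &&
  cert_is_self_signed &&
  make_csr >/dev/null 2>&1 &&
  sign_with_demo_ca >/dev/null 2>&1 &&
  import_reply >/dev/null 2>&1 &&
  [ "$(chain_length)" = "2" ]
}

if command -v keytool >/dev/null 2>&1; then
  run_demo && echo "keytool lifecycle OK; inspect the artifacts in $WORK"
else
  echo "keytool not found on PATH" >&2
fi
```

Because the reply is installed under the same alias as the private key, keytool refuses a certificate whose public key does not match that key; this is also why you must keep the original .jks that produced the CSR until the signed certificate has been imported into it.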