Keytool Program
The keytool program is a security tool included in the bin directory of the Java SDK. It is used to manage public-key cryptography key pairs and their certificates, which it stores in key databases. There are mainly two types of database.
KeyStore
Used when a Java program acts as a server. It contains private keys together with their corresponding public keys (certificates).
TrustStore
Contains public keys (CA certificates) and is used when the program acts as a client. When a server presents its certificate to the client, the client checks whether it can trust that certificate. To do so it checks whether the certificate is signed by a trusted Certificate Authority, that is, one whose public key is in its trust store.
Creating a trust store with CA certificates
[user@localhost certificates]$ ls -al
total 8
-rw-rw-r--. 1 user user 1360 Feb 11  2016 DigiCertGlobalRootCA.crt
-rw-rw-r--. 1 user user  806 Apr 29  2009 ThawteServerCA.cer
[user@localhost certificates]$ keytool -import -file DigiCertGlobalRootCA.crt -alias DigiCertGlobalRootCA -keystore TrustStore
Enter keystore password:
Re-enter new password:
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Fri Nov 10 05:30:00 IST 2006 until: Mon Nov 10 05:30:00 IST 2031
Certificate fingerprints:
         MD5:  79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
         SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
         SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[user@localhost certificates]$ keytool -import -file ThawteServerCA.cer -alias ThawteServerCA -keystore TrustStore
Enter keystore password:
Owner: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Serial number: 34a4fff630af4ca53c331742a1946675
Valid from: Thu Aug 01 06:30:00 IST 1996 until: Sat Jan 02 05:29:59 IST 2021
Certificate fingerprints:
         MD5:  EE:FE:61:69:65:6E:F8:9C:C6:2A:F4:D7:2B:63:EF:A2
         SHA1: 9F:AD:91:A6:CE:6A:C6:C5:00:47:C4:4E:C9:D4:A5:0D:92:D8:49:79
         SHA256: 87:C6:78:BF:B8:B2:5F:38:F7:E9:7B:33:69:56:BB:CF:14:4B:BA:CA:A5:36:47:E6:1A:23:25:BC:10:55:31:6B
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[user@localhost certificates]$ keytool -list -keystore TrustStore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

digicertglobalrootca, Feb 11, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
thawteserverca, Feb 11, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 9F:AD:91:A6:CE:6A:C6:C5:00:47:C4:4E:C9:D4:A5:0D:92:D8:49:79
[user@localhost certificates]$
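As an added example (not part of the original post), this is how a Java client consumes the TrustStore created above to make the trust decision described under TrustStore: it loads the JKS file, prints each trusted CA entry with the same SHA1 fingerprint that keytool -list shows, and builds an SSLContext that trusts only those CAs rather than the JDK's default cacerts. The file name TrustStore matches the post; the password changeit and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {
    // Load the JKS trust store built with keytool -import above.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // the password also verifies the store's integrity
        }
        return ks;
    }

    // Same SHA1 fingerprint format that keytool -list prints, so the two can be compared.
    static String sha1Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            sb.append(i > 0 ? ":" : "").append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Trust decisions for this context are made against the given store only, not cacerts.
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key store: this side is a client only
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // "TrustStore" is the file from the post; "changeit" is an assumed password.
        KeyStore ts = loadTrustStore("TrustStore", "changeit".toCharArray());
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ts.isCertificateEntry(alias)) continue; // only trustedCertEntry items
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            System.out.println(alias + "  " + c.getSubjectX500Principal() + "  SHA1: " + sha1Fingerprint(c));
        }
        SSLContext ctx = sslContextFor(ts);
        // ctx.getSocketFactory() is what an HTTPS client plugs in to connect using this trust store.
    }
}
```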