Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Difference between Entry Type "keyEntry" and "trustedCertEntry" in a keystore

Tags:

certificate

ssl-certificate

keystore

keytool

jks

I don't have much knowledge in this area, but i have still tried to do things by googling. Here is the problem i am facing.

Case 1(Works):

I have a CA signed certificate and i would like to use it in my Web Application. I first created a keystore. I see that it creates an entry type "keyEntry" in the keystore. Then i import the CA signed certificate to the keystore created.

Here are the steps:

keytool -genkeypair  -keystore keystore.jks

I see an entry in the keystore of type "keyEntry" of alias "mykey"

Now i import the certificate:

keytool -importcert -alias abc -file cert.crt -keystore keystore.jks

Now i see another entry of trype "trustedcertEntry".

With this keystore i am able to access my web application when i uploaded it.

Case 2 (doesn't work):

I create a keystore on the fly while importing the certificate.

keytool -importcert  -alias abc -file cert.crt -keystore keystore2.jks

Here i see only one entry type which is "trustedcertEntry"

With this keystore i am not able to access my web application.

Question:

What is key entry type "keyEntry" and "trustedcertEntry" and why does my keystore works only when i have the entry type "keyEntry"

like image 275
bluefoggy Avatar asked Feb 16 '15 15:02

bluefoggy

1 Answers

My understanding of keytool is tenuous at best but I think the trick is that with Case 2, by omitting the -genkeypair, you're not generating the necessary private key.

In Case 1, the steps you're using are: create a private key pair (public key and private key), and then import a certificate into the trusted certificates for the keystore. Presumably you have another certificate in the keystore that's joining with the private key though it's possible the trusted cert is acting as the cert or your application isn't using a joined keypair/cert in the same file.

I can say that a 'trustedCertEntry' is a certificate which is trusted by the keystore. This is essential for allowing certificate chains (ex: Root-CA signs Intermediate-CA1 which signs End-Cert1. Without having both Root-CA and Intermediate-CA1 as trustedCertEntry, the keystore doesn't trust the end cert). TrustedCertEntry do not have private keys associated with them, only the public key the certificate contains.

A keyEntry (I think!) is a public/private key pair without the certificate.

A privateKeyEntry is a public/private key pair with an associated CA-signed or self-signed certificate.

like image 94
duct_tape_coder Avatar answered Sep 22 '22 09:09

duct_tape_coder
Sign in to Comment

Related questions

How to do client certificate authentication with Apache
One self-signed cert to rule them all? Chrome, Android, and iOS
How to Connect localhost (with invalid certificate) using Alamofire?
How to set ca-bundle path for OpenSSL in ruby
Apple Push Notifications, how do I properly export my cert?
Which certificate should I use to sign my Mac OS X application?
What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?
How to install a certificate in Xcode (preparing for app store submission)
Java jnlp application blocked by Security settings
keytool -genkey error: Keystore file does not exist
Multiple Certificates/Provisioning Profiles in one Xcode organizer?
Using client certificate not in certificate store
How to create CSR with SANs using keytool
How to create a X509 certificate using Java?
Could not create SSL/TLS secure channel - Could the problem be a proxy server?
How to convert .p12 to .crt file?
Pull from github without authentication every time
iPhone Developer' doesn't match any valid, non-expired certificate/private key pair-BUT I'm creating and Ipad app [duplicate]
https client certificate logout/relogin
Cross domain jQuery ajax call with credentials

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!