Does deleting an alias in a key store using keytool delete the private key?

So if I have a public cert sitting in a key store, will deleting it using keytool also delete the private key information?

A CSR was produced and the certificate was signed using an external CA then imported.

I take it an alias can be anything you make it, and deleting a certificate specified by its alias deletes the cert itself and the corresponding private key?

Can the alias be changed in any way without affecting the key information? Also, can the same certificate be imported under a different alias and still work (i.e. match up with the private key)?

The reason I ask is that when importing the certificate I expect to see it listed as type PrivateKeyEntry and not trustedCertEntry, which is what it is currently showing up as; not sure why.

The certificate uses a root and intermediate that were previously added and are showing up OK.

Update:

Thank you for the reply. So just to clarify my understanding and to make sure I've got it right: renaming an alias for a private key entry is valid, as the certificate and key are held together under this one alias. The same goes for deleting an alias of a private key entry type, which will delete both the certificate and the key.

So back to one of my original questions: can the certificate be imported again under a different alias and still match up with a private key held in the store? Based on the info I'd say no, it would need to use the alias that was set for the private key previously.

I think the confusion and complexity lies in the fact the private key never leaves the key store, it's generated when a CSR is created and so is never imported at the same time as the certificate.

My problem is that the imported certificate is showing up as a trustedCertEntry, so I'm guessing it's not matching up to a private key in the store.

Is an alias for a private key specified when a CSR generation is performed? If that's the case, is it possible that importing the signed certificate under a different alias will cause the two not to match up? The only other thing I can think of is that the wrong CSR was used.

asked Oct 29 '22 by user6927866
1 Answer

Looking at the source code of the different keystore entry types, everything is clear. KeyStore supports three types:

  • KeyStore.PrivateKeyEntry
  • KeyStore.SecretKeyEntry (will be ignored in this answer as we are talking about certificates and private keys)
  • KeyStore.TrustedCertificateEntry

Let's go into details:

The type KeyStore.PrivateKeyEntry has three fields:

private final PrivateKey privKey;
private final Certificate[] chain;
private final Set<Attribute> attributes;

In contrast, the type KeyStore.TrustedCertificateEntry has only two:

private final Certificate cert;
private final Set<Attribute> attributes;

If you enumerate the entries you get only one entry for a certificate + key. Therefore it seems like this is stored in a PrivateKeyEntry. As this combines certificate and key and links them to one alias, renaming the alias will affect both key and certificate.

As each entry in a keystore is totally independent of the other entries, you can import the same key and certificate dozens of times as long as every entry has its own unique alias.

BTW: I remember that the keystore even allows having multiple entries with the same alias (don't know if that is true for all keystore formats). In such a situation you can only access the first entry by its alias. The other one is only accessible when you enumerate through all entries.

answered Nov 13 '22 by Robert
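The check a practitioner would run against the asker's keystore, as an added example that is not part of the question or the answer above and not code from the JDK itself: it lists every alias with its entry kind (what keytool -list prints), then works out which PrivateKeyEntry the CA-signed certificate actually belongs to by comparing public keys, which is the pairing the answer describes. Importing the signed certificate under that alias is what turns the keytool -genkeypair self-signed placeholder into the CA-signed chain; importing it under any other alias creates a separate trustedCertEntry, which is the symptom in the question. With --install it does the same thing keytool -importcert does under the owning alias: it rebuilds the chain from the trustedCertEntry intermediates and roots already in the store and writes it back with setKeyEntry. The class name KeyStoreAliasCheck, the command-line arguments, and the assumptions that the store is PKCS12 and that the key password equals the store password are mine, not the page's.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical helper written for this page; not part of the JDK or of the answer.
// Usage: java KeyStoreAliasCheck <keystore.p12> <storepass> <signed-cert.pem> [--install]
public class KeyStoreAliasCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeyStoreAliasCheck <keystore> <storepass> <signed-cert> [--install]");
            System.exit(2);
        }
        char[] pass = args[1].toCharArray();
        boolean install = args.length > 3 && "--install".equals(args[3]);

        // Assumption: a PKCS12 store (keytool's default since JDK 9); use "JKS" for an older store.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }

        // 1. Same view as keytool -list: one line per alias, typed by entry kind.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + ": " + (ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry"));
        }

        // 2. Parse the CA-signed certificate (CertificateFactory accepts PEM or DER).
        X509Certificate signed;
        try (InputStream in = new FileInputStream(args[2])) {
            signed = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // 3. The certificate belongs to whichever key entry holds the same public key.
        String owner = findOwningAlias(ks, signed);
        if (owner == null) {
            System.out.println("No PrivateKeyEntry holds this public key: the CSR came from another key or keystore.");
            return;
        }
        System.out.println("Signed certificate matches PrivateKeyEntry '" + owner + "'; import it under that alias.");

        // 4. Optionally do what keytool -importcert -alias <owner> does: swap the chain on the key entry.
        if (install) {
            // Assumption: key password equals store password (keytool's PKCS12 default).
            PrivateKey key = (PrivateKey) ks.getKey(owner, pass);
            Certificate[] chain = buildChain(ks, signed);
            ks.setKeyEntry(owner, key, pass, chain); // same alias, so the key stays paired with the new chain
            try (OutputStream out = new FileOutputStream(args[0])) {
                ks.store(out, pass);
            }
            System.out.println("Installed chain of length " + chain.length + " under '" + owner + "'.");
        }
    }

    // Alias of the PrivateKeyEntry whose current certificate (the -genkeypair self-signed one,
    // or an earlier reply) carries the same public key as the signed certificate; null if none.
    static String findOwningAlias(KeyStore ks, X509Certificate signed) throws KeyStoreException {
        byte[] wanted = signed.getPublicKey().getEncoded();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate current = ks.getCertificate(alias);
            if (current != null && Arrays.equals(current.getPublicKey().getEncoded(), wanted)) return alias;
        }
        return null;
    }

    // Builds leaf -> intermediate -> root from the trustedCertEntry aliases, verifying each
    // signature so a subject-name collision cannot splice in the wrong issuer.
    static Certificate[] buildChain(KeyStore ks, X509Certificate leaf) throws Exception {
        List<Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        chain.add(current);
        while (!current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isCertificateEntry(alias)) continue;
                X509Certificate cand = (X509Certificate) ks.getCertificate(alias);
                if (!cand.getSubjectX500Principal().equals(current.getIssuerX500Principal())) continue;
                try {
                    current.verify(cand.getPublicKey()); // throws if this candidate did not sign it
                    issuer = cand;
                    break;
                } catch (GeneralSecurityException e) {
                    // name matched but signature did not; keep looking
                }
            }
            if (issuer == null) {
                throw new IllegalStateException("no trusted issuer in keystore for " + current.getSubjectX500Principal());
            }
            chain.add(issuer);
            current = issuer;
        }
        return chain.toArray(new Certificate[0]);
    }
}
```

Run it first without --install to see which alias the signed certificate belongs to; if it reports no match, the certificate was issued for a different key pair (a wrong CSR, or a CSR from another keystore), and no alias choice will pair it with the key. If it reports a match, `keytool -importcert -alias <that alias> -file signed.pem -keystore store.p12` and the --install path are equivalent; a trustedCertEntry created by an earlier import under a different alias can simply be deleted, since it holds only the certificate and no key.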