After doing some research about keystores and certificates, I found the following guides:
Correct me if I am wrong. From what I understand (and tested):
The thing that I do not understand is that, before I import any certificate into the keystore.jks file, when I try to see what is inside (using keytool -list -v -keystore keystore.jks), there appears to be a certificate already inside. Is it a default certificate for that keystore? I thought "keytool -genkeypair" would only generate a keystore with a key pair?
The result of keytool -list -v -keystore keystore.jks:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: testingkeypair
Creation date: Jan 11, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate:
Owner: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
Issuer: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
Serial number: 650d8951
Valid from: Mon Jan 11 14:43:52 SGT 2016 until: Sun Apr 10 14:43:52 SGT 2016
Certificate fingerprints:
MD5: F0:74:9F:27:F0:08:AB:A0:BE:B2:A0:F2:94:45:94:90
SHA1: 87:0C:E2:E2:06:A6:52:4E:0C:40:E9:B0:DE:75:A7:8C:CC:01:45:57
SHA256: D1:B2:63:F0:85:A7:06:2E:7D:2B:E1:1E:91:9E:62:56:22:E7:61:36:E6:23:8A:6F:21:EF:2B:79:0D:12:B8:38
Signature algorithm name: SHA256withRSA
Version: 3
By default, the Application Server stores its certificate information in two files in the domain-dir/config directory: Keystore file, keystore.jks, contains the Application Server's certificate, including its private key. The keystore file is protected with a password, initially changeit.
A keystore is used to store the private key and identity certificates that a specific program should present to the other party (server or client) for verification. A truststore is used to store certificates from Certified Authorities (CA) that verify the certificate presented by the server in an SSL connection.
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.
There are various different types of KeyStore supported by KeyStore Explorer:
JKS - Java KeyStore. Oracle's KeyStore format.
JCEKS - Java Cryptography Extension KeyStore.
After some more research, I have found the answer that I wanted. It was in the official javadoc for keytool. http://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html#genkeyCmd
It appears that whenever -genkey is used, a public/private key pair is generated and the public key is wrapped in a (self-signed) certificate. Hence the certificate I see when I run the "keytool -list -v" command straight after the -genkey command is the certificate for the public key.
The command given in your second link is the answer:

keytool -certreq \
    -alias domain \
    -file domain.csr \
    -keystore keystore.jks
You need to generate a certificate request, which produces a certificate signing request (.csr) file. The .csr file will have your certificate details along with the public key, and the .jks file will have your private key. You need to send the .csr file to a CA like Symantec to get it signed. The CA will sign it and provide you a .cer or .crt (signed certificate), which you then import into your .jks (Java keystore):

keytool -importcert \
    -trustcacerts -file domain.crt \
    -alias domain \
    -keystore keystore.jks
.jks is like a database to store certs and keys.
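As an added example (not code from the question or from either answer), the following Python script parses the verbose listing format shown in the question and classifies each entry, so you can distinguish the self-signed placeholder that -genkeypair creates (Owner equals Issuer, chain length 1), which the first answer explains, from the CA-signed chain that the -certreq / -importcert workflow in the second answer installs. The first sample listing is the one from the question; the second is a constructed, hypothetical post-import listing with an invented CA name, and the parsing relies only on the field labels visible in the question's output.

```python
# Added example (not from the question or the answers): classify the entries
# that `keytool -list -v` prints, so the self-signed placeholder created by
# -genkeypair can be told apart from a CA-signed chain installed by -importcert.
import re
from dataclasses import dataclass
from typing import List


@dataclass
class KeystoreEntry:
    alias: str
    entry_type: str
    chain_length: int
    owner: str   # subject DN of the leaf certificate (Certificate[1])
    issuer: str  # issuer DN of the leaf certificate

    @property
    def is_self_signed(self) -> bool:
        # -genkeypair wraps the new public key in a certificate signed by the
        # same key: subject and issuer are identical and the chain is only the leaf.
        return self.owner == self.issuer and self.chain_length == 1


def parse_keytool_listing(text: str) -> List[KeystoreEntry]:
    """Parse the verbose listing format from the question (one block per alias)."""
    entries = []
    for block in re.split(r"(?m)^Alias name:", text)[1:]:
        alias = block.split("\n", 1)[0].strip()
        entry_type = re.search(r"Entry type:\s*(\S+)", block).group(1)
        chain = re.search(r"Certificate chain length:\s*(\d+)", block)
        # trustedCertEntry blocks carry a single certificate and no chain line
        chain_length = int(chain.group(1)) if chain else 1
        # the first Owner/Issuer pair in a block belongs to the leaf certificate
        owner = re.search(r"Owner:\s*(.+)", block).group(1).strip()
        issuer = re.search(r"Issuer:\s*(.+)", block).group(1).strip()
        entries.append(KeystoreEntry(alias, entry_type, chain_length, owner, issuer))
    return entries


def placeholder_aliases(text: str) -> List[str]:
    """Aliases whose private key is still paired with the -genkeypair self-signed
    certificate, i.e. no CA-signed reply has been imported for them yet."""
    return [e.alias for e in parse_keytool_listing(text)
            if e.entry_type == "PrivateKeyEntry" and e.is_self_signed]


# Sample 1: the listing from the question, straight after -genkeypair.
BEFORE_IMPORT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: testingkeypair
Creation date: Jan 11, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
Issuer: CN=testing, OU=testing, O=testing, L=testing, ST=testing, C=testing
Signature algorithm name: SHA256withRSA
Version: 3
"""

# Sample 2: constructed (hypothetical) listing after importing a CA-signed reply;
# "Example CA" is an invented issuer, not a real CA.
AFTER_IMPORT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: domain
Creation date: Jan 12, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, O=Example, C=SG
Issuer: CN=Example CA, O=Example, C=SG
Certificate[2]:
Owner: CN=Example CA, O=Example, C=SG
Issuer: CN=Example CA, O=Example, C=SG

Alias name: exampleca
Creation date: Jan 12, 2016
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example, C=SG
Issuer: CN=Example CA, O=Example, C=SG
"""

if __name__ == "__main__":
    for label, listing in (("before import", BEFORE_IMPORT), ("after import", AFTER_IMPORT)):
        print(label, "- still self-signed:", placeholder_aliases(listing))
```

Run it against the saved output of keytool -list -v -keystore keystore.jks: an alias reported by placeholder_aliases is one where the certificate is still the self-signed one from -genkeypair, which is what the question observed and what a server should not be presenting once the CA-signed .crt has been imported.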