author | phh |
Sat, 30 Nov 2019 14:33:05 -0800 | |
changeset 59330 | 5b96c12f909d |
parent 55140 | d4890c3721be |
permissions | -rw-r--r-- |
55140 | 1 |
.\"t |
2 |
.\" Copyright (c) 1994, 2019, Oracle and/or its affiliates. All rights reserved. |
|
31876
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
3 |
.\" DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
4 |
.\" |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
5 |
.\" This code is free software; you can redistribute it and/or modify it |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
6 |
.\" under the terms of the GNU General Public License version 2 only, as |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
7 |
.\" published by the Free Software Foundation. |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
8 |
.\" |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
9 |
.\" This code is distributed in the hope that it will be useful, but WITHOUT |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
10 |
.\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
11 |
.\" FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
12 |
.\" version 2 for more details (a copy is included in the LICENSE file that |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
13 |
.\" accompanied this code). |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
14 |
.\" |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
15 |
.\" You should have received a copy of the GNU General Public License version |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
16 |
.\" 2 along with this work; if not, write to the Free Software Foundation, |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
17 |
.\" Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
18 |
.\" |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
19 |
.\" Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
20 |
.\" or visit www.oracle.com if you need additional information or have any |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
21 |
.\" questions. |
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
22 |
.\" |
55140 | 23 |
.\" Automatically generated by Pandoc 2.3.1 |
21743 | 24 |
.\" |
55140 | 25 |
.TH "KEYTOOL" "1" "2019" "JDK 13" "JDK Commands" |
26 |
.hy |
|
27 |
.SH NAME |
|
28 |
.PP |
|
29 |
keytool \- a key and certificate management utility |
|
30 |
.SH SYNOPSIS |
|
31 |
.PP |
|
32 |
\f[CB]keytool\f[R] [\f[I]commands\f[R]] |
|
33 |
.TP |
|
34 |
.B \f[I]commands\f[R] |
|
35 |
Commands for \f[CB]keytool\f[R] include the following: |
|
36 |
.RS |
|
37 |
.IP \[bu] 2 |
|
38 |
\f[CB]\-certreq\f[R]: Generates a certificate request |
|
39 |
.IP \[bu] 2 |
|
40 |
\f[CB]\-changealias\f[R]: Changes an entry\[aq]s alias |
|
41 |
.IP \[bu] 2 |
|
42 |
\f[CB]\-delete\f[R]: Deletes an entry |
|
43 |
.IP \[bu] 2 |
|
44 |
\f[CB]\-exportcert\f[R]: Exports certificate |
|
45 |
.IP \[bu] 2 |
|
46 |
\f[CB]\-genkeypair\f[R]: Generates a key pair |
|
47 |
.IP \[bu] 2 |
|
48 |
\f[CB]\-genseckey\f[R]: Generates a secret key |
|
49 |
.IP \[bu] 2 |
|
50 |
\f[CB]\-gencert\f[R]: Generates a certificate from a certificate request |
|
51 |
.IP \[bu] 2 |
|
52 |
\f[CB]\-importcert\f[R]: Imports a certificate or a certificate chain |
|
53 |
.IP \[bu] 2 |
|
54 |
\f[CB]\-importpass\f[R]: Imports a password |
|
55 |
.IP \[bu] 2 |
|
56 |
\f[CB]\-importkeystore\f[R]: Imports one or all entries from another |
|
57 |
keystore |
|
58 |
.IP \[bu] 2 |
|
59 |
\f[CB]\-keypasswd\f[R]: Changes the key password of an entry |
|
60 |
.IP \[bu] 2 |
|
61 |
\f[CB]\-list\f[R]: Lists entries in a keystore |
|
62 |
.IP \[bu] 2 |
|
63 |
\f[CB]\-printcert\f[R]: Prints the content of a certificate |
|
64 |
.IP \[bu] 2 |
|
65 |
\f[CB]\-printcertreq\f[R]: Prints the content of a certificate request |
|
66 |
.IP \[bu] 2 |
|
67 |
\f[CB]\-printcrl\f[R]: Prints the content of a Certificate Revocation List |
|
68 |
(CRL) file |
|
69 |
.IP \[bu] 2 |
|
70 |
\f[CB]\-storepasswd\f[R]: Changes the store password of a keystore |
|
71 |
.IP \[bu] 2 |
|
72 |
\f[CB]\-showinfo\f[R]: Displays security\-related information |
|
73 |
.PP |
|
74 |
See \f[B]Commands and Options\f[R] for a description of these commands |
|
75 |
with their options. |
|
76 |
.RE |
|
77 |
.SH DESCRIPTION |
|
78 |
.PP |
|
79 |
The \f[CB]keytool\f[R] command is a key and certificate management |
|
80 |
utility. |
|
81 |
It enables users to administer their own public/private key pairs and |
|
82 |
associated certificates for use in self\-authentication (where a user |
|
83 |
authenticates themselves to other users and services) or data integrity |
|
84 |
and authentication services, by using digital signatures. |
|
85 |
The \f[CB]keytool\f[R] command also enables users to cache the public keys |
|
86 |
(in the form of certificates) of their communicating peers. |
|
87 |
.PP |
|
88 |
A certificate is a digitally signed statement from one entity (person, |
|
89 |
company, and so on), which says that the public key (and some other |
|
90 |
information) of some other entity has a particular value. |
|
91 |
When data is digitally signed, the signature can be verified to check |
|
92 |
the data integrity and authenticity. |
|
93 |
Integrity means that the data hasn\[aq]t been modified or tampered with, |
|
94 |
and authenticity means that the data comes from the individual who |
|
95 |
claims to have created and signed it. |
|
96 |
.PP |
|
97 |
The \f[CB]keytool\f[R] command also enables users to administer secret |
|
98 |
keys and passphrases used in symmetric encryption and decryption (Data |
|
99 |
Encryption Standard). |
|
100 |
It can also display other security\-related information. |
|
101 |
.PP |
|
102 |
The \f[CB]keytool\f[R] command stores the keys and certificates in a |
|
103 |
keystore. |
|
104 |
.SH COMMAND AND OPTION NOTES |
|
105 |
.PP |
|
106 |
The following notes apply to the descriptions in \f[B]Commands and |
|
107 |
Options\f[R]: |
|
108 |
.IP \[bu] 2 |
|
109 |
All command and option names are preceded by a hyphen sign |
|
110 |
(\f[CB]\-\f[R]). |
|
111 |
.IP \[bu] 2 |
|
112 |
Only one command can be provided. |
|
113 |
.IP \[bu] 2 |
|
114 |
Options for each command can be provided in any order. |
|
115 |
.IP \[bu] 2 |
|
116 |
There are two kinds of options, one is single\-valued which should be |
|
117 |
only provided once. |
|
118 |
If a single\-valued option is provided multiple times, the value of the |
|
119 |
last one is used. |
|
120 |
The other type is multi\-valued, which can be provided multiple times |
|
121 |
and all values are used. |
|
122 |
The only multi\-valued option currently supported is the \f[CB]\-ext\f[R] |
|
123 |
option used to generate X.509v3 certificate extensions. |
|
124 |
.IP \[bu] 2 |
|
125 |
All items not italicized or in braces ({ }) or brackets ([ ]) are |
|
126 |
required to appear as is. |
|
127 |
.IP \[bu] 2 |
|
128 |
Braces surrounding an option signify that a default value is used when |
|
129 |
the option isn\[aq]t specified on the command line. |
|
130 |
Braces are also used around the \f[CB]\-v\f[R], \f[CB]\-rfc\f[R], and |
|
131 |
\f[CB]\-J\f[R] options, which have meaning only when they appear on the |
|
132 |
command line. |
|
133 |
They don\[aq]t have any default values. |
|
134 |
.IP \[bu] 2 |
|
135 |
Brackets surrounding an option signify that the user is prompted for the |
|
136 |
values when the option isn\[aq]t specified on the command line. |
|
137 |
For the \f[CB]\-keypass\f[R] option, if you don\[aq]t specify the option |
|
138 |
on the command line, then the \f[CB]keytool\f[R] command first attempts to |
|
139 |
use the keystore password to recover the private/secret key. |
|
140 |
If this attempt fails, then the \f[CB]keytool\f[R] command prompts you for |
|
141 |
the private/secret key password. |
|
142 |
.IP \[bu] 2 |
|
143 |
Items in italics (option values) represent the actual values that must |
|
144 |
be supplied. |
|
145 |
For example, here is the format of the \f[CB]\-printcert\f[R] command: |
|
146 |
.RS 2 |
|
147 |
.RS |
|
148 |
.PP |
|
149 |
\f[CB]keytool\ \-printcert\f[R] {\f[CB]\-file\f[R] \f[I]cert_file\f[R]} |
|
150 |
{\f[CB]\-v\f[R]} |
|
151 |
.RE |
|
152 |
.PP |
|
153 |
When you specify a \f[CB]\-printcert\f[R] command, replace |
|
154 |
\f[I]cert_file\f[R] with the actual file name, as follows: |
|
155 |
\f[CB]keytool\ \-printcert\ \-file\ VScert.cer\f[R] |
|
156 |
.RE |
|
157 |
.IP \[bu] 2 |
|
158 |
Option values must be enclosed in quotation marks when they contain a |
|
159 |
blank (space). |
|
160 |
.SH COMMANDS AND OPTIONS |
|
161 |
.PP |
|
162 |
The keytool commands and their options can be grouped by the tasks that |
|
163 |
they perform. |
|
164 |
.PP |
|
165 |
\f[B]Commands for Creating or Adding Data to the Keystore\f[R]: |
|
166 |
.IP \[bu] 2 |
|
167 |
\f[CB]\-gencert\f[R] |
|
168 |
.IP \[bu] 2 |
|
169 |
\f[CB]\-genkeypair\f[R] |
|
170 |
.IP \[bu] 2 |
|
171 |
\f[CB]\-genseckey\f[R] |
|
172 |
.IP \[bu] 2 |
|
173 |
\f[CB]\-importcert\f[R] |
|
174 |
.IP \[bu] 2 |
|
175 |
\f[CB]\-importpass\f[R] |
|
176 |
.PP |
|
177 |
\f[B]Commands for Importing Contents from Another Keystore\f[R]: |
|
178 |
.IP \[bu] 2 |
|
179 |
\f[CB]\-importkeystore\f[R] |
|
180 |
.PP |
|
181 |
\f[B]Commands for Generating a Certificate Request\f[R]: |
|
182 |
.IP \[bu] 2 |
|
183 |
\f[CB]\-certreq\f[R] |
|
184 |
.PP |
|
185 |
\f[B]Commands for Exporting Data\f[R]: |
|
186 |
.IP \[bu] 2 |
|
187 |
\f[CB]\-exportcert\f[R] |
|
188 |
.PP |
|
189 |
\f[B]Commands for Displaying Data\f[R]: |
|
190 |
.IP \[bu] 2 |
|
191 |
\f[CB]\-list\f[R] |
|
192 |
.IP \[bu] 2 |
|
193 |
\f[CB]\-printcert\f[R] |
|
194 |
.IP \[bu] 2 |
|
195 |
\f[CB]\-printcertreq\f[R] |
|
196 |
.IP \[bu] 2 |
|
197 |
\f[CB]\-printcrl\f[R] |
|
198 |
.PP |
|
199 |
\f[B]Commands for Managing the Keystore\f[R]: |
|
200 |
.IP \[bu] 2 |
|
201 |
\f[CB]\-storepasswd\f[R] |
|
202 |
.IP \[bu] 2 |
|
203 |
\f[CB]\-keypasswd\f[R] |
|
204 |
.IP \[bu] 2 |
|
205 |
\f[CB]\-delete\f[R] |
|
206 |
.IP \[bu] 2 |
|
207 |
\f[CB]\-changealias\f[R] |
|
208 |
.PP |
|
209 |
\f[B]Commands for Displaying Security\-related Information\f[R]: |
|
210 |
.IP \[bu] 2 |
|
211 |
\f[CB]\-showinfo\f[R] |
|
212 |
.SH COMMANDS FOR CREATING OR ADDING DATA TO THE KEYSTORE |
|
213 |
.TP |
|
214 |
.B \f[CB]\-gencert\f[R] |
|
215 |
The following are the available options for the \f[CB]\-gencert\f[R] |
|
216 |
command: |
|
217 |
.RS |
|
218 |
.IP \[bu] 2 |
|
219 |
{\f[CB]\-rfc\f[R]}: Output in RFC (Request For Comment) style |
|
220 |
.IP \[bu] 2 |
|
221 |
{\f[CB]\-infile\f[R] \f[I]infile\f[R]}: Input file name |
|
222 |
.IP \[bu] 2 |
|
223 |
{\f[CB]\-outfile\f[R] \f[I]outfile\f[R]}: Output file name |
|
224 |
.IP \[bu] 2 |
|
225 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
226 |
.IP \[bu] 2 |
|
227 |
{\f[CB]\-sigalg\f[R] \f[I]sigalg\f[R]}: Signature algorithm name |
|
228 |
.IP \[bu] 2 |
|
229 |
{\f[CB]\-dname\f[R] \f[I]dname\f[R]}: Distinguished name |
|
230 |
.IP \[bu] 2 |
|
231 |
{\f[CB]\-startdate\f[R] \f[I]startdate\f[R]}: Certificate validity start |
|
232 |
date and time |
|
233 |
.IP \[bu] 2 |
|
234 |
{\f[CB]\-ext\f[R] \f[I]ext\f[R]}*: X.509 extension |
|
235 |
.IP \[bu] 2 |
|
236 |
{\f[CB]\-validity\f[R] \f[I]days\f[R]}: Validity number of days |
|
237 |
.IP \[bu] 2 |
|
238 |
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password |
|
239 |
.IP \[bu] 2 |
|
240 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
241 |
.IP \[bu] 2 |
|
242 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
243 |
.IP \[bu] 2 |
|
244 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
245 |
.IP \[bu] 2 |
|
246 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
247 |
.IP \[bu] 2 |
|
248 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
249 |
\f[I]arg\f[R]]}: Adds a security provider by name (such as SunPKCS11) |
|
250 |
with an optional configure argument. |
|
251 |
The value of the security provider is the name of a security provider |
|
252 |
that is defined in a module. |
|
253 |
.RS 2 |
|
254 |
.PP |
|
255 |
For example, |
|
256 |
.RS |
|
257 |
.PP |
|
258 |
\f[CB]keytool\ \-addprovider\ SunPKCS11\ \-providerarg\ some.cfg\ ...\f[R] |
|
259 |
.RE |
|
260 |
.PP |
|
261 |
\f[B]Note:\f[R] |
|
262 |
.PP |
|
263 |
For compatibility reasons, the SunPKCS11 and OracleUcrypto providers can |
|
264 |
still be loaded with |
|
265 |
\f[CB]\-providerclass\ sun.security.pkcs11.SunPKCS11\f[R] and |
|
266 |
\f[CB]\-providerclass\ com.oracle.security.crypto.UcryptoProvider\f[R] |
|
267 |
even if they are now defined in modules. |
|
268 |
These are the only modules included in JDK that need a configuration, |
|
269 |
and therefore the most widely used with the \f[CB]\-providerclass\f[R] |
|
270 |
option. |
|
271 |
For legacy security providers located on classpath and loaded by |
|
272 |
reflection, \f[CB]\-providerclass\f[R] should still be used. |
|
273 |
.RE |
|
274 |
.IP \[bu] 2 |
|
275 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
276 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
277 |
an optional configure argument. |
|
278 |
.RS 2 |
|
279 |
.PP |
|
280 |
For example, if \f[CB]MyProvider\f[R] is a legacy provider loaded via |
|
281 |
reflection, |
|
282 |
.RS |
|
283 |
.PP |
|
284 |
\f[CB]keytool\ \-providerclass\ com.example.MyProvider\ ...\f[R] |
|
285 |
.RE |
|
286 |
.RE |
|
287 |
.IP \[bu] 2 |
|
288 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
289 |
.IP \[bu] 2 |
|
290 |
{\f[CB]\-v\f[R]}: Verbose output |
|
291 |
.IP \[bu] 2 |
|
292 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
293 |
.PP |
|
294 |
Use the \f[CB]\-gencert\f[R] command to generate a certificate as a |
|
295 |
response to a certificate request file (which can be created by the |
|
296 |
\f[CB]keytool\ \-certreq\f[R] command). |
|
297 |
The command reads the request either from \f[I]infile\f[R] or, if |
|
298 |
omitted, from the standard input, signs it by using the alias\[aq]s |
|
299 |
private key, and outputs the X.509 certificate into either |
|
300 |
\f[I]outfile\f[R] or, if omitted, to the standard output. |
|
301 |
When \f[CB]\-rfc\f[R] is specified, the output format is Base64\-encoded |
|
302 |
PEM; otherwise, a binary DER is created. |
|
303 |
.PP |
|
304 |
The \f[CB]\-sigalg\f[R] value specifies the algorithm that should be used |
|
305 |
to sign the certificate. |
|
306 |
The \f[I]startdate\f[R] argument is the start time and date that the |
|
307 |
certificate is valid. |
|
308 |
The \f[I]days\f[R] argument tells the number of days for which the |
|
309 |
certificate should be considered valid. |
|
310 |
.PP |
|
311 |
When \f[I]dname\f[R] is provided, it is used as the subject of the |
|
312 |
generated certificate. |
|
313 |
Otherwise, the one from the certificate request is used. |
|
314 |
.PP |
|
315 |
The \f[CB]\-ext\f[R] value shows what X.509 extensions will be embedded in |
|
316 |
the certificate. |
|
317 |
Read \f[B]Common Command Options\f[R] for the grammar of \f[CB]\-ext\f[R]. |
|
318 |
.PP |
|
319 |
The \f[CB]\-gencert\f[R] option enables you to create certificate chains. |
|
320 |
The following example creates a certificate, \f[CB]e1\f[R], that contains |
|
321 |
three certificates in its certificate chain. |
|
322 |
.PP |
|
323 |
The following commands creates four key pairs named \f[CB]ca\f[R], |
|
324 |
\f[CB]ca1\f[R], \f[CB]ca2\f[R], and \f[CB]e1\f[R]: |
|
325 |
.IP |
|
326 |
.nf |
|
327 |
\f[CB] |
|
328 |
keytool\ \-alias\ ca\ \-dname\ CN=CA\ \-genkeypair |
|
329 |
keytool\ \-alias\ ca1\ \-dname\ CN=CA\ \-genkeypair |
|
330 |
keytool\ \-alias\ ca2\ \-dname\ CN=CA\ \-genkeypair |
|
331 |
keytool\ \-alias\ e1\ \-dname\ CN=E1\ \-genkeypair |
|
332 |
\f[R] |
|
333 |
.fi |
|
334 |
.PP |
|
335 |
The following two commands create a chain of signed certificates; |
|
336 |
\f[CB]ca\f[R] signs \f[CB]ca1\f[R] and \f[CB]ca1\f[R] signs \f[CB]ca2\f[R], all |
|
337 |
of which are self\-issued: |
|
338 |
.IP |
|
339 |
.nf |
|
340 |
\f[CB] |
|
341 |
keytool\ \-alias\ ca1\ \-certreq\ | |
|
342 |
\ \ \ \ keytool\ \-alias\ ca\ \-gencert\ \-ext\ san=dns:ca1\ | |
|
343 |
\ \ \ \ keytool\ \-alias\ ca1\ \-importcert |
|
21743 | 344 |
|
55140 | 345 |
keytool\ \-alias\ ca2\ \-certreq\ | |
346 |
\ \ \ \ keytool\ \-alias\ ca1\ \-gencert\ \-ext\ san=dns:ca2\ | |
|
347 |
\ \ \ \ keytool\ \-alias\ ca2\ \-importcert |
|
348 |
\f[R] |
|
349 |
.fi |
|
350 |
.PP |
|
351 |
The following command creates the certificate \f[CB]e1\f[R] and stores it |
|
352 |
in the \f[CB]e1.cert\f[R] file, which is signed by \f[CB]ca2\f[R]. |
|
353 |
As a result, \f[CB]e1\f[R] should contain \f[CB]ca\f[R], \f[CB]ca1\f[R], and |
|
354 |
\f[CB]ca2\f[R] in its certificate chain: |
|
355 |
.RS |
|
356 |
.PP |
|
357 |
\f[CB]keytool\ \-alias\ e1\ \-certreq\ |\ keytool\ \-alias\ ca2\ \-gencert\ >\ e1.cert\f[R] |
|
358 |
.RE |
|
359 |
.RE |
|
360 |
.TP |
|
361 |
.B \f[CB]\-genkeypair\f[R] |
|
362 |
The following are the available options for the \f[CB]\-genkeypair\f[R] |
|
363 |
command: |
|
364 |
.RS |
|
365 |
.IP \[bu] 2 |
|
366 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
367 |
.IP \[bu] 2 |
|
368 |
{\f[CB]\-keyalg\f[R] \f[I]alg\f[R]}: Key algorithm name |
|
369 |
.IP \[bu] 2 |
|
370 |
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size |
|
371 |
.IP \[bu] 2 |
|
372 |
{\f[CB]\-groupname\f[R] \f[I]name\f[R]}: Group name. |
|
373 |
For example, an Elliptic Curve name. |
|
374 |
.IP \[bu] 2 |
|
375 |
{\f[CB]\-sigalg\f[R] \f[I]alg\f[R]}: Signature algorithm name |
|
376 |
.IP \[bu] 2 |
|
377 |
[\f[CB]\-dname\f[R] \f[I]name\f[R]]: Distinguished name |
|
378 |
.IP \[bu] 2 |
|
379 |
{\f[CB]\-startdate\f[R] \f[I]date\f[R]}: Certificate validity start date |
|
380 |
and time |
|
381 |
.IP \[bu] 2 |
|
382 |
[\f[CB]\-ext\f[R] \f[I]value\f[R]}*: X.509 extension |
|
383 |
.IP \[bu] 2 |
|
384 |
{\f[CB]\-validity\f[R] \f[I]days\f[R]}: Validity number of days |
|
385 |
.IP \[bu] 2 |
|
386 |
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password |
|
387 |
.IP \[bu] 2 |
|
388 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
389 |
.IP \[bu] 2 |
|
390 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
391 |
.IP \[bu] 2 |
|
392 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
393 |
.IP \[bu] 2 |
|
394 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
395 |
.IP \[bu] 2 |
|
396 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
397 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
398 |
an optional configure argument. |
|
399 |
.IP \[bu] 2 |
|
400 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
401 |
\f[I]arg\f[R]] }: Add security provider by fully qualified class name |
|
402 |
with an optional configure argument. |
|
403 |
.IP \[bu] 2 |
|
404 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
405 |
.IP \[bu] 2 |
|
406 |
{\f[CB]\-v\f[R]}: Verbose output |
|
407 |
.IP \[bu] 2 |
|
408 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
409 |
.PP |
|
410 |
Use the \f[CB]\-genkeypair\f[R] command to generate a key pair (a public |
|
411 |
key and associated private key). |
|
412 |
Wraps the public key in an X.509 v3 self\-signed certificate, which is |
|
413 |
stored as a single\-element certificate chain. |
|
414 |
This certificate chain and the private key are stored in a new keystore |
|
415 |
entry that is identified by its alias. |
|
416 |
.PP |
|
417 |
The \f[CB]\-keyalg\f[R] value specifies the algorithm to be used to |
|
418 |
generate the key pair, and the \f[CB]\-keysize\f[R] value specifies the |
|
419 |
size of each key to be generated. |
|
420 |
The \f[CB]\-sigalg\f[R] value specifies the algorithm that should be used |
|
421 |
to sign the self\-signed certificate. |
|
422 |
This algorithm must be compatible with the \f[CB]\-keyalg\f[R] value. |
|
423 |
.PP |
|
424 |
The \f[CB]\-groupname\f[R] value specifies the named group (for example, |
|
425 |
the standard or predefined name of an Elliptic Curve) of the key to be |
|
426 |
generated. |
|
427 |
Only one of \f[CB]\-groupname\f[R] and \f[CB]\-keysize\f[R] can be |
|
428 |
specified. |
|
429 |
.PP |
|
430 |
The \f[CB]\-dname\f[R] value specifies the X.500 Distinguished Name to be |
|
431 |
associated with the value of \f[CB]\-alias\f[R], and is used as the issuer |
|
432 |
and subject fields in the self\-signed certificate. |
|
433 |
If a distinguished name is not provided at the command line, then the |
|
434 |
user is prompted for one. |
|
435 |
.PP |
|
436 |
The value of \f[CB]\-keypass\f[R] is a password used to protect the |
|
437 |
private key of the generated key pair. |
|
438 |
If a password is not provided, then the user is prompted for it. |
|
439 |
If you press the \f[B]Return\f[R] key at the prompt, then the key |
|
440 |
password is set to the same password as the keystore password. |
|
441 |
The \f[CB]\-keypass\f[R] value must have at least six characters. |
|
442 |
.PP |
|
443 |
The value of \f[CB]\-startdate\f[R] specifies the issue time of the |
|
444 |
certificate, also known as the "Not Before" value of the X.509 |
|
445 |
certificate\[aq]s Validity field. |
|
446 |
.PP |
|
447 |
The option value can be set in one of these two forms: |
|
448 |
.PP |
|
449 |
([\f[CB]+\-\f[R]]\f[I]nnn\f[R][\f[CB]ymdHMS\f[R]])+ |
|
450 |
.PP |
|
451 |
[\f[I]yyyy\f[R]\f[CB]/\f[R]\f[I]mm\f[R]\f[CB]/\f[R]\f[I]dd\f[R]] |
|
452 |
[\f[I]HH\f[R]\f[CB]:\f[R]\f[I]MM\f[R]\f[CB]:\f[R]\f[I]SS\f[R]] |
|
453 |
.PP |
|
454 |
With the first form, the issue time is shifted by the specified value |
|
455 |
from the current time. |
|
456 |
The value is a concatenation of a sequence of subvalues. |
|
457 |
Inside each subvalue, the plus sign (+) means shift forward, and the |
|
458 |
minus sign (\-) means shift backward. |
|
459 |
The time to be shifted is \f[I]nnn\f[R] units of years, months, days, |
|
460 |
hours, minutes, or seconds (denoted by a single character of \f[CB]y\f[R], |
|
461 |
\f[CB]m\f[R], \f[CB]d\f[R], \f[CB]H\f[R], \f[CB]M\f[R], or \f[CB]S\f[R] |
|
462 |
respectively). |
|
463 |
The exact value of the issue time is calculated by using the |
|
464 |
\f[CB]java.util.GregorianCalendar.add(int\ field,\ int\ amount)\f[R] |
|
465 |
method on each subvalue, from left to right. |
|
466 |
For example, the issue time can be specified by: |
|
467 |
.IP |
|
468 |
.nf |
|
469 |
\f[CB] |
|
470 |
Calendar\ c\ =\ new\ GregorianCalendar(); |
|
471 |
c.add(Calendar.YEAR,\ \-1); |
|
472 |
c.add(Calendar.MONTH,\ 1); |
|
473 |
c.add(Calendar.DATE,\ \-1); |
|
474 |
return\ c.getTime() |
|
475 |
\f[R] |
|
476 |
.fi |
|
21743 | 477 |
.PP |
55140 | 478 |
With the second form, the user sets the exact issue time in two parts, |
479 |
year/month/day and hour:minute:second (using the local time zone). |
|
480 |
The user can provide only one part, which means the other part is the |
|
481 |
same as the current date (or time). |
|
482 |
The user must provide the exact number of digits shown in the format |
|
483 |
definition (padding with 0 when shorter). |
|
484 |
When both date and time are provided, there is one (and only one) space |
|
485 |
character between the two parts. |
|
486 |
The hour should always be provided in 24\-hour format. |
|
487 |
.PP |
|
488 |
When the option isn\[aq]t provided, the start date is the current time. |
|
489 |
The option can only be provided one time. |
|
490 |
.PP |
|
491 |
The value of \f[I]date\f[R] specifies the number of days (starting at the |
|
492 |
date specified by \f[CB]\-startdate\f[R], or the current date when |
|
493 |
\f[CB]\-startdate\f[R] isn\[aq]t specified) for which the certificate |
|
494 |
should be considered valid. |
|
495 |
.RE |
|
496 |
.TP |
|
497 |
.B \f[CB]\-genseckey\f[R] |
|
498 |
The following are the available options for the \f[CB]\-genseckey\f[R] |
|
499 |
command: |
|
500 |
.RS |
|
501 |
.IP \[bu] 2 |
|
502 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
503 |
.IP \[bu] 2 |
|
504 |
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password |
|
505 |
.IP \[bu] 2 |
|
506 |
{\f[CB]\-keyalg\f[R] \f[I]alg\f[R]}: Key algorithm name |
|
507 |
.IP \[bu] 2 |
|
508 |
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size |
|
509 |
.IP \[bu] 2 |
|
510 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
511 |
.IP \[bu] 2 |
|
512 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
513 |
.IP \[bu] 2 |
|
514 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
515 |
.IP \[bu] 2 |
|
516 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
517 |
.IP \[bu] 2 |
|
518 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
519 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
520 |
an optional configure argument. |
|
521 |
.IP \[bu] 2 |
|
522 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
523 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
524 |
an optional configure argument. |
|
525 |
.IP \[bu] 2 |
|
526 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
527 |
.IP \[bu] 2 |
|
528 |
{\f[CB]\-v\f[R]}: Verbose output |
|
529 |
.IP \[bu] 2 |
|
530 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
531 |
.PP |
|
532 |
Use the \f[CB]\-genseckey\f[R] command to generate a secret key and store |
|
533 |
it in a new \f[CB]KeyStore.SecretKeyEntry\f[R] identified by |
|
534 |
\f[CB]alias\f[R]. |
|
535 |
.PP |
|
536 |
The value of \f[CB]\-keyalg\f[R] specifies the algorithm to be used to |
|
537 |
generate the secret key, and the value of \f[CB]\-keysize\f[R] specifies |
|
538 |
the size of the key that is generated. |
|
539 |
The \f[CB]\-keypass\f[R] value is a password that protects the secret key. |
|
540 |
If a password is not provided, then the user is prompted for it. |
|
541 |
If you press the \f[B]Return\f[R] key at the prompt, then the key |
|
542 |
password is set to the same password that is used for the |
|
543 |
\f[CB]\-keystore\f[R]. |
|
544 |
The \f[CB]\-keypass\f[R] value must contain at least six characters. |
|
545 |
.RE |
|
546 |
.TP |
|
547 |
.B \f[CB]\-importcert\f[R] |
|
548 |
The following are the available options for the \f[CB]\-importcert\f[R] |
|
549 |
command: |
|
550 |
.RS |
|
551 |
.IP \[bu] 2 |
|
552 |
{\f[CB]\-noprompt\f[R]}: Do not prompt |
|
553 |
.IP \[bu] 2 |
|
554 |
{\f[CB]\-trustcacerts\f[R]}: Trust certificates from cacerts |
|
555 |
.IP \[bu] 2 |
|
556 |
{\f[CB]\-protected\f[R]}: Password is provided through protected mechanism |
|
557 |
.IP \[bu] 2 |
|
558 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
559 |
.IP \[bu] 2 |
|
560 |
{\f[CB]\-file\f[R] \f[I]file\f[R]}: Input file name |
|
561 |
.IP \[bu] 2 |
|
562 |
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password |
|
563 |
.IP \[bu] 2 |
|
564 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
565 |
.IP \[bu] 2 |
|
566 |
{\f[CB]\-cacerts\f[R]}: Access the cacerts keystore |
|
567 |
.IP \[bu] 2 |
|
568 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
569 |
.IP \[bu] 2 |
|
570 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
571 |
.IP \[bu] 2 |
|
572 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
573 |
.IP \[bu] 2 |
|
574 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
575 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
576 |
an optional configure argument. |
|
577 |
.IP \[bu] 2 |
|
578 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
579 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
580 |
an optional configure argument. |
|
581 |
.IP \[bu] 2 |
|
582 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
583 |
.IP \[bu] 2 |
|
584 |
{\f[CB]\-v\f[R]}: Verbose output |
|
585 |
.PP |
|
586 |
Use the \f[CB]\-importcert\f[R] command to read the certificate or |
|
587 |
certificate chain (where the latter is supplied in a PKCS#7 formatted |
|
588 |
reply or in a sequence of X.509 certificates) from \f[CB]\-file\f[R] |
|
589 |
\f[I]file\f[R], and store it in the \f[CB]keystore\f[R] entry identified by |
|
590 |
\f[CB]\-alias\f[R]. |
|
591 |
If \f[CB]\-file\f[R] \f[I]file\f[R] is not specified, then the certificate |
|
592 |
or certificate chain is read from \f[CB]stdin\f[R]. |
|
593 |
.PP |
|
594 |
The \f[CB]keytool\f[R] command can import X.509 v1, v2, and v3 |
|
595 |
certificates, and PKCS#7 formatted certificate chains consisting of |
|
596 |
certificates of that type. |
|
597 |
The data to be imported must be provided either in binary encoding |
|
598 |
format or in printable encoding format (also known as Base64 encoding) |
|
599 |
as defined by the Internet RFC 1421 standard. |
|
600 |
In the latter case, the encoding must be bounded at the beginning by a |
|
601 |
string that starts with \f[CB]\-\-\-\-\-BEGIN\f[R], and bounded at the end |
|
602 |
by a string that starts with \f[CB]\-\-\-\-\-END\f[R]. |
|
603 |
.PP |
|
604 |
You import a certificate for two reasons: To add it to the list of |
|
605 |
trusted certificates, and to import a certificate reply received from a |
|
606 |
certificate authority (CA) as the result of submitting a Certificate |
|
607 |
Signing Request (CSR) to that CA. |
|
608 |
See the \f[CB]\-certreq\f[R] command in \f[B]Commands for Generating a |
|
609 |
Certificate Request\f[R]. |
|
21743 | 610 |
.PP |
55140 | 611 |
The type of import is indicated by the value of the \f[CB]\-alias\f[R] |
612 |
option. |
|
613 |
If the alias doesn\[aq]t point to a key entry, then the \f[CB]keytool\f[R] |
|
614 |
command assumes you are adding a trusted certificate entry. |
|
615 |
In this case, the alias shouldn\[aq]t already exist in the keystore. |
|
616 |
If the alias does exist, then the \f[CB]keytool\f[R] command outputs an |
|
617 |
error because a trusted certificate already exists for that alias, and |
|
618 |
doesn\[aq]t import the certificate. |
|
619 |
If \f[CB]\-alias\f[R] points to a key entry, then the \f[CB]keytool\f[R] |
|
620 |
command assumes that you\[aq]re importing a certificate reply. |
|
621 |
.RE |
|
622 |
.TP |
|
623 |
.B \f[CB]\-importpass\f[R] |
|
624 |
The following are the available options for the \f[CB]\-importpass\f[R] |
|
625 |
command: |
|
626 |
.RS |
|
627 |
.IP \[bu] 2 |
|
628 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
629 |
.IP \[bu] 2 |
|
630 |
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password |
|
631 |
.IP \[bu] 2 |
|
632 |
{\f[CB]\-keyalg\f[R] \f[I]alg\f[R]}: Key algorithm name |
|
633 |
.IP \[bu] 2 |
|
634 |
{\f[CB]\-keysize\f[R] \f[I]size\f[R]}: Key bit size |
|
635 |
.IP \[bu] 2 |
|
636 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
637 |
.IP \[bu] 2 |
|
638 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
639 |
.IP \[bu] 2 |
|
640 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
641 |
.IP \[bu] 2 |
|
642 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
643 |
.IP \[bu] 2 |
|
644 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
645 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
646 |
an optional configure argument. |
|
647 |
.IP \[bu] 2 |
|
648 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
649 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
650 |
an optional configure argument. |
|
651 |
.IP \[bu] 2 |
|
652 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
653 |
.IP \[bu] 2 |
|
654 |
{\f[CB]\-v\f[R]}: Verbose output |
|
655 |
.IP \[bu] 2 |
|
656 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
657 |
.PP |
|
658 |
Use the \f[CB]\-importpass\f[R] command to imports a passphrase and store |
|
659 |
it in a new \f[CB]KeyStore.SecretKeyEntry\f[R] identified by |
|
660 |
\f[CB]\-alias\f[R]. |
|
661 |
The passphrase may be supplied via the standard input stream; otherwise |
|
662 |
the user is prompted for it. |
|
663 |
The \f[CB]\-keypass\f[R] option provides a password to protect the |
|
664 |
imported passphrase. |
|
665 |
If a password is not provided, then the user is prompted for it. |
|
666 |
If you press the \f[B]Return\f[R] key at the prompt, then the key |
|
667 |
password is set to the same password as that used for the |
|
668 |
\f[CB]keystore\f[R]. |
|
669 |
The \f[CB]\-keypass\f[R] value must contain at least six characters. |
|
670 |
.RE |
|
671 |
.SH COMMANDS FOR IMPORTING CONTENTS FROM ANOTHER KEYSTORE |
|
672 |
.TP |
|
673 |
.B \f[CB]\-importkeystore\f[R] |
|
674 |
The following are the available options for the |
|
675 |
\f[CB]\-importkeystore\f[R] command: |
|
676 |
.RS |
|
677 |
.IP \[bu] 2 |
|
678 |
{\f[CB]\-srckeystore\f[R] \f[I]keystore\f[R]}: Source keystore name |
|
679 |
.IP \[bu] 2 |
|
680 |
{\f[CB]\-destkeystore\f[R] \f[I]keystore\f[R]}: Destination keystore name |
|
681 |
.IP \[bu] 2 |
|
682 |
{\f[CB]\-srcstoretype\f[R] \f[I]type\f[R]}: Source keystore type |
|
683 |
.IP \[bu] 2 |
|
684 |
{\f[CB]\-deststoretype\f[R] \f[I]type\f[R]}: Destination keystore type |
|
685 |
.IP \[bu] 2 |
|
686 |
[\f[CB]\-srcstorepass\f[R] \f[I]arg\f[R]]: Source keystore password |
|
687 |
.IP \[bu] 2 |
|
688 |
[\f[CB]\-deststorepass\f[R] \f[I]arg\f[R]]: Destination keystore password |
|
689 |
.IP \[bu] 2 |
|
690 |
{\f[CB]\-srcprotected\f[R]}: Source keystore password protected |
|
691 |
.IP \[bu] 2 |
|
692 |
{\f[CB]\-destprotected\f[R]}: Destination keystore password protected |
|
693 |
.IP \[bu] 2 |
|
694 |
{\f[CB]\-srcprovidername\f[R] \f[I]name\f[R]}: Source keystore provider |
|
695 |
name |
|
696 |
.IP \[bu] 2 |
|
697 |
{\f[CB]\-destprovidername\f[R] \f[I]name\f[R]}: Destination keystore |
|
698 |
provider name |
|
699 |
.IP \[bu] 2 |
|
700 |
{\f[CB]\-srcalias\f[R] \f[I]alias\f[R]}: Source alias |
|
701 |
.IP \[bu] 2 |
|
702 |
{\f[CB]\-destalias\f[R] \f[I]alias\f[R]}: Destination alias |
|
703 |
.IP \[bu] 2 |
|
704 |
[\f[CB]\-srckeypass\f[R] \f[I]arg\f[R]]: Source key password |
|
705 |
.IP \[bu] 2 |
|
706 |
[\f[CB]\-destkeypass\f[R] \f[I]arg\f[R]]: Destination key password |
|
707 |
.IP \[bu] 2 |
|
708 |
{\f[CB]\-noprompt\f[R]}: Do not prompt |
|
709 |
.IP \[bu] 2 |
|
710 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
711 |
\f[I]arg\f[R]]: Add security provider by name (such as SunPKCS11) with an |
|
712 |
optional configure argument. |
|
713 |
.IP \[bu] 2 |
|
714 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
715 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
716 |
an optional configure argument |
|
717 |
.IP \[bu] 2 |
|
718 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
719 |
.IP \[bu] 2 |
|
720 |
{\f[CB]\-v\f[R]}: Verbose output |
|
721 |
.PP |
|
722 |
\f[B]Note:\f[R] |
|
723 |
.PP |
|
724 |
This is the first line of all options: |
|
725 |
.RS |
|
726 |
.PP |
|
727 |
\f[CB]\-srckeystore\f[R] \f[I]keystore\f[R] \f[CB]\-destkeystore\f[R] |
|
728 |
\f[I]keystore\f[R] |
|
729 |
.RE |
|
730 |
.PP |
|
731 |
Use the \f[CB]\-importkeystore\f[R] command to import a single entry or |
|
732 |
all entries from a source keystore to a destination keystore. |
|
733 |
.PP |
|
734 |
\f[B]Note:\f[R] |
|
735 |
.PP |
|
736 |
If you do not specify \f[CB]\-destkeystore\f[R] when using the |
|
737 |
\f[CB]keytool\ \-importkeystore\f[R] command, then the default keystore |
|
738 |
used is \f[CB]$HOME/.keystore\f[R]. |
|
739 |
.PP |
|
740 |
When the \f[CB]\-srcalias\f[R] option is provided, the command imports the |
|
741 |
single entry identified by the alias to the destination keystore. |
|
742 |
If a destination alias isn\[aq]t provided with \f[CB]\-destalias\f[R], |
|
743 |
then \f[CB]\-srcalias\f[R] is used as the destination alias. |
|
744 |
If the source entry is protected by a password, then |
|
745 |
\f[CB]\-srckeypass\f[R] is used to recover the entry. |
|
746 |
If \f[CB]\-srckeypass\f[R] isn\[aq]t provided, then the \f[CB]keytool\f[R] |
|
747 |
command attempts to use \f[CB]\-srcstorepass\f[R] to recover the entry. |
|
748 |
If \f[CB]\-srcstorepass\f[R] is not provided or is incorrect, then the |
|
749 |
user is prompted for a password. |
|
750 |
The destination entry is protected with \f[CB]\-destkeypass\f[R]. |
|
751 |
If \f[CB]\-destkeypass\f[R] isn\[aq]t provided, then the destination entry |
|
752 |
is protected with the source entry password. |
|
753 |
For example, most third\-party tools require \f[CB]storepass\f[R] and |
|
754 |
\f[CB]keypass\f[R] in a PKCS #12 keystore to be the same. |
|
755 |
To create a PKCS#12 keystore for these tools, always specify a |
|
756 |
\f[CB]\-destkeypass\f[R] that is the same as \f[CB]\-deststorepass\f[R]. |
|
757 |
.PP |
|
758 |
If the \f[CB]\-srcalias\f[R] option isn\[aq]t provided, then all entries |
|
759 |
in the source keystore are imported into the destination keystore. |
|
760 |
Each destination entry is stored under the alias from the source entry. |
|
761 |
If the source entry is protected by a password, then |
|
762 |
\f[CB]\-srcstorepass\f[R] is used to recover the entry. |
|
763 |
If \f[CB]\-srcstorepass\f[R] is not provided or is incorrect, then the |
|
764 |
user is prompted for a password. |
|
765 |
If a source keystore entry type isn\[aq]t supported in the destination |
|
766 |
keystore, or if an error occurs while storing an entry into the |
|
767 |
destination keystore, then the user is prompted either to skip the entry |
|
768 |
and continue or to quit. |
|
769 |
The destination entry is protected with the source entry password. |
|
770 |
.PP |
|
771 |
If the destination alias already exists in the destination keystore, |
|
772 |
then the user is prompted either to overwrite the entry or to create a |
|
773 |
new entry under a different alias name. |
|
774 |
.PP |
|
775 |
If the \f[CB]\-noprompt\f[R] option is provided, then the user isn\[aq]t |
|
776 |
prompted for a new destination alias. |
|
777 |
Existing entries are overwritten with the destination alias name. |
|
778 |
Entries that can\[aq]t be imported are skipped and a warning is |
|
779 |
displayed. |
|
780 |
.RE |
|
781 |
.SH COMMANDS FOR GENERATING A CERTIFICATE REQUEST |
|
782 |
.TP |
|
783 |
.B \f[CB]\-certreq\f[R] |
|
784 |
The following are the available options for the \f[CB]\-certreq\f[R] |
|
785 |
command: |
|
786 |
.RS |
|
787 |
.IP \[bu] 2 |
|
788 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
789 |
.IP \[bu] 2 |
|
790 |
{\f[CB]\-sigalg\f[R] \f[I]alg\f[R]}: Signature algorithm name |
|
791 |
.IP \[bu] 2 |
|
792 |
{\f[CB]\-file\f[R] \f[I]file\f[R]}: Output file name |
|
793 |
.IP \[bu] 2 |
|
794 |
[ \f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password |
|
795 |
.IP \[bu] 2 |
|
796 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
797 |
.IP \[bu] 2 |
|
798 |
{\f[CB]\-dname\f[R] \f[I]name\f[R]}: Distinguished name |
|
799 |
.IP \[bu] 2 |
|
800 |
{\f[CB]\-ext\f[R] \f[I]value\f[R]}: X.509 extension |
|
801 |
.IP \[bu] 2 |
|
802 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
803 |
.IP \[bu] 2 |
|
804 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
805 |
.IP \[bu] 2 |
|
806 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
807 |
.IP \[bu] 2 |
|
808 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
809 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
810 |
an optional configure argument. |
|
811 |
.IP \[bu] 2 |
|
812 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
813 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
814 |
an optional configure argument. |
|
815 |
.IP \[bu] 2 |
|
816 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
817 |
.IP \[bu] 2 |
|
818 |
{\f[CB]\-v\f[R]}: Verbose output |
|
819 |
.IP \[bu] 2 |
|
820 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
821 |
.PP |
|
822 |
Use the \f[CB]\-certreq\f[R] command to generate a Certificate Signing |
|
823 |
Request (CSR) using the PKCS #10 format. |
|
824 |
.PP |
|
825 |
A CSR is intended to be sent to a CA. |
|
826 |
The CA authenticates the certificate requestor (usually offline) and |
|
827 |
returns a certificate or certificate chain to replace the existing |
|
828 |
certificate chain (initially a self\-signed certificate) in the |
|
829 |
keystore. |
|
830 |
.PP |
|
831 |
The private key associated with \f[I]alias\f[R] is used to create the |
|
832 |
PKCS #10 certificate request. |
|
833 |
To access the private key, the correct password must be provided. |
|
834 |
If \f[CB]\-keypass\f[R] isn\[aq]t provided at the command line and is |
|
835 |
different from the password used to protect the integrity of the |
|
836 |
keystore, then the user is prompted for it. |
|
837 |
If \f[CB]\-dname\f[R] is provided, then it is used as the subject in the |
|
838 |
CSR. |
|
839 |
Otherwise, the X.500 Distinguished Name associated with alias is used. |
|
840 |
.PP |
|
841 |
The \f[CB]\-sigalg\f[R] value specifies the algorithm that should be used |
|
842 |
to sign the CSR. |
|
843 |
.PP |
|
844 |
The CSR is stored in the \f[CB]\-file\f[R] \f[I]file\f[R]. |
|
845 |
If a file is not specified, then the CSR is output to \f[CB]\-stdout\f[R]. |
|
846 |
.PP |
|
847 |
Use the \f[CB]\-importcert\f[R] command to import the response from the |
|
848 |
CA. |
|
849 |
.RE |
|
850 |
.SH COMMANDS FOR EXPORTING DATA |
|
851 |
.TP |
|
852 |
.B \f[CB]\-exportcert\f[R] |
|
853 |
The following are the available options for the \f[CB]\-exportcert\f[R] |
|
854 |
command: |
|
855 |
.RS |
|
856 |
.IP \[bu] 2 |
|
857 |
{\f[CB]\-rfc\f[R]}: Output in RFC style |
|
858 |
.IP \[bu] 2 |
|
859 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
860 |
.IP \[bu] 2 |
|
861 |
{\f[CB]\-file\f[R] \f[I]file\f[R]}: Output file name |
|
862 |
.IP \[bu] 2 |
|
863 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
864 |
.IP \[bu] 2 |
|
865 |
{\f[CB]\-cacerts\f[R]}: Access the cacerts keystore |
|
866 |
.IP \[bu] 2 |
|
867 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
868 |
.IP \[bu] 2 |
|
869 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
870 |
.IP \[bu] 2 |
|
871 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
872 |
.IP \[bu] 2 |
|
873 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
874 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
875 |
an optional configure argument. |
|
876 |
.IP \[bu] 2 |
|
877 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
878 |
\f[I]arg\f[R]] }: Add security provider by fully qualified class name |
|
879 |
with an optional configure argument. |
|
880 |
.IP \[bu] 2 |
|
881 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
882 |
.IP \[bu] 2 |
|
883 |
{\f[CB]\-v\f[R]}: Verbose output |
|
884 |
.IP \[bu] 2 |
|
885 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
886 |
.PP |
|
887 |
Use the \f[CB]\-exportcert\f[R] command to read a certificate from the |
|
888 |
keystore that is associated with \f[CB]\-alias\f[R] \f[I]alias\f[R] and |
|
889 |
store it in the \f[CB]\-file\f[R] \f[I]file\f[R]. |
|
890 |
When a file is not specified, the certificate is output to |
|
891 |
\f[CB]stdout\f[R]. |
|
892 |
.PP |
|
893 |
By default, the certificate is output in binary encoding. |
|
894 |
If the \f[CB]\-rfc\f[R] option is specified, then the output in the |
|
895 |
printable encoding format defined by the Internet RFC 1421 Certificate |
|
896 |
Encoding Standard. |
|
21743 | 897 |
.PP |
55140 | 898 |
If \f[CB]\-alias\f[R] refers to a trusted certificate, then that |
899 |
certificate is output. |
|
900 |
Otherwise, \f[CB]\-alias\f[R] refers to a key entry with an associated |
|
901 |
certificate chain. |
|
902 |
In that case, the first certificate in the chain is returned. |
|
903 |
This certificate authenticates the public key of the entity addressed by |
|
904 |
\f[CB]\-alias\f[R]. |
|
905 |
.RE |
|
906 |
.SH COMMANDS FOR DISPLAYING DATA |
|
907 |
.TP |
|
908 |
.B \f[CB]\-list\f[R] |
|
909 |
The following are the available options for the \f[CB]\-list\f[R] command: |
|
910 |
.RS |
|
911 |
.IP \[bu] 2 |
|
912 |
{\f[CB]\-rfc\f[R]}: Output in RFC style |
|
913 |
.IP \[bu] 2 |
|
914 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
915 |
.IP \[bu] 2 |
|
916 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
917 |
.IP \[bu] 2 |
|
918 |
{\f[CB]\-cacerts\f[R]}: Access the cacerts keystore |
|
919 |
.IP \[bu] 2 |
|
920 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
921 |
.IP \[bu] 2 |
|
922 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
923 |
.IP \[bu] 2 |
|
924 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
925 |
.IP \[bu] 2 |
|
926 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
927 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
928 |
an optional configure argument. |
|
929 |
.IP \[bu] 2 |
|
930 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
931 |
\f[I]arg\f[R]] }: Add security provider by fully qualified class name |
|
932 |
with an optional configure argument. |
|
933 |
.IP \[bu] 2 |
|
934 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
935 |
.IP \[bu] 2 |
|
936 |
{\f[CB]\-v\f[R]}: Verbose output |
|
937 |
.IP \[bu] 2 |
|
938 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
939 |
.PP |
|
940 |
Use the \f[CB]\-list\f[R] command to print the contents of the keystore |
|
941 |
entry identified by \f[CB]\-alias\f[R] to \f[CB]stdout\f[R]. |
|
942 |
If \f[CB]\-alias\f[R] \f[I]alias\f[R] is not specified, then the contents |
|
943 |
of the entire keystore are printed. |
|
944 |
.PP |
|
945 |
By default, this command prints the SHA\-256 fingerprint of a |
|
946 |
certificate. |
|
947 |
If the \f[CB]\-v\f[R] option is specified, then the certificate is printed |
|
948 |
in human\-readable format, with additional information such as the |
|
949 |
owner, issuer, serial number, and any extensions. |
|
950 |
If the \f[CB]\-rfc\f[R] option is specified, then the certificate contents |
|
951 |
are printed by using the printable encoding format, as defined by the |
|
952 |
Internet RFC 1421 Certificate Encoding Standard. |
|
953 |
.PP |
|
954 |
\f[B]Note:\f[R] |
|
955 |
.PP |
|
956 |
You can\[aq]t specify both \f[CB]\-v\f[R] and \f[CB]\-rfc\f[R] in the same |
|
957 |
command. |
|
958 |
Otherwise, an error is reported. |
|
959 |
.RE |
|
960 |
.TP |
|
961 |
.B \f[CB]\-printcert\f[R] |
|
962 |
The following are the available options for the \f[CB]\-printcert\f[R] |
|
963 |
command: |
|
964 |
.RS |
|
965 |
.IP \[bu] 2 |
|
966 |
{\f[CB]\-rfc\f[R]}: Output in RFC style |
|
967 |
.IP \[bu] 2 |
|
968 |
{\f[CB]\-file\f[R] \f[I]cert_file\f[R]}: Input file name |
|
969 |
.IP \[bu] 2 |
|
970 |
{\f[CB]\-sslserver\f[R] \f[I]server\f[R][\f[CB]:\f[R]\f[I]port\f[R]]}:: Secure |
|
971 |
Sockets Layer (SSL) server host and port |
|
972 |
.IP \[bu] 2 |
|
973 |
{\f[CB]\-jarfile\f[R] \f[I]JAR_file\f[R]}: Signed \f[CB]\&.jar\f[R] file |
|
974 |
.IP \[bu] 2 |
|
975 |
{\f[CB]\-v\f[R]}: Verbose output |
|
976 |
.PP |
|
977 |
Use the \f[CB]\-printcert\f[R] command to read and print the certificate |
|
978 |
from \f[CB]\-file\f[R] \f[I]cert_file\f[R], the SSL server located at |
|
979 |
\f[CB]\-sslserver\f[R] \f[I]server\f[R][\f[CB]:\f[R]\f[I]port\f[R]], or the |
|
980 |
signed JAR file specified by \f[CB]\-jarfile\f[R] \f[I]JAR_file\f[R]. |
|
981 |
It prints its contents in a human\-readable format. |
|
982 |
When a port is not specified, the standard HTTPS port 443 is assumed. |
|
983 |
.PP |
|
984 |
\f[B]Note:\f[R] |
|
985 |
.PP |
|
986 |
The \f[CB]\-sslserver\f[R] and \f[CB]\-file\f[R] options can\[aq]t be |
|
987 |
provided in the same command. |
|
988 |
Otherwise, an error is reported. |
|
989 |
If you don\[aq]t specify either option, then the certificate is read |
|
990 |
from \f[CB]stdin\f[R]. |
|
991 |
.PP |
|
992 |
When\f[CB]\-rfc\f[R] is specified, the \f[CB]keytool\f[R] command prints the |
|
993 |
certificate in PEM mode as defined by the Internet RFC 1421 Certificate |
|
994 |
Encoding standard. |
|
995 |
.PP |
|
996 |
If the certificate is read from a file or \f[CB]stdin\f[R], then it might |
|
997 |
be either binary encoded or in printable encoding format, as defined by |
|
998 |
the RFC 1421 Certificate Encoding standard. |
|
999 |
.PP |
|
1000 |
If the SSL server is behind a firewall, then the |
|
1001 |
\f[CB]\-J\-Dhttps.proxyHost=proxyhost\f[R] and |
|
1002 |
\f[CB]\-J\-Dhttps.proxyPort=proxyport\f[R] options can be specified on the |
|
1003 |
command line for proxy tunneling. |
|
1004 |
.PP |
|
1005 |
\f[B]Note:\f[R] |
|
1006 |
.PP |
|
1007 |
This option can be used independently of a keystore. |
|
1008 |
.RE |
|
1009 |
.TP |
|
1010 |
.B \f[CB]\-printcertreq\f[R] |
|
1011 |
The following are the available options for the \f[CB]\-printcertreq\f[R] |
|
1012 |
command: |
|
1013 |
.RS |
|
1014 |
.IP \[bu] 2 |
|
1015 |
{\f[CB]\-file\f[R] \f[I]file\f[R]}: Input file name |
|
1016 |
.IP \[bu] 2 |
|
1017 |
{\f[CB]\-v\f[R]}: Verbose output |
|
1018 |
.PP |
|
1019 |
Use the \f[CB]\-printcertreq\f[R] command to print the contents of a PKCS |
|
1020 |
#10 format certificate request, which can be generated by the |
|
1021 |
\f[CB]keytool\ \-certreq\f[R] command. |
|
1022 |
The command reads the request from file. |
|
1023 |
If there is no file, then the request is read from the standard input. |
|
1024 |
.RE |
|
1025 |
.TP |
|
1026 |
.B \f[CB]\-printcrl\f[R] |
|
1027 |
The following are the available options for the \f[CB]\-printcrl\f[R] |
|
1028 |
command: |
|
1029 |
.RS |
|
1030 |
.IP \[bu] 2 |
|
1031 |
\f[CB]\-file\ crl\f[R]: Input file name |
|
1032 |
.IP \[bu] 2 |
|
1033 |
{\f[CB]\-v\f[R]}: Verbose output |
|
1034 |
.PP |
|
1035 |
Use the \f[CB]\-printcrl\f[R] command to read the Certificate Revocation |
|
1036 |
List (CRL) from \f[CB]\-file\ crl\f[R] . |
|
1037 |
A CRL is a list of the digital certificates that were revoked by the CA |
|
1038 |
that issued them. |
|
1039 |
The CA generates the \f[CB]crl\f[R] file. |
|
1040 |
.PP |
|
1041 |
\f[B]Note:\f[R] |
|
1042 |
.PP |
|
1043 |
This option can be used independently of a keystore. |
|
1044 |
.RE |
|
1045 |
.SH COMMANDS FOR MANAGING THE KEYSTORE |
|
1046 |
.TP |
|
1047 |
.B \f[CB]\-storepasswd\f[R] |
|
1048 |
The following are the available options for the \f[CB]\-storepasswd\f[R] |
|
1049 |
command: |
|
1050 |
.RS |
|
1051 |
.IP \[bu] 2 |
|
1052 |
[\f[CB]\-new\f[R] \f[I]arg\f[R]]: New password |
|
1053 |
.IP \[bu] 2 |
|
1054 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
1055 |
.IP \[bu] 2 |
|
1056 |
{\f[CB]\-cacerts\f[R]}: Access the cacerts keystore |
|
1057 |
.IP \[bu] 2 |
|
1058 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
1059 |
.IP \[bu] 2 |
|
1060 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
1061 |
.IP \[bu] 2 |
|
1062 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
1063 |
.IP \[bu] 2 |
|
1064 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
1065 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
1066 |
an optional configure argument. |
|
1067 |
.IP \[bu] 2 |
|
1068 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
1069 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
1070 |
an optional configure argument. |
|
1071 |
.IP \[bu] 2 |
|
1072 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
1073 |
.IP \[bu] 2 |
|
1074 |
{\f[CB]\-v\f[R]}: Verbose output |
|
21743 | 1075 |
.PP |
55140 | 1076 |
Use the \f[CB]\-storepasswd\f[R] command to change the password used to |
1077 |
protect the integrity of the keystore contents. |
|
1078 |
The new password is set by \f[CB]\-new\f[R] \f[I]arg\f[R] and must contain |
|
1079 |
at least six characters. |
|
1080 |
.RE |
|
1081 |
.TP |
|
1082 |
.B \f[CB]\-keypasswd\f[R] |
|
1083 |
The following are the available options for the \f[CB]\-keypasswd\f[R] |
|
1084 |
command: |
|
1085 |
.RS |
|
1086 |
.IP \[bu] 2 |
|
1087 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
1088 |
.IP \[bu] 2 |
|
1089 |
[\f[CB]\-keypass\f[R] \f[I]old_keypass\f[R]]: Key password |
|
1090 |
.IP \[bu] 2 |
|
1091 |
[\f[CB]\-new\f[R] \f[I]new_keypass\f[R]]: New password |
|
1092 |
.IP \[bu] 2 |
|
1093 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
1094 |
.IP \[bu] 2 |
|
1095 |
{\f[CB]\-storepass\f[R] \f[I]arg\f[R]}: Keystore password |
|
1096 |
.IP \[bu] 2 |
|
1097 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
1098 |
.IP \[bu] 2 |
|
1099 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
1100 |
.IP \[bu] 2 |
|
1101 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
1102 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
1103 |
an optional configure argument. |
|
1104 |
.IP \[bu] 2 |
|
1105 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
1106 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
1107 |
an optional configure argument. |
|
1108 |
.IP \[bu] 2 |
|
1109 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
1110 |
.IP \[bu] 2 |
|
1111 |
{\f[CB]\-v\f[R]}: Verbose output |
|
1112 |
.PP |
|
1113 |
Use the \f[CB]\-keypasswd\f[R] command to change the password (under which |
|
1114 |
private/secret keys identified by \f[CB]\-alias\f[R] are protected) from |
|
1115 |
\f[CB]\-keypass\f[R] \f[I]old_keypass\f[R] to \f[CB]\-new\f[R] |
|
1116 |
\f[I]new_keypass\f[R]. |
|
1117 |
The password value must contain at least six characters. |
|
1118 |
.PP |
|
1119 |
If the \f[CB]\-keypass\f[R] option isn\[aq]t provided at the command line |
|
1120 |
and the \f[CB]\-keypass\f[R] password is different from the keystore |
|
1121 |
password (\f[CB]\-storepass\f[R] \f[I]arg\f[R]), then the user is prompted |
|
1122 |
for it. |
|
1123 |
.PP |
|
1124 |
If the \f[CB]\-new\f[R] option isn\[aq]t provided at the command line, |
|
1125 |
then the user is prompted for it. |
|
1126 |
.RE |
|
1127 |
.TP |
|
1128 |
.B \f[CB]\-delete\f[R] |
|
1129 |
The following are the available options for the \f[CB]\-delete\f[R] |
|
1130 |
command: |
|
1131 |
.RS |
|
1132 |
.IP \[bu] 2 |
|
1133 |
[\f[CB]\-alias\f[R] \f[I]alias\f[R]]: Alias name of the entry to process |
|
1134 |
.IP \[bu] 2 |
|
1135 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
1136 |
.IP \[bu] 2 |
|
1137 |
{\f[CB]\-cacerts\f[R]}: Access the cacerts keystore |
|
1138 |
.IP \[bu] 2 |
|
1139 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
1140 |
.IP \[bu] 2 |
|
1141 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
1142 |
.IP \[bu] 2 |
|
1143 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
1144 |
.IP \[bu] 2 |
|
1145 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
1146 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
1147 |
an optional configure argument. |
|
1148 |
.IP \[bu] 2 |
|
1149 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
1150 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
1151 |
an optional configure argument. |
|
1152 |
.IP \[bu] 2 |
|
1153 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
1154 |
.IP \[bu] 2 |
|
1155 |
{\f[CB]\-v\f[R]}: Verbose output |
|
1156 |
.IP \[bu] 2 |
|
1157 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
21743 | 1158 |
.PP |
55140 | 1159 |
Use the \f[CB]\-delete\f[R] command to delete the \f[CB]\-alias\f[R] |
1160 |
\f[I]alias\f[R] entry from the keystore. |
|
1161 |
When not provided at the command line, the user is prompted for the |
|
1162 |
\f[CB]alias\f[R]. |
|
1163 |
.RE |
|
1164 |
.TP |
|
1165 |
.B \f[CB]\-changealias\f[R] |
|
1166 |
The following are the available options for the \f[CB]\-changealias\f[R] |
|
1167 |
command: |
|
1168 |
.RS |
|
1169 |
.IP \[bu] 2 |
|
1170 |
{\f[CB]\-alias\f[R] \f[I]alias\f[R]}: Alias name of the entry to process |
|
1171 |
.IP \[bu] 2 |
|
1172 |
[\f[CB]\-destalias\f[R] \f[I]alias\f[R]]: Destination alias |
|
1173 |
.IP \[bu] 2 |
|
1174 |
[\f[CB]\-keypass\f[R] \f[I]arg\f[R]]: Key password |
|
1175 |
.IP \[bu] 2 |
|
1176 |
{\f[CB]\-keystore\f[R] \f[I]keystore\f[R]}: Keystore name |
|
1177 |
.IP \[bu] 2 |
|
1178 |
{\f[CB]\-cacerts\f[R]}: Access the cacerts keystore |
|
1179 |
.IP \[bu] 2 |
|
1180 |
[\f[CB]\-storepass\f[R] \f[I]arg\f[R]]: Keystore password |
|
1181 |
.IP \[bu] 2 |
|
1182 |
{\f[CB]\-storetype\f[R] \f[I]type\f[R]}: Keystore type |
|
1183 |
.IP \[bu] 2 |
|
1184 |
{\f[CB]\-providername\f[R] \f[I]name\f[R]}: Provider name |
|
1185 |
.IP \[bu] 2 |
|
1186 |
{\f[CB]\-addprovider\f[R] \f[I]name\f[R] [\f[CB]\-providerarg\f[R] |
|
1187 |
\f[I]arg\f[R]]}: Add security provider by name (such as SunPKCS11) with |
|
1188 |
an optional configure argument. |
|
1189 |
.IP \[bu] 2 |
|
1190 |
{\f[CB]\-providerclass\f[R] \f[I]class\f[R] [\f[CB]\-providerarg\f[R] |
|
1191 |
\f[I]arg\f[R]]}: Add security provider by fully qualified class name with |
|
1192 |
an optional configure argument. |
|
1193 |
.IP \[bu] 2 |
|
1194 |
{\f[CB]\-providerpath\f[R] \f[I]list\f[R]}: Provider classpath |
|
1195 |
.IP \[bu] 2 |
|
1196 |
{\f[CB]\-v\f[R]}: Verbose output |
|
1197 |
.IP \[bu] 2 |
|
1198 |
{\f[CB]\-protected\f[R]}: Password provided through a protected mechanism |
|
1199 |
.PP |
|
1200 |
Use the \f[CB]\-changealias\f[R] command to move an existing keystore |
|
1201 |
entry from \f[CB]\-alias\f[R] \f[I]alias\f[R] to a new \f[CB]\-destalias\f[R] |
|
1202 |
\f[I]alias\f[R]. |
|
1203 |
If a destination alias is not provided, then the command prompts you for |
|
1204 |
one. |
|
1205 |
If the original entry is protected with an entry password, then the |
|
1206 |
password can be supplied with the \f[CB]\-keypass\f[R] option. |
|
1207 |
If a key password is not provided, then the \f[CB]\-storepass\f[R] (if |
|
1208 |
provided) is attempted first. |
|
1209 |
If the attempt fails, then the user is prompted for a password. |
|
1210 |
.RE |
|
1211 |
.SH COMMANDS FOR DISPLAYING SECURITY\-RELATED INFORMATION |
|
1212 |
.TP |
|
1213 |
.B \f[CB]\-showinfo\f[R] |
|
1214 |
The following are the available options for the \f[CB]\-showinfo\f[R] |
|
1215 |
command: |
|
1216 |
.RS |
|
1217 |
.IP \[bu] 2 |
|
1218 |
{\f[CB]\-tls\f[R]}: Displays TLS configuration information |
|
1219 |
.IP \[bu] 2 |
|
1220 |
{\f[CB]\-v\f[R]}: Verbose output |
|
1221 |
.PP |
|
1222 |
Use the \f[CB]\-showinfo\f[R] command to display various security\-related |
|
1223 |
information. |
|
1224 |
The \f[CB]\-tls\f[R] option displays TLS configurations, such as the list |
|
1225 |
of enabled protocols and cipher suites. |
|
1226 |
.RE |
|
1227 |
.SH COMMANDS FOR DISPLAYING HELP INFORMATION |
|
1228 |
.PP |
|
1229 |
You can use \f[CB]\-\-help\f[R] to display a list of \f[CB]keytool\f[R] |
|
1230 |
commands or to display help information about a specific |
|
1231 |
\f[CB]keytool\f[R] command. |
|
1232 |
.IP \[bu] 2 |
|
1233 |
To display a list of \f[CB]keytool\f[R] commands, enter: |
|
1234 |
.RS 2 |
|
1235 |
.RS |
|
1236 |
.PP |
|
1237 |
\f[CB]keytool\ \-\-help\f[R] |
|
1238 |
.RE |
|
1239 |
.RE |
|
1240 |
.IP \[bu] 2 |
|
1241 |
To display help information about a specific \f[CB]keytool\f[R] command, |
|
1242 |
enter: |
|
1243 |
.RS 2 |
|
1244 |
.RS |
|
1245 |
.PP |
|
1246 |
\f[CB]keytool\ \-<command>\ \-\-help\f[R] |
|
1247 |
.RE |
|
1248 |
.RE |
|
1249 |
.SH COMMON COMMAND OPTIONS |
|
1250 |
.PP |
|
1251 |
The \f[CB]\-v\f[R] option can appear for all commands except |
|
1252 |
\f[CB]\-\-help\f[R]. |
|
1253 |
When the \f[CB]\-v\f[R] option appears, it signifies verbose mode, which |
|
1254 |
means that more information is provided in the output. |
|
1255 |
.PP |
|
1256 |
The \f[CB]\-J\f[R]\f[I]option\f[R] argument can appear for any command. |
|
1257 |
When the \f[CB]\-J\f[R]\f[I]option\f[R] is used, the specified |
|
1258 |
\f[I]option\f[R] string is passed directly to the Java interpreter. |
|
1259 |
This option doesn\[aq]t contain any spaces. |
|
1260 |
It\[aq]s useful for adjusting the execution environment or memory usage. |
|
1261 |
For a list of possible interpreter options, enter \f[CB]java\ \-h\f[R] or |
|
1262 |
\f[CB]java\ \-X\f[R] at the command line. |
|
21743 | 1263 |
.PP |
1264 |
These options can appear for all commands operating on a keystore: |
|
1265 |
.TP |
|
55140 | 1266 |
.B \f[CB]\-storetype\f[R] \f[I]storetype\f[R] |
1267 |
This qualifier specifies the type of keystore to be instantiated. |
|
1268 |
.RS |
|
1269 |
.RE |
|
21743 | 1270 |
.TP |
55140 | 1271 |
.B \f[CB]\-keystore\f[R] \f[I]keystore\f[R] |
1272 |
The keystore location. |
|
1273 |
.RS |
|
1274 |
.PP |
|
1275 |
If the JKS \f[CB]storetype\f[R] is used and a keystore file doesn\[aq]t |
|
1276 |
yet exist, then certain \f[CB]keytool\f[R] commands can result in a new |
|
1277 |
keystore file being created. |
|
1278 |
For example, if \f[CB]keytool\ \-genkeypair\f[R] is called and the |
|
1279 |
\f[CB]\-keystore\f[R] option isn\[aq]t specified, the default keystore |
|
1280 |
file named \f[CB]\&.keystore\f[R] is created in the user\[aq]s home |
|
1281 |
directory if it doesn\[aq]t already exist. |
|
1282 |
Similarly, if the \f[CB]\-keystore\ ks_file\f[R] option is specified but |
|
1283 |
\f[CB]ks_file\f[R] doesn\[aq]t exist, then it is created. |
|
1284 |
For more information on the JKS \f[CB]storetype\f[R], see the |
|
1285 |
\f[B]KeyStore Implementation\f[R] section in \f[B]KeyStore aliases\f[R]. |
|
1286 |
.PP |
|
1287 |
Note that the input stream from the \f[CB]\-keystore\f[R] option is passed |
|
1288 |
to the \f[CB]KeyStore.load\f[R] method. |
|
1289 |
If \f[CB]NONE\f[R] is specified as the URL, then a null stream is passed |
|
1290 |
to the \f[CB]KeyStore.load\f[R] method. |
|
1291 |
\f[CB]NONE\f[R] should be specified if the keystore isn\[aq]t file\-based. |
|
1292 |
For example, when the keystore resides on a hardware token device. |
|
1293 |
.RE |
|
21743 | 1294 |
.TP |
55140 | 1295 |
.B \f[CB]\-cacerts\f[R] \f[I]cacerts\f[R] |
1296 |
Operates on the \f[I]cacerts\f[R] keystore . |
|
1297 |
This option is equivalent to \f[CB]\-keystore\f[R] |
|
1298 |
\f[I]path_to_cacerts\f[R] \f[CB]\-storetype\f[R] \f[I]type_of_cacerts\f[R]. |
|
1299 |
An error is reported if the \f[CB]\-keystore\f[R] or \f[CB]\-storetype\f[R] |
|
1300 |
option is used with the \f[CB]\-cacerts\f[R] option. |
|
1301 |
.RS |
|
1302 |
.RE |
|
21743 | 1303 |
.TP |
55140 | 1304 |
.B \f[CB]\-storepass\f[R] [\f[CB]:env\f[R] | \f[CB]:file\f[R] ] \f[I]argument\f[R] |
1305 |
The password that is used to protect the integrity of the keystore. |
|
1306 |
.RS |
|
21743 | 1307 |
.PP |
55140 | 1308 |
If the modifier \f[CB]env\f[R] or \f[CB]file\f[R] isn\[aq]t specified, then |
1309 |
the password has the value \f[I]argument\f[R], which must contain at |
|
1310 |
least six characters. |
|
1311 |
Otherwise, the password is retrieved as follows: |
|
1312 |
.IP \[bu] 2 |
|
1313 |
\f[CB]env\f[R]: Retrieve the password from the environment variable named |
|
1314 |
\f[I]argument\f[R]. |
|
1315 |
.IP \[bu] 2 |
|
1316 |
\f[CB]file\f[R]: Retrieve the password from the file named |
|
1317 |
\f[I]argument\f[R]. |
|
21743 | 1318 |
.PP |
55140 | 1319 |
\f[B]Note:\f[R] All other options that require passwords, such as |
1320 |
\f[CB]\-keypass\f[R], \f[CB]\-srckeypass\f[R], \f[CB]\-destkeypass\f[R], |
|
1321 |
\f[CB]\-srcstorepass\f[R], and \f[CB]\-deststorepass\f[R], accept the |
|
1322 |
\f[CB]env\f[R] and \f[CB]file\f[R] modifiers. |
|
1323 |
Remember to separate the password option and the modifier with a colon |
|
1324 |
(:). |
|
21743 | 1325 |
.PP |
55140 | 1326 |
The password must be provided to all commands that access the keystore |
1327 |
contents. |
|
1328 |
For such commands, when the \f[CB]\-storepass\f[R] option isn\[aq]t |
|
1329 |
provided at the command line, the user is prompted for it. |
|
21743 | 1330 |
.PP |
55140 | 1331 |
When retrieving information from the keystore, the password is optional. |
1332 |
If a password is not specified, then the integrity of the retrieved |
|
1333 |
information can\[aq]t be verified and a warning is displayed. |
|
1334 |
.RE |
|
1335 |
.TP |
|
1336 |
.B \f[CB]\-providername\f[R] \f[I]name\f[R] |
|
1337 |
Used to identify a cryptographic service provider\[aq]s name when listed |
|
1338 |
in the security properties file. |
|
1339 |
.RS |
|
1340 |
.RE |
|
1341 |
.TP |
|
1342 |
.B \f[CB]\-addprovider\f[R] \f[I]name\f[R] |
|
1343 |
Used to add a security provider by name (such as SunPKCS11) . |
|
1344 |
.RS |
|
1345 |
.RE |
|
1346 |
.TP |
|
1347 |
.B \f[CB]\-providerclass\f[R] \f[I]class\f[R] |
|
1348 |
Used to specify the name of a cryptographic service provider\[aq]s |
|
1349 |
master class file when the service provider isn\[aq]t listed in the |
|
1350 |
security properties file. |
|
1351 |
.RS |
|
1352 |
.RE |
|
1353 |
.TP |
|
1354 |
.B \f[CB]\-providerpath\f[R] \f[I]list\f[R] |
|
1355 |
Used to specify the provider classpath. |
|
1356 |
.RS |
|
1357 |
.RE |
|
1358 |
.TP |
|
1359 |
.B \f[CB]\-providerarg\f[R] \f[I]arg\f[R] |
|
1360 |
Used with the \f[CB]\-addprovider\f[R] or \f[CB]\-providerclass\f[R] option |
|
1361 |
to represent an optional string input argument for the constructor of |
|
1362 |
\f[I]class\f[R] name. |
|
1363 |
.RS |
|
1364 |
.RE |
|
1365 |
.TP |
|
1366 |
.B \f[CB]\-protected=true\f[R]|\f[CB]false\f[R] |
|
1367 |
Specify this value as \f[CB]true\f[R] when a password must be specified by |
|
1368 |
way of a protected authentication path, such as a dedicated PIN reader. |
|
1369 |
Because there are two keystores involved in the |
|
1370 |
\f[CB]\-importkeystore\f[R] command, the following two options, |
|
1371 |
\f[CB]\-srcprotected\f[R] and \f[CB]\-destprotected\f[R], are provided for |
|
1372 |
the source keystore and the destination keystore respectively. |
|
1373 |
.RS |
|
1374 |
.RE |
|
1375 |
.TP |
|
1376 |
.B \f[CB]\-ext\f[R] {\f[I]name\f[R]{\f[CB]:critical\f[R]} {\f[CB]=\f[R]\f[I]value\f[R]}} |
|
1377 |
Denotes an X.509 certificate extension. |
|
1378 |
The option can be used in \f[CB]\-genkeypair\f[R] and \f[CB]\-gencert\f[R] |
|
1379 |
to embed extensions into the generated certificate, or in |
|
1380 |
\f[CB]\-certreq\f[R] to show what extensions are requested in the |
|
1381 |
certificate request. |
|
1382 |
The option can appear multiple times. |
|
1383 |
The \f[I]name\f[R] argument can be a supported extension name (see |
|
1384 |
\f[B]Supported Named Extensions\f[R]) or an arbitrary OID number. |
|
1385 |
The \f[I]value\f[R] argument, when provided, denotes the argument for the |
|
1386 |
extension. |
|
1387 |
When \f[I]value\f[R] is omitted, the default value of the extension or |
|
1388 |
the extension itself requires no argument. |
|
1389 |
The \f[CB]:critical\f[R] modifier, when provided, means the |
|
1390 |
extension\[aq]s \f[CB]isCritical\f[R] attribute is \f[CB]true\f[R]; |
|
1391 |
otherwise, it is \f[CB]false\f[R]. |
|
1392 |
You can use \f[CB]:c\f[R] in place of \f[CB]:critical\f[R]. |
|
1393 |
.RS |
|
1394 |
.RE |
|
1395 |
.TP |
|
1396 |
.B \f[CB]\-conf\f[R] \f[I]file\f[R] |
|
1397 |
Specifies a pre\-configured options file. |
|
1398 |
.RS |
|
1399 |
.RE |
|
1400 |
.SH PRE\-CONFIGURED OPTIONS FILE |
|
1401 |
.PP |
|
1402 |
A pre\-configured options file is a Java properties file that can be |
|
1403 |
specified with the \f[CB]\-conf\f[R] option. |
|
1404 |
Each property represents the default option(s) for a keytool command |
|
1405 |
using "keytool.\f[I]command_name\f[R]" as the property name. |
|
1406 |
A special property named "keytool.all" represents the default option(s) |
|
1407 |
applied to all commands. |
|
1408 |
A property value can include \f[CB]${prop}\f[R] which will be expanded to |
|
1409 |
the system property associated with it. |
|
1410 |
If an option value includes white spaces inside, it should be surrounded |
|
1411 |
by quotation marks (" or \[aq]). |
|
1412 |
All property names must be in lower case. |
|
1413 |
.PP |
|
1414 |
When \f[CB]keytool\f[R] is launched with a pre\-configured options file, |
|
1415 |
the value for "keytool.all" (if it exists) is prepended to the |
|
1416 |
\f[CB]keytool\f[R] command line first, with the value for the command name |
|
1417 |
(if it exists) comes next, and the existing options on the command line |
|
1418 |
at last. |
|
1419 |
For a single\-valued option, this allows the property for a specific |
|
1420 |
command to override the "keytool.all" value, and the value specified on |
|
1421 |
the command line to override both. |
|
1422 |
For multiple\-valued options, all of them will be used by |
|
1423 |
\f[CB]keytool\f[R]. |
|
1424 |
.PP |
|
1425 |
For example, given the following file named \f[CB]preconfig\f[R]: |
|
1426 |
.IP |
|
1427 |
.nf |
|
1428 |
\f[CB] |
|
1429 |
\ \ \ \ #\ A\ tiny\ pre\-configured\ options\ file |
|
1430 |
\ \ \ \ keytool.all\ =\ \-keystore\ ${user.home}/ks |
|
1431 |
\ \ \ \ keytool.list\ =\ \-v |
|
1432 |
\ \ \ \ keytool.genkeypair\ =\ \-keyalg\ rsa |
|
1433 |
\f[R] |
|
1434 |
.fi |
|
1435 |
.PP |
|
1436 |
\f[CB]keytool\ \-conf\ preconfig\ \-list\f[R] is identical to |
|
1437 |
.RS |
|
1438 |
.PP |
|
1439 |
\f[CB]keytool\ \-keystore\ ~/ks\ \-v\ \-list\f[R] |
|
1440 |
.RE |
|
1441 |
.PP |
|
1442 |
\f[CB]keytool\ \-conf\ preconfig\ \-genkeypair\ \-alias\ me\f[R] is |
|
1443 |
identical to |
|
1444 |
.RS |
|
1445 |
.PP |
|
1446 |
\f[CB]keytool\ \-keystore\ ~/ks\ \-keyalg\ rsa\ \-genkeypair\ \-alias\ me\f[R] |
|
1447 |
.RE |
|
1448 |
.PP |
|
1449 |
\f[CB]keytool\ \-conf\ preconfig\ \-genkeypair\ \-alias\ you\ \-keyalg\ ec\f[R] |
|
1450 |
is identical to |
|
1451 |
.RS |
|
1452 |
.PP |
|
1453 |
\f[CB]keytool\ \-keystore\ ~/ks\ \-keyalg\ rsa\ \-genkeypair\ \-alias\ you\ \-keyalg\ ec\f[R] |
|
1454 |
.RE |
|
1455 |
.PP |
|
1456 |
which is equivalent to |
|
1457 |
.RS |
|
1458 |
.PP |
|
1459 |
\f[CB]keytool\ \-keystore\ ~/ks\ \-genkeypair\ \-alias\ you\ \-keyalg\ ec\f[R] |
|
1460 |
.RE |
|
1461 |
.PP |
|
1462 |
because \f[CB]\-keyalg\f[R] is a single\-valued option and the \f[CB]ec\f[R] |
|
1463 |
value specified on the command line overrides the preconfigured options |
|
1464 |
file. |
|
1465 |
.SH EXAMPLES OF OPTION VALUES |
|
1466 |
.PP |
|
1467 |
The following examples show the defaults for various option values: |
|
1468 |
.IP |
|
1469 |
.nf |
|
1470 |
\f[CB] |
|
1471 |
\-alias\ "mykey" |
|
21743 | 1472 |
|
55140 | 1473 |
\-keyalg |
1474 |
\ \ \ \ "DSA"\ (when\ using\ \-genkeypair) |
|
1475 |
\ \ \ \ "DES"\ (when\ using\ \-genseckey) |
|
21743 | 1476 |
|
55140 | 1477 |
\-keysize |
1478 |
\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "RSA") |
|
1479 |
\ \ \ \ 2048\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "DSA") |
|
1480 |
\ \ \ \ 256\ (when\ using\ \-genkeypair\ and\ \-keyalg\ is\ "EC") |
|
1481 |
\ \ \ \ 56\ (when\ using\ \-genseckey\ and\ \-keyalg\ is\ "DES") |
|
1482 |
\ \ \ \ 168\ (when\ using\ \-genseckey\ and\ \-keyalg\ is\ "DESede") |
|
21743 | 1483 |
|
55140 | 1484 |
\-validity\ 90 |
21743 | 1485 |
|
55140 | 1486 |
\-keystore\ <the\ file\ named\ .keystore\ in\ the\ user\[aq]s\ home\ directory> |
21743 | 1487 |
|
55140 | 1488 |
\-destkeystore\ <the\ file\ named\ .keystore\ in\ the\ user\[aq]s\ home\ directory> |
21743 | 1489 |
|
55140 | 1490 |
\-storetype\ <the\ value\ of\ the\ "keystore.type"\ property\ in\ the |
1491 |
\ \ \ \ security\ properties\ file,\ which\ is\ returned\ by\ the\ static |
|
1492 |
\ \ \ \ getDefaultType\ method\ in\ java.security.KeyStore> |
|
21743 | 1493 |
|
55140 | 1494 |
\-file |
1495 |
\ \ \ \ stdin\ (if\ reading) |
|
1496 |
\ \ \ \ stdout\ (if\ writing) |
|
31876
91b22707521a
8131105: Header Template for nroff man pages *.1 files contains errors
mfang
parents:
21743
diff
changeset
|
1497 |
|
55140 | 1498 |
\-protected\ false |
1499 |
\f[R] |
|
1500 |
.fi |
|
1501 |
.PP |
|
1502 |
When generating a certificate or a certificate request, the default |
|
1503 |
signature algorithm (\f[CB]\-sigalg\f[R] option) is derived from the |
|
1504 |
algorithm of the underlying private key to provide an appropriate level |
|
1505 |
of security strength as follows: |
|
1506 |
.PP |
|
1507 |
.TS |
|
1508 |
tab(@); |
|
1509 |
l l l. |
|
1510 |
T{ |
|
1511 |
keyalg |
|
1512 |
T}@T{ |
|
1513 |
keysize |
|
1514 |
T}@T{ |
|
1515 |
default sigalg |
|
1516 |
T} |
|
1517 |
_ |
|
1518 |
T{ |
|
1519 |
DSA |
|
1520 |
T}@T{ |
|
1521 |
any size |
|
1522 |
T}@T{ |
|
1523 |
SHA256withDSA |
|
1524 |
T} |
|
1525 |
T{ |
|
1526 |
RSA \ \ \ |
|
1527 |
T}@T{ |
|
1528 |
<= 3072 |
|
1529 |
T}@T{ |
|
1530 |
SHA256withRSA |
|
1531 |
T} |
|
1532 |
T{ |
|
1533 |
T}@T{ |
|
1534 |
<= 7680 |
|
1535 |
T}@T{ |
|
1536 |
SHA384withRSA |
|
1537 |
T} |
|
1538 |
T{ |
|
1539 |
T}@T{ |
|
1540 |
> 7680 |
|
1541 |
T}@T{ |
|
1542 |
SHA512withRSA |
|
1543 |
T} |
|
1544 |
T{ |
|
1545 |
EC |
|
1546 |
T}@T{ |
|
1547 |
< 384 |
|
1548 |
T}@T{ |
|
1549 |
SHA256withECDSA |
|
1550 |
T} |
|
1551 |
T{ |
|
1552 |
T}@T{ |
|
1553 |
< 512 |
|
1554 |
T}@T{ |
|
1555 |
SHA384withECDSA |
|
1556 |
T} |
|
1557 |
T{ |
|
1558 |
T}@T{ |
|
1559 |
= 512 |
|
1560 |
T}@T{ |
|
1561 |
SHA512withECDSA |
|
1562 |
T} |
|
1563 |
.TE |
|
1564 |
.PP |
|
1565 |
\f[B]Note:\f[R] |
|
1566 |
.PP |
|
1567 |
To improve out of the box security, default key size and signature |
|
1568 |
algorithm names are periodically updated to stronger values with each |
|
1569 |
release of the JDK. |
|
1570 |
If interoperability with older releases of the JDK is important, make |
|
1571 |
sure that the defaults are supported by those releases. |
|
1572 |
Alternatively, you can use the \f[CB]\-keysize\f[R] or \f[CB]\-sigalg\f[R] |
|
1573 |
options to override the default values at your own risk. |
|
1574 |
.SH SUPPORTED NAMED EXTENSIONS |
|
1575 |
.PP |
|
1576 |
The \f[CB]keytool\f[R] command supports these named extensions. |
|
1577 |
The names aren\[aq]t case\-sensitive. |
|
21743 | 1578 |
.TP |
55140 | 1579 |
.B \f[CB]BC\f[R] or \f[CB]BasicContraints\f[R] |
1580 |
Values: |
|
1581 |
.RS |
|
1582 |
.PP |
|
1583 |
The full form is |
|
1584 |
\f[CB]ca:\f[R]{\f[CB]true\f[R]|\f[CB]false\f[R]}[\f[CB],pathlen:\f[R]\f[I]len\f[R]] |
|
1585 |
or \f[I]len\f[R], which is short for |
|
1586 |
\f[CB]ca:true,pathlen:\f[R]\f[I]len\f[R]. |
|
1587 |
.PP |
|
1588 |
When \f[I]len\f[R] is omitted, the resulting value is \f[CB]ca:true\f[R]. |
|
1589 |
.RE |
|
1590 |
.TP |
|
1591 |
.B \f[CB]KU\f[R] or \f[CB]KeyUsage\f[R] |
|
1592 |
Values: |
|
1593 |
.RS |
|
1594 |
.PP |
|
1595 |
\f[I]usage\f[R](\f[CB],\f[R] \f[I]usage\f[R])* |
|
21743 | 1596 |
.PP |
55140 | 1597 |
\f[I]usage\f[R] can be one of the following: |
1598 |
.IP \[bu] 2 |
|
1599 |
\f[CB]digitalSignature\f[R] |
|
1600 |
.IP \[bu] 2 |
|
1601 |
\f[CB]nonRepudiation\f[R] (\f[CB]contentCommitment\f[R]) |
|
1602 |
.IP \[bu] 2 |
|
1603 |
\f[CB]keyEncipherment\f[R] |
|
1604 |
.IP \[bu] 2 |
|
1605 |
\f[CB]dataEncipherment\f[R] |
|
1606 |
.IP \[bu] 2 |
|
1607 |
\f[CB]keyAgreement\f[R] |
|
1608 |
.IP \[bu] 2 |
|
1609 |
\f[CB]keyCertSign\f[R] |
|
1610 |
.IP \[bu] 2 |
|
1611 |
\f[CB]cRLSign\f[R] |
|
1612 |
.IP \[bu] 2 |
|
1613 |
\f[CB]encipherOnly\f[R] |
|
1614 |
.IP \[bu] 2 |
|
1615 |
\f[CB]decipherOnly\f[R] |
|
21743 | 1616 |
.PP |
55140 | 1617 |
Provided there is no ambiguity, the \f[I]usage\f[R] argument can be |
1618 |
abbreviated with the first few letters (such as \f[CB]dig\f[R] for |
|
1619 |
\f[CB]digitalSignature\f[R]) or in camel\-case style (such as \f[CB]dS\f[R] |
|
1620 |
for \f[CB]digitalSignature\f[R] or \f[CB]cRLS\f[R] for \f[CB]cRLSign\f[R]). |
|
1621 |
The \f[I]usage\f[R] values are case\-sensitive. |
|
1622 |
.RE |
|
1623 |
.TP |
|
1624 |
.B \f[CB]EKU\f[R] or \f[CB]ExtendedKeyUsage\f[R] |
|
1625 |
Values: |
|
1626 |
.RS |
|
1627 |
.PP |
|
1628 |
\f[I]usage\f[R](\f[CB],\f[R] \f[I]usage\f[R])* |
|
21743 | 1629 |
.PP |
55140 | 1630 |
\f[I]usage\f[R] can be one of the following: |
1631 |
.IP \[bu] 2 |
|
1632 |
\f[CB]anyExtendedKeyUsage\f[R] |
|
1633 |
.IP \[bu] 2 |
|
1634 |
\f[CB]serverAuth\f[R] |
|
1635 |
.IP \[bu] 2 |
|
1636 |
\f[CB]clientAuth\f[R] |
|
1637 |
.IP \[bu] 2 |
|
1638 |
\f[CB]codeSigning\f[R] |
|
1639 |
.IP \[bu] 2 |
|
1640 |
\f[CB]emailProtection\f[R] |
|
1641 |
.IP \[bu] 2 |
|
1642 |
\f[CB]timeStamping\f[R] |
|
1643 |
.IP \[bu] 2 |
|
1644 |
\f[CB]OCSPSigning\f[R] |
|
1645 |
.IP \[bu] 2 |
|
1646 |
Any OID string |
|
1647 |
.PP |
|
1648 |
Provided there is no ambiguity, the \f[I]usage\f[R] argument can be |
|
1649 |
abbreviated with the first few letters or in camel\-case style. |
|
1650 |
The \f[I]usage\f[R] values are case\-sensitive. |
|
1651 |
.RE |
|
1652 |
.TP |
|
1653 |
.B \f[CB]SAN\f[R] or \f[CB]SubjectAlternativeName\f[R] |
|
1654 |
Values: |
|
1655 |
.RS |
|
1656 |
.PP |
|
1657 |
\f[I]type\f[R]\f[CB]:\f[R]\f[I]value\f[R](\f[CB],\f[R] |
|
1658 |
\f[I]type\f[R]\f[CB]:\f[R]\f[I]value\f[R])* |
|
21743 | 1659 |
.PP |
55140 | 1660 |
\f[I]type\f[R] can be one of the following: |
1661 |
.IP \[bu] 2 |
|
1662 |
\f[CB]EMAIL\f[R] |
|
1663 |
.IP \[bu] 2 |
|
1664 |
\f[CB]URI\f[R] |
|
1665 |
.IP \[bu] 2 |
|
1666 |
\f[CB]DNS\f[R] |
|
1667 |
.IP \[bu] 2 |
|
1668 |
\f[CB]IP\f[R] |
|
1669 |
.IP \[bu] 2 |
|
1670 |
\f[CB]OID\f[R] |
|
21743 | 1671 |
.PP |
55140 | 1672 |
The \f[I]value\f[R] argument is the string format value for the |
1673 |
\f[I]type\f[R]. |
|
1674 |
.RE |
|
1675 |
.TP |
|
1676 |
.B \f[CB]IAN\f[R] or \f[CB]IssuerAlternativeName\f[R] |
|
1677 |
Values: |
|
1678 |
.RS |
|
21743 | 1679 |
.PP |
55140 | 1680 |
Same as \f[CB]SAN\f[R] or \f[CB]SubjectAlternativeName\f[R]. |
1681 |
.RE |
|
1682 |
.TP |
|
1683 |
.B \f[CB]SIA\f[R] or \f[CB]SubjectInfoAccess\f[R] |
|
1684 |
Values: |
|
1685 |
.RS |
|
1686 |
.PP |
|
1687 |
\f[I]method\f[R]\f[CB]:\f[R]\f[I]location\-type\f[R]\f[CB]:\f[R]\f[I]location\-value\f[R](\f[CB],\f[R] |
|
1688 |
\f[I]method\f[R]\f[CB]:\f[R]\f[I]location\-type\f[R]\f[CB]:\f[R]\f[I]location\-value\f[R])* |
|
1689 |
.PP |
|
1690 |
\f[I]method\f[R] can be one of the following: |
|
1691 |
.IP \[bu] 2 |
|
1692 |
\f[CB]timeStamping\f[R] |
|
1693 |
.IP \[bu] 2 |
|
1694 |
\f[CB]caRepository\f[R] |
|
1695 |
.IP \[bu] 2 |
|
1696 |
Any OID |
|
21743 | 1697 |
.PP |
55140 | 1698 |
The \f[I]location\-type\f[R] and \f[I]location\-value\f[R] arguments can |
1699 |
be any \f[I]type\f[R]\f[CB]:\f[R]\f[I]value\f[R] supported by the |
|
1700 |
\f[CB]SubjectAlternativeName\f[R] extension. |
|
1701 |
.RE |
|
1702 |
.TP |
|
1703 |
.B \f[CB]AIA\f[R] or \f[CB]AuthorityInfoAccess\f[R] |
|
1704 |
Values: |
|
1705 |
.RS |
|
1706 |
.PP |
|
1707 |
Same as \f[CB]SIA\f[R] or \f[CB]SubjectInfoAccess\f[R]. |
|
1708 |
.PP |
|
1709 |
The \f[I]method\f[R] argument can be one of the following: |
|
1710 |
.IP \[bu] 2 |
|
1711 |
\f[CB]ocsp\f[R] |
|
1712 |
.IP \[bu] 2 |
|
1713 |
\f[CB]caIssuers\f[R] |
|
1714 |
.IP \[bu] 2 |
|
1715 |
Any OID |
|
1716 |
.RE |
|
1717 |
.PP |
|
1718 |
When \f[I]name\f[R] is OID, the value is the hexadecimal dumped Definite |
|
1719 |
Encoding Rules (DER) encoding of the \f[CB]extnValue\f[R] for the |
|
1720 |
extension excluding the OCTET STRING type and length bytes. |
|
1721 |
Other than standard hexadecimal numbers (0\-9, a\-f, A\-F), any extra |
|
1722 |
characters are ignored in the HEX string. |
|
1723 |
Therefore, both 01:02:03:04 and 01020304 are accepted as identical |
|
1724 |
values. |
|
1725 |
When there is no value, the extension has an empty value field. |
|
1726 |
.PP |
|
1727 |
A special name \f[CB]honored\f[R], used only in \f[CB]\-gencert\f[R], |
|
1728 |
denotes how the extensions included in the certificate request should be |
|
1729 |
honored. |
|
1730 |
The value for this name is a comma\-separated list of \f[CB]all\f[R] (all |
|
1731 |
requested extensions are honored), |
|
1732 |
\f[I]name\f[R]{\f[CB]:\f[R][\f[CB]critical\f[R]|\f[CB]non\-critical\f[R]]} (the |
|
1733 |
named extension is honored, but it uses a different \f[CB]isCritical\f[R] |
|
1734 |
attribute), and \f[CB]\-name\f[R] (used with \f[CB]all\f[R], denotes an |
|
1735 |
exception). |
|
1736 |
Requested extensions aren\[aq]t honored by default. |
|
21743 | 1737 |
.PP |
55140 | 1738 |
If, besides the\f[CB]\-ext\ honored\f[R] option, another named or OID |
1739 |
\f[CB]\-ext\f[R] option is provided, this extension is added to those |
|
1740 |
already honored. |
|
1741 |
However, if this name (or OID) also appears in the honored value, then |
|
1742 |
its value and criticality override that in the request. |
|
1743 |
If an extension of the same type is provided multiple times through |
|
1744 |
either a name or an OID, only the last extension is used. |
|
1745 |
.PP |
|
1746 |
The \f[CB]subjectKeyIdentifier\f[R] extension is always created. |
|
1747 |
For non\-self\-signed certificates, the \f[CB]authorityKeyIdentifier\f[R] |
|
1748 |
is created. |
|
1749 |
.PP |
|
1750 |
\f[B]CAUTION:\f[R] |
|
1751 |
.PP |
|
1752 |
Users should be aware that some combinations of extensions (and other |
|
1753 |
certificate fields) may not conform to the Internet standard. |
|
1754 |
See \f[B]Certificate Conformance Warning\f[R]. |
|
1755 |
.SH EXAMPLES OF TASKS IN CREATING A KEYSTORE |
|
21743 | 1756 |
.PP |
55140 | 1757 |
The following examples describe the sequence actions in creating a |
1758 |
keystore for managing public/private key pairs and certificates from |
|
1759 |
trusted entities. |
|
1760 |
.IP \[bu] 2 |
|
1761 |
\f[B]Generating the Key Pair\f[R] |
|
1762 |
.IP \[bu] 2 |
|
1763 |
\f[B]Requesting a Signed Certificate from a CA\f[R] |
|
1764 |
.IP \[bu] 2 |
|
1765 |
\f[B]Importing a Certificate for the CA\f[R] |
|
1766 |
.IP \[bu] 2 |
|
1767 |
\f[B]Importing the Certificate Reply from the CA\f[R] |
|
1768 |
.IP \[bu] 2 |
|
1769 |
\f[B]Exporting a Certificate That Authenticates the Public Key\f[R] |
|
1770 |
.IP \[bu] 2 |
|
1771 |
\f[B]Importing the Keystore\f[R] |
|
1772 |
.IP \[bu] 2 |
|
1773 |
\f[B]Generating Certificates for an SSL Server\f[R] |
|
1774 |
.SH GENERATING THE KEY PAIR |
|
1775 |
.PP |
|
1776 |
Create a keystore and then generate the key pair. |
|
21743 | 1777 |
.PP |
55140 | 1778 |
You can enter the command as a single line such as the following: |
1779 |
.RS |
|
1780 |
.PP |
|
1781 |
\f[CB]keytool\ \-genkeypair\ \-dname\ "cn=myname,\ ou=mygroup,\ o=mycompany,\ c=mycountry"\ \-alias\ business\ \-keypass\f[R] |
|
1782 |
\f[I]password\f[R] |
|
1783 |
\f[CB]\-keystore\ /working/mykeystore\ \-storepass\ password\ \-validity\ 180\f[R] |
|
1784 |
.RE |
|
1785 |
.PP |
|
1786 |
The command creates the keystore named \f[CB]mykeystore\f[R] in the |
|
1787 |
working directory (provided it doesn\[aq]t already exist), and assigns |
|
1788 |
it the password specified by \f[CB]\-keypass\f[R]. |
|
1789 |
It generates a public/private key pair for the entity whose |
|
1790 |
distinguished name is \f[CB]myname\f[R], \f[CB]mygroup\f[R], |
|
1791 |
\f[CB]mycompany\f[R], and a two\-letter country code of |
|
1792 |
\f[CB]mycountry\f[R]. |
|
1793 |
It uses the default DSA key generation algorithm to create the keys; |
|
1794 |
both are 2048 bits |
|
1795 |
.PP |
|
1796 |
The command uses the default SHA256withDSA signature algorithm to create |
|
1797 |
a self\-signed certificate that includes the public key and the |
|
1798 |
distinguished name information. |
|
1799 |
The certificate is valid for 180 days, and is associated with the |
|
1800 |
private key in a keystore entry referred to by |
|
1801 |
\f[CB]\-alias\ business\f[R]. |
|
1802 |
The private key is assigned the password specified by |
|
1803 |
\f[CB]\-keypass\f[R]. |
|
1804 |
.PP |
|
1805 |
The command is significantly shorter when the option defaults are |
|
1806 |
accepted. |
|
1807 |
In this case, no options are required, and the defaults are used for |
|
1808 |
unspecified options that have default values. |
|
1809 |
You are prompted for any required values. |
|
1810 |
You could have the following: |
|
1811 |
.RS |
|
1812 |
.PP |
|
1813 |
\f[CB]keytool\ \-genkeypair\f[R] |
|
1814 |
.RE |
|
1815 |
.PP |
|
1816 |
In this case, a keystore entry with the alias \f[CB]mykey\f[R] is created, |
|
1817 |
with a newly generated key pair and a certificate that is valid for 90 |
|
1818 |
days. |
|
1819 |
This entry is placed in your home directory in a keystore named |
|
1820 |
\f[CB]\&.keystore\f[R] . |
|
1821 |
\f[CB]\&.keystore\f[R] is created if it doesn\[aq]t already exist. |
|
1822 |
You are prompted for the distinguished name information, the keystore |
|
1823 |
password, and the private key password. |
|
1824 |
.PP |
|
1825 |
\f[B]Note:\f[R] |
|
1826 |
.PP |
|
1827 |
The rest of the examples assume that you executed the |
|
1828 |
\f[CB]\-genkeypair\f[R] command without specifying options, and that you |
|
1829 |
responded to the prompts with values equal to those specified in the |
|
1830 |
first \f[CB]\-genkeypair\f[R] command. |
|
1831 |
For example, a distinguished name of |
|
1832 |
\f[CB]cn=\f[R]\f[I]myname\f[R]\f[CB],\ ou=\f[R]\f[I]mygroup\f[R]\f[CB],\ o=\f[R]\f[I]mycompany\f[R]\f[CB],\ c=\f[R]\f[I]mycountry\f[R]). |
|
1833 |
.SH REQUESTING A SIGNED CERTIFICATE FROM A CA |
|
1834 |
.PP |
|
1835 |
\f[B]Note:\f[R] |
|
1836 |
.PP |
|
1837 |
Generating the key pair created a self\-signed certificate; however, a |
|
1838 |
certificate is more likely to be trusted by others when it is signed by |
|
1839 |
a CA. |
|
1840 |
.PP |
|
1841 |
To get a CA signature, complete the following process: |
|
1842 |
.IP "1." 3 |
|
1843 |
Generate a CSR: |
|
1844 |
.RS 4 |
|
1845 |
.RS |
|
1846 |
.PP |
|
1847 |
\f[CB]keytool\ \-certreq\ \-file\ myname.csr\f[R] |
|
1848 |
.RE |
|
1849 |
.PP |
|
1850 |
This creates a CSR for the entity identified by the default alias |
|
1851 |
\f[CB]mykey\f[R] and puts the request in the file named |
|
1852 |
\f[CB]myname.csr\f[R]. |
|
1853 |
.RE |
|
1854 |
.IP "2." 3 |
|
1855 |
Submit \f[CB]myname.csr\f[R] to a CA, such as DigiCert. |
|
1856 |
.PP |
|
1857 |
The CA authenticates you, the requestor (usually offline), and returns a |
|
1858 |
certificate, signed by them, authenticating your public key. |
|
1859 |
In some cases, the CA returns a chain of certificates, each one |
|
1860 |
authenticating the public key of the signer of the previous certificate |
|
1861 |
in the chain. |
|
1862 |
.SH IMPORTING A CERTIFICATE FOR THE CA |
|
1863 |
.PP |
|
1864 |
To import a certificate for the CA, complete the following process: |
|
1865 |
.IP "1." 3 |
|
1866 |
Before you import the certificate reply from a CA, you need one or more |
|
1867 |
trusted certificates either in your keystore or in the \f[CB]cacerts\f[R] |
|
1868 |
keystore file. |
|
1869 |
See \f[CB]\-importcert\f[R] in \f[B]Commands\f[R]. |
|
1870 |
.RS 4 |
|
1871 |
.IP \[bu] 2 |
|
1872 |
If the certificate reply is a certificate chain, then you need the top |
|
1873 |
certificate of the chain. |
|
1874 |
The root CA certificate that authenticates the public key of the CA. |
|
1875 |
.IP \[bu] 2 |
|
1876 |
If the certificate reply is a single certificate, then you need a |
|
1877 |
certificate for the issuing CA (the one that signed it). |
|
1878 |
If that certificate isn\[aq]t self\-signed, then you need a certificate |
|
1879 |
for its signer, and so on, up to a self\-signed root CA certificate. |
|
1880 |
.PP |
|
1881 |
The \f[CB]cacerts\f[R] keystore ships with a set of root certificates |
|
1882 |
issued by the CAs of \f[B]the Oracle Java Root Certificate program\f[R] |
|
1883 |
[http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram\-1876540.html]. |
|
1884 |
If you request a signed certificate from a CA, and a certificate |
|
1885 |
authenticating that CA\[aq]s public key hasn\[aq]t been added to |
|
1886 |
\f[CB]cacerts\f[R], then you must import a certificate from that CA as a |
|
1887 |
trusted certificate. |
|
1888 |
.PP |
|
1889 |
A certificate from a CA is usually self\-signed or signed by another CA. |
|
1890 |
If it is signed by another CA, you need a certificate that authenticates |
|
1891 |
that CA\[aq]s public key. |
|
1892 |
.PP |
|
1893 |
For example, you have obtained a \f[I]X\f[R]\f[CB]\&.cer\f[R] file from a |
|
1894 |
company that is a CA and the file is supposed to be a self\-signed |
|
1895 |
certificate that authenticates that CA\[aq]s public key. |
|
1896 |
Before you import it as a trusted certificate, you should ensure that |
|
1897 |
the certificate is valid by: |
|
1898 |
.IP "1." 3 |
|
1899 |
Viewing it with the \f[CB]keytool\ \-printcert\f[R] command or the |
|
1900 |
\f[CB]keytool\ \-importcert\f[R] command without using the |
|
1901 |
\f[CB]\-noprompt\f[R] option. |
|
1902 |
Make sure that the displayed certificate fingerprints match the expected |
|
1903 |
fingerprints. |
|
1904 |
.IP "2." 3 |
|
1905 |
Calling the person who sent the certificate, and comparing the |
|
1906 |
fingerprints that you see with the ones that they show or that a secure |
|
1907 |
public key repository shows. |
|
1908 |
.PP |
|
1909 |
Only when the fingerprints are equal is it assured that the certificate |
|
1910 |
wasn\[aq]t replaced in transit with somebody else\[aq]s certificate |
|
1911 |
(such as an attacker\[aq]s certificate). |
|
1912 |
If such an attack takes place, and you didn\[aq]t check the certificate |
|
1913 |
before you imported it, then you would be trusting anything that the |
|
1914 |
attacker signed. |
|
1915 |
.RE |
|
1916 |
.IP "2." 3 |
|
1917 |
Replace the self\-signed certificate with a certificate chain, where |
|
1918 |
each certificate in the chain authenticates the public key of the signer |
|
1919 |
of the previous certificate in the chain, up to a root CA. |
|
1920 |
.RS 4 |
|
1921 |
.PP |
|
1922 |
If you trust that the certificate is valid, then you can add it to your |
|
1923 |
keystore by entering the following command: |
|
1924 |
.RS |
|
1925 |
.PP |
|
1926 |
\f[CB]keytool\ \-importcert\ \-alias\f[R] \f[I]alias\f[R] |
|
1927 |
\f[CB]\-file\ *X*\f[R].cer` |
|
1928 |
.RE |
|
1929 |
.PP |
|
1930 |
This command creates a trusted certificate entry in the keystore from |
|
1931 |
the data in the CA certificate file and assigns the values of the |
|
1932 |
\f[I]alias\f[R] to the entry. |
|
1933 |
.RE |
|
1934 |
.SH IMPORTING THE CERTIFICATE REPLY FROM THE CA |
|
1935 |
.PP |
|
1936 |
After you import a certificate that authenticates the public key of the |
|
1937 |
CA that you submitted your certificate signing request to (or there is |
|
1938 |
already such a certificate in the \f[CB]cacerts\f[R] file), you can import |
|
1939 |
the certificate reply and replace your self\-signed certificate with a |
|
1940 |
certificate chain. |
|
1941 |
.PP |
|
1942 |
The certificate chain is one of the following: |
|
1943 |
.IP \[bu] 2 |
|
1944 |
Returned by the CA when the CA reply is a chain. |
|
1945 |
.IP \[bu] 2 |
|
1946 |
Constructed when the CA reply is a single certificate. |
|
1947 |
This certificate chain is constructed by using the certificate reply and |
|
1948 |
trusted certificates available either in the keystore where you import |
|
1949 |
the reply or in the \f[CB]cacerts\f[R] keystore file. |
|
1950 |
.PP |
|
1951 |
For example, if you sent your certificate signing request to DigiCert, |
|
1952 |
then you can import their reply by entering the following command: |
|
1953 |
.PP |
|
1954 |
\f[B]Note:\f[R] |
|
1955 |
.PP |
|
1956 |
In this example, the returned certificate is named |
|
1957 |
\f[CB]DCmyname.cer\f[R]. |
|
1958 |
.RS |
|
1959 |
.PP |
|
1960 |
\f[CB]keytool\ \-importcert\ \-trustcacerts\ \-file\ DCmyname.cer\f[R] |
|
1961 |
.RE |
|
1962 |
.SH EXPORTING A CERTIFICATE THAT AUTHENTICATES THE PUBLIC KEY |
|
1963 |
.PP |
|
1964 |
\f[B]Note:\f[R] |
|
1965 |
.PP |
|
1966 |
If you used the \f[CB]jarsigner\f[R] command to sign a Java Archive (JAR) |
|
1967 |
file, then clients that use the file will want to authenticate your |
|
1968 |
signature. |
|
1969 |
.PP |
|
1970 |
One way that clients can authenticate you is by importing your public |
|
1971 |
key certificate into their keystore as a trusted entry. |
|
1972 |
You can then export the certificate and supply it to your clients. |
|
1973 |
.PP |
|
1974 |
For example: |
|
1975 |
.IP "1." 3 |
|
1976 |
Copy your certificate to a file named \f[CB]myname.cer\f[R] by entering |
|
1977 |
the following command: |
|
1978 |
.RS 4 |
|
1979 |
.PP |
|
1980 |
\f[B]Note:\f[R] |
|
1981 |
.PP |
|
1982 |
In this example, the entry has an alias of \f[CB]mykey\f[R]. |
|
1983 |
.RS |
|
1984 |
.PP |
|
1985 |
\f[CB]keytool\ \-exportcert\ \-alias\ mykey\ \-file\ myname.cer\f[R] |
|
1986 |
.RE |
|
1987 |
.RE |
|
1988 |
.IP "2." 3 |
|
1989 |
With the certificate and the signed JAR file, a client can use the |
|
1990 |
\f[CB]jarsigner\f[R] command to authenticate your signature. |
|
1991 |
.SH IMPORTING THE KEYSTORE |
|
1992 |
.PP |
|
1993 |
Use the \f[CB]importkeystore\f[R] command to import an entire keystore |
|
1994 |
into another keystore. |
|
1995 |
This imports all entries from the source keystore, including keys and |
|
1996 |
certificates, to the destination keystore with a single command. |
|
1997 |
You can use this command to import entries from a different type of |
|
1998 |
keystore. |
|
1999 |
During the import, all new entries in the destination keystore will have |
|
2000 |
the same alias names and protection passwords (for secret keys and |
|
2001 |
private keys). |
|
2002 |
If the \f[CB]keytool\f[R] command can\[aq]t recover the private keys or |
|
2003 |
secret keys from the source keystore, then it prompts you for a |
|
2004 |
password. |
|
2005 |
If it detects alias duplication, then it asks you for a new alias, and |
|
2006 |
you can specify a new alias or simply allow the \f[CB]keytool\f[R] command |
|
2007 |
to overwrite the existing one. |
|
2008 |
.PP |
|
2009 |
For example, import entries from a typical JKS type keystore |
|
2010 |
\f[CB]key.jks\f[R] into a PKCS #11 type hardware\-based keystore, by |
|
2011 |
entering the following command: |
|
2012 |
.RS |
|
2013 |
.PP |
|
2014 |
\f[CB]keytool\ \-importkeystore\ \-srckeystore\ key.jks\ \-destkeystore\ NONE\ \-srcstoretype\ JKS\ \-deststoretype\ PKCS11\ \-srcstorepass\f[R] |
|
2015 |
\f[I]password\f[R] \f[CB]\-deststorepass\f[R] \f[I]password\f[R] |
|
2016 |
.RE |
|
2017 |
.PP |
|
2018 |
The \f[CB]importkeystore\f[R] command can also be used to import a single |
|
2019 |
entry from a source keystore to a destination keystore. |
|
2020 |
In this case, besides the options you used in the previous example, you |
|
2021 |
need to specify the alias you want to import. |
|
2022 |
With the \f[CB]\-srcalias\f[R] option specified, you can also specify the |
|
2023 |
destination alias name, protection password for a secret or private key, |
|
2024 |
and the destination protection password you want as follows: |
|
2025 |
.RS |
|
2026 |
.PP |
|
2027 |
\f[CB]keytool\ \-importkeystore\ \-srckeystore\ key.jks\ \-destkeystore\ NONE\ \-srcstoretype\ JKS\ \-deststoretype\ PKCS11\ \-srcstorepass\f[R] |
|
2028 |
\f[I]password\f[R] \f[CB]\-deststorepass\f[R] \f[I]password\f[R] |
|
2029 |
\f[CB]\-srcalias\ myprivatekey\ \-destalias\ myoldprivatekey\ \-srckeypass\f[R] |
|
2030 |
\f[I]password\f[R] \f[CB]\-destkeypass\f[R] \f[I]password\f[R] |
|
2031 |
\f[CB]\-noprompt\f[R] |
|
2032 |
.RE |
|
2033 |
.SH GENERATING CERTIFICATES FOR AN SSL SERVER |
|
2034 |
.PP |
|
2035 |
The following are \f[CB]keytool\f[R] commands used to generate key pairs |
|
2036 |
and certificates for three entities: |
|
2037 |
.IP \[bu] 2 |
|
2038 |
Root CA (\f[CB]root\f[R]) |
|
2039 |
.IP \[bu] 2 |
|
2040 |
Intermediate CA (\f[CB]ca\f[R]) |
|
2041 |
.IP \[bu] 2 |
|
2042 |
SSL server (\f[CB]server\f[R]) |
|
2043 |
.PP |
|
2044 |
Ensure that you store all the certificates in the same keystore. |
|
2045 |
In the following examples, RSA is the recommended the key algorithm. |
|
2046 |
.IP |
|
2047 |
.nf |
|
2048 |
\f[CB] |
|
2049 |
keytool\ \-genkeypair\ \-keystore\ root.jks\ \-alias\ root\ \-ext\ bc:c |
|
2050 |
keytool\ \-genkeypair\ \-keystore\ ca.jks\ \-alias\ ca\ \-ext\ bc:c |
|
2051 |
keytool\ \-genkeypair\ \-keystore\ server.jks\ \-alias\ server |
|
12047 | 2052 |
|
55140 | 2053 |
keytool\ \-keystore\ root.jks\ \-alias\ root\ \-exportcert\ \-rfc\ >\ root.pem |
12047 | 2054 |
|
55140 | 2055 |
keytool\ \-storepass\ password\ \-keystore\ ca.jks\ \-certreq\ \-alias\ ca\ | |
2056 |
\ \ \ \ keytool\ \-storepass\ password\ \-keystore\ root.jks |
|
2057 |
\ \ \ \ \-gencert\ \-alias\ root\ \-ext\ BC=0\ \-rfc\ >\ ca.pem |
|
2058 |
keytool\ \-keystore\ ca.jks\ \-importcert\ \-alias\ ca\ \-file\ ca.pem |
|
12047 | 2059 |
|
55140 | 2060 |
keytool\ \-storepass\ password\ \-keystore\ server.jks\ \-certreq\ \-alias\ server\ | |
2061 |
\ \ \ \ keytool\ \-storepass\ password\ \-keystore\ ca.jks\ \-gencert\ \-alias\ ca |
|
2062 |
\ \ \ \ \-ext\ ku:c=dig,kE\ \-rfc\ >\ server.pem |
|
2063 |
cat\ root.pem\ ca.pem\ server.pem\ | |
|
2064 |
\ \ \ \ keytool\ \-keystore\ server.jks\ \-importcert\ \-alias\ server |
|
2065 |
\f[R] |
|
2066 |
.fi |
|
2067 |
.SH TERMS |
|
2068 |
.TP |
|
2069 |
.B Keystore |
|
2070 |
A keystore is a storage facility for cryptographic keys and |
|
2071 |
certificates. |
|
2072 |
.RS |
|
2073 |
.RE |
|
2074 |
.TP |
|
2075 |
.B Keystore entries |
|
2076 |
Keystores can have different types of entries. |
|
2077 |
The two most applicable entry types for the \f[CB]keytool\f[R] command |
|
2078 |
include the following: |
|
2079 |
.RS |
|
2080 |
.PP |
|
2081 |
Key entries: Each entry holds very sensitive cryptographic key |
|
2082 |
information, which is stored in a protected format to prevent |
|
2083 |
unauthorized access. |
|
2084 |
Typically, a key stored in this type of entry is a secret key, or a |
|
2085 |
private key accompanied by the certificate chain for the corresponding |
|
2086 |
public key. |
|
2087 |
See \f[B]Certificate Chains\f[R]. |
|
2088 |
The \f[CB]keytool\f[R] command can handle both types of entries, while the |
|
2089 |
\f[CB]jarsigner\f[R] tool only handles the latter type of entry, that is |
|
2090 |
private keys and their associated certificate chains. |
|
2091 |
.PP |
|
2092 |
Trusted certificate entries: Each entry contains a single public key |
|
2093 |
certificate that belongs to another party. |
|
2094 |
The entry is called a trusted certificate because the keystore owner |
|
2095 |
trusts that the public key in the certificate belongs to the identity |
|
2096 |
identified by the subject (owner) of the certificate. |
|
2097 |
The issuer of the certificate vouches for this, by signing the |
|
2098 |
certificate. |
|
2099 |
.RE |
|
2100 |
.TP |
|
2101 |
.B Keystore aliases |
|
2102 |
All keystore entries (key and trusted certificate entries) are accessed |
|
2103 |
by way of unique aliases. |
|
2104 |
.RS |
|
2105 |
.PP |
|
2106 |
An alias is specified when you add an entity to the keystore with the |
|
2107 |
\f[CB]\-genseckey\f[R] command to generate a secret key, the |
|
2108 |
\f[CB]\-genkeypair\f[R] command to generate a key pair (public and private |
|
2109 |
key), or the \f[CB]\-importcert\f[R] command to add a certificate or |
|
2110 |
certificate chain to the list of trusted certificates. |
|
2111 |
Subsequent \f[CB]keytool\f[R] commands must use this same alias to refer |
|
2112 |
to the entity. |
|
2113 |
.PP |
|
2114 |
For example, you can use the alias \f[CB]duke\f[R] to generate a new |
|
2115 |
public/private key pair and wrap the public key into a self\-signed |
|
2116 |
certificate with the following command. |
|
2117 |
See \f[B]Certificate Chains\f[R]. |
|
2118 |
.RS |
|
2119 |
.PP |
|
2120 |
\f[CB]keytool\ \-genkeypair\ \-alias\ duke\ \-keypass\f[R] \f[I]passwd\f[R] |
|
2121 |
.RE |
|
2122 |
.PP |
|
2123 |
This example specifies an initial \f[I]passwd\f[R] required by subsequent |
|
2124 |
commands to access the private key associated with the alias |
|
2125 |
\f[CB]duke\f[R]. |
|
2126 |
If you later want to change Duke\[aq]s private key password, use a |
|
2127 |
command such as the following: |
|
2128 |
.RS |
|
2129 |
.PP |
|
2130 |
\f[CB]keytool\ \-keypasswd\ \-alias\ duke\ \-keypass\f[R] \f[I]passwd\f[R] |
|
2131 |
\f[CB]\-new\f[R] \f[I]newpasswd\f[R] |
|
2132 |
.RE |
|
2133 |
.PP |
|
2134 |
This changes the initial \f[I]passwd\f[R] to \f[I]newpasswd\f[R]. |
|
2135 |
A password shouldn\[aq]t be specified on a command line or in a script |
|
2136 |
unless it is for testing purposes, or you are on a secure system. |
|
2137 |
If you don\[aq]t specify a required password option on a command line, |
|
2138 |
then you are prompted for it. |
|
2139 |
.RE |
|
2140 |
.TP |
|
2141 |
.B Keystore implementation |
|
2142 |
The \f[CB]KeyStore\f[R] class provided in the \f[CB]java.security\f[R] |
|
2143 |
package supplies well\-defined interfaces to access and modify the |
|
2144 |
information in a keystore. |
|
2145 |
It is possible for there to be multiple different concrete |
|
2146 |
implementations, where each implementation is that for a particular type |
|
2147 |
of keystore. |
|
2148 |
.RS |
|
2149 |
.PP |
|
2150 |
Currently, two command\-line tools (\f[CB]keytool\f[R] and |
|
2151 |
\f[CB]jarsigner\f[R]) make use of keystore implementations. |
|
2152 |
Because the \f[CB]KeyStore\f[R] class is \f[CB]public\f[R], users can write |
|
2153 |
additional security applications that use it. |
|
2154 |
.PP |
|
2155 |
In JDK 9 and later, the default keystore implementation is |
|
2156 |
\f[CB]PKCS12\f[R]. |
|
2157 |
This is a cross platform keystore based on the RSA PKCS12 Personal |
|
2158 |
Information Exchange Syntax Standard. |
|
2159 |
This standard is primarily meant for storing or transporting a |
|
2160 |
user\[aq]s private keys, certificates, and miscellaneous secrets. |
|
2161 |
There is another built\-in implementation, provided by Oracle. |
|
2162 |
It implements the keystore as a file with a proprietary keystore type |
|
2163 |
(format) named \f[CB]JKS\f[R]. |
|
2164 |
It protects each private key with its individual password, and also |
|
2165 |
protects the integrity of the entire keystore with a (possibly |
|
2166 |
different) password. |
|
2167 |
.PP |
|
2168 |
Keystore implementations are provider\-based. |
|
2169 |
More specifically, the application interfaces supplied by |
|
2170 |
\f[CB]KeyStore\f[R] are implemented in terms of a Service Provider |
|
2171 |
Interface (SPI). |
|
2172 |
That is, there is a corresponding abstract \f[CB]KeystoreSpi\f[R] class, |
|
2173 |
also in the \f[CB]java.security\ package\f[R], which defines the Service |
|
2174 |
Provider Interface methods that providers must implement. |
|
2175 |
The term \f[I]provider\f[R] refers to a package or a set of packages that |
|
2176 |
supply a concrete implementation of a subset of services that can be |
|
2177 |
accessed by the Java Security API. |
|
2178 |
To provide a keystore implementation, clients must implement a provider |
|
2179 |
and supply a \f[CB]KeystoreSpi\f[R] subclass implementation, as described |
|
2180 |
in Steps to Implement and Integrate a Provider. |
|
2181 |
.PP |
|
2182 |
Applications can choose different types of keystore implementations from |
|
2183 |
different providers, using the \f[CB]getInstance\f[R] factory method |
|
2184 |
supplied in the \f[CB]KeyStore\f[R] class. |
|
2185 |
A keystore type defines the storage and data format of the keystore |
|
2186 |
information, and the algorithms used to protect private/secret keys in |
|
2187 |
the keystore and the integrity of the keystore. |
|
2188 |
Keystore implementations of different types aren\[aq]t compatible. |
|
2189 |
.PP |
|
2190 |
The \f[CB]keytool\f[R] command works on any file\-based keystore |
|
2191 |
implementation. |
|
2192 |
It treats the keystore location that is passed to it at the command line |
|
2193 |
as a file name and converts it to a \f[CB]FileInputStream\f[R], from which |
|
2194 |
it loads the keystore information.)The \f[CB]jarsigner\f[R] commands can |
|
2195 |
read a keystore from any location that can be specified with a URL. |
|
2196 |
.PP |
|
2197 |
For \f[CB]keytool\f[R] and \f[CB]jarsigner\f[R], you can specify a keystore |
|
2198 |
type at the command line, with the \f[CB]\-storetype\f[R] option. |
|
2199 |
.PP |
|
2200 |
If you don\[aq]t explicitly specify a keystore type, then the tools |
|
2201 |
choose a keystore implementation based on the value of the |
|
2202 |
\f[CB]keystore.type\f[R] property specified in the security properties |
|
2203 |
file. |
|
2204 |
The security properties file is called \f[CB]java.security\f[R], and |
|
2205 |
resides in the security properties directory: |
|
2206 |
.IP \[bu] 2 |
|
2207 |
\f[B]Oracle Solaris, Linux, and OS X:\f[R] |
|
2208 |
\f[CB]java.home/lib/security\f[R] |
|
2209 |
.IP \[bu] 2 |
|
2210 |
\f[B]Windows:\f[R] \f[CB]java.home\\lib\\security\f[R] |
|
2211 |
.PP |
|
2212 |
Each tool gets the \f[CB]keystore.type\f[R] value and then examines all |
|
2213 |
the currently installed providers until it finds one that implements a |
|
2214 |
keystores of that type. |
|
2215 |
It then uses the keystore implementation from that provider.The |
|
2216 |
\f[CB]KeyStore\f[R] class defines a static method named |
|
2217 |
\f[CB]getDefaultType\f[R] that lets applications retrieve the value of the |
|
2218 |
\f[CB]keystore.type\f[R] property. |
|
2219 |
The following line of code creates an instance of the default keystore |
|
2220 |
type as specified in the \f[CB]keystore.type\f[R] property: |
|
2221 |
.RS |
|
2222 |
.PP |
|
2223 |
\f[CB]KeyStore\ keyStore\ =\ KeyStore.getInstance(KeyStore.getDefaultType());\f[R] |
|
2224 |
.RE |
|
2225 |
.PP |
|
2226 |
The default keystore type is \f[CB]pkcs12\f[R], which is a cross\-platform |
|
2227 |
keystore based on the RSA PKCS12 Personal Information Exchange Syntax |
|
2228 |
Standard. |
|
2229 |
This is specified by the following line in the security properties file: |
|
2230 |
.RS |
|
2231 |
.PP |
|
2232 |
\f[CB]keystore.type=pkcs12\f[R] |
|
2233 |
.RE |
|
2234 |
.PP |
|
2235 |
To have the tools utilize a keystore implementation other than the |
|
2236 |
default, you can change that line to specify a different keystore type. |
|
2237 |
For example, if you want to use the Oracle\[aq]s \f[CB]jks\f[R] keystore |
|
2238 |
implementation, then change the line to the following: |
|
2239 |
.RS |
|
2240 |
.PP |
|
2241 |
\f[CB]keystore.type=jks\f[R] |
|
2242 |
.RE |
|
2243 |
.PP |
|
2244 |
\f[B]Note:\f[R] |
|
2245 |
.PP |
|
2246 |
Case doesn\[aq]t matter in keystore type designations. |
|
2247 |
For example, \f[CB]JKS\f[R] would be considered the same as \f[CB]jks\f[R]. |
|
2248 |
.RE |
|
2249 |
.TP |
|
2250 |
.B Certificate |
|
2251 |
A certificate (or public\-key certificate) is a digitally signed |
|
2252 |
statement from one entity (the issuer), saying that the public key and |
|
2253 |
some other information of another entity (the subject) has some specific |
|
2254 |
value. |
|
2255 |
The following terms are related to certificates: |
|
2256 |
.RS |
|
2257 |
.IP \[bu] 2 |
|
2258 |
Public Keys: These are numbers associated with a particular entity, and |
|
2259 |
are intended to be known to everyone who needs to have trusted |
|
2260 |
interactions with that entity. |
|
2261 |
Public keys are used to verify signatures. |
|
2262 |
.IP \[bu] 2 |
|
2263 |
Digitally Signed: If some data is digitally signed, then it is stored |
|
2264 |
with the identity of an entity and a signature that proves that entity |
|
2265 |
knows about the data. |
|
2266 |
The data is rendered unforgeable by signing with the entity\[aq]s |
|
2267 |
private key. |
|
2268 |
.IP \[bu] 2 |
|
2269 |
Identity: A known way of addressing an entity. |
|
2270 |
In some systems, the identity is the public key, and in others it can be |
|
2271 |
anything from an Oracle Solaris UID to an email address to an X.509 |
|
2272 |
distinguished name. |
|
2273 |
.IP \[bu] 2 |
|
2274 |
Signature: A signature is computed over some data using the private key |
|
2275 |
of an entity. |
|
2276 |
The signer, which in the case of a certificate is also known as the |
|
2277 |
issuer. |
|
2278 |
.IP \[bu] 2 |
|
2279 |
Private Keys: These are numbers, each of which is supposed to be known |
|
2280 |
only to the particular entity whose private key it is (that is, it is |
|
2281 |
supposed to be kept secret). |
|
2282 |
Private and public keys exist in pairs in all public key cryptography |
|
2283 |
systems (also referred to as public key crypto systems). |
|
2284 |
In a typical public key crypto system, such as DSA, a private key |
|
2285 |
corresponds to exactly one public key. |
|
2286 |
Private keys are used to compute signatures. |
|
2287 |
.IP \[bu] 2 |
|
2288 |
Entity: An entity is a person, organization, program, computer, |
|
2289 |
business, bank, or something else you are trusting to some degree. |
|
2290 |
.PP |
|
2291 |
Public key cryptography requires access to users\[aq] public keys. |
|
2292 |
In a large\-scale networked environment, it is impossible to guarantee |
|
2293 |
that prior relationships between communicating entities were established |
|
2294 |
or that a trusted repository exists with all used public keys. |
|
2295 |
Certificates were invented as a solution to this public key distribution |
|
2296 |
problem. |
|
2297 |
Now a Certification Authority (CA) can act as a trusted third party. |
|
2298 |
CAs are entities such as businesses that are trusted to sign (issue) |
|
2299 |
certificates for other entities. |
|
2300 |
It is assumed that CAs only create valid and reliable certificates |
|
2301 |
because they are bound by legal agreements. |
|
2302 |
There are many public Certification Authorities, such as DigiCert, |
|
2303 |
Comodo, Entrust, and so on. |
|
2304 |
.PP |
|
2305 |
You can also run your own Certification Authority using products such as |
|
2306 |
Microsoft Certificate Server or the Entrust CA product for your |
|
2307 |
organization. |
|
2308 |
With the \f[CB]keytool\f[R] command, it is possible to display, import, |
|
2309 |
and export certificates. |
|
2310 |
It is also possible to generate self\-signed certificates. |
|
2311 |
.PP |
|
2312 |
The \f[CB]keytool\f[R] command currently handles X.509 certificates. |
|
2313 |
.RE |
|
2314 |
.TP |
|
2315 |
.B X.509 Certificates |
|
2316 |
The X.509 standard defines what information can go into a certificate |
|
2317 |
and describes how to write it down (the data format). |
|
2318 |
All the data in a certificate is encoded with two related standards |
|
2319 |
called ASN.1/DER. |
|
2320 |
Abstract Syntax Notation 1 describes data. |
|
2321 |
The Definite Encoding Rules describe a single way to store and transfer |
|
2322 |
that data. |
|
2323 |
.RS |
|
2324 |
.PP |
|
2325 |
All X.509 certificates have the following data, in addition to the |
|
2326 |
signature: |
|
2327 |
.IP \[bu] 2 |
|
2328 |
Version: This identifies which version of the X.509 standard applies to |
|
2329 |
this certificate, which affects what information can be specified in it. |
|
2330 |
Thus far, three versions are defined. |
|
2331 |
The \f[CB]keytool\f[R] command can import and export v1, v2, and v3 |
|
2332 |
certificates. |
|
2333 |
It generates v3 certificates. |
|
2334 |
.RS 2 |
|
2335 |
.IP \[bu] 2 |
|
2336 |
X.509 Version 1 has been available since 1988, is widely deployed, and |
|
2337 |
is the most generic. |
|
2338 |
.IP \[bu] 2 |
|
2339 |
X.509 Version 2 introduced the concept of subject and issuer unique |
|
2340 |
identifiers to handle the possibility of reuse of subject or issuer |
|
2341 |
names over time. |
|
2342 |
Most certificate profile documents strongly recommend that names not be |
|
2343 |
reused and that certificates shouldn\[aq]t make use of unique |
|
2344 |
identifiers. |
|
2345 |
Version 2 certificates aren\[aq]t widely used. |
|
2346 |
.IP \[bu] 2 |
|
2347 |
X.509 Version 3 is the most recent (1996) and supports the notion of |
|
2348 |
extensions where anyone can define an extension and include it in the |
|
2349 |
certificate. |
|
2350 |
Some common extensions are: KeyUsage (limits the use of the keys to |
|
2351 |
particular purposes such as \f[CB]signing\-only\f[R]) and AlternativeNames |
|
2352 |
(allows other identities to also be associated with this public key, for |
|
2353 |
example. |
|
2354 |
DNS names, email addresses, IP addresses). |
|
2355 |
Extensions can be marked critical to indicate that the extension should |
|
2356 |
be checked and enforced or used. |
|
2357 |
For example, if a certificate has the KeyUsage extension marked critical |
|
2358 |
and set to \f[CB]keyCertSign\f[R], then when this certificate is presented |
|
2359 |
during SSL communication, it should be rejected because the certificate |
|
2360 |
extension indicates that the associated private key should only be used |
|
2361 |
for signing certificates and not for SSL use. |
|
2362 |
.RE |
|
2363 |
.IP \[bu] 2 |
|
2364 |
Serial number: The entity that created the certificate is responsible |
|
2365 |
for assigning it a serial number to distinguish it from other |
|
2366 |
certificates it issues. |
|
2367 |
This information is used in numerous ways. |
|
2368 |
For example, when a certificate is revoked its serial number is placed |
|
2369 |
in a Certificate Revocation List (CRL). |
|
2370 |
.IP \[bu] 2 |
|
2371 |
Signature algorithm identifier: This identifies the algorithm used by |
|
2372 |
the CA to sign the certificate. |
|
2373 |
.IP \[bu] 2 |
|
2374 |
Issuer name: The X.500 Distinguished Name of the entity that signed the |
|
2375 |
certificate. |
|
2376 |
This is typically a CA. |
|
2377 |
Using this certificate implies trusting the entity that signed this |
|
2378 |
certificate. |
|
2379 |
In some cases, such as root or top\-level CA certificates, the issuer |
|
2380 |
signs its own certificate. |
|
2381 |
.IP \[bu] 2 |
|
2382 |
Validity period: Each certificate is valid only for a limited amount of |
|
2383 |
time. |
|
2384 |
This period is described by a start date and time and an end date and |
|
2385 |
time, and can be as short as a few seconds or almost as long as a |
|
2386 |
century. |
|
2387 |
The validity period chosen depends on a number of factors, such as the |
|
2388 |
strength of the private key used to sign the certificate, or the amount |
|
2389 |
one is willing to pay for a certificate. |
|
2390 |
This is the expected period that entities can rely on the public value, |
|
2391 |
when the associated private key has not been compromised. |
|
2392 |
.IP \[bu] 2 |
|
2393 |
Subject name: The name of the entity whose public key the certificate |
|
2394 |
identifies. |
|
2395 |
This name uses the X.500 standard, so it is intended to be unique across |
|
2396 |
the Internet. |
|
2397 |
This is the X.500 Distinguished Name (DN) of the entity. |
|
2398 |
For example, |
|
2399 |
.RS 2 |
|
2400 |
.RS |
|
2401 |
.PP |
|
2402 |
\f[CB]CN=Java\ Duke,\ OU=Java\ Software\ Division,\ O=Oracle\ Corporation,\ C=US\f[R] |
|
2403 |
.RE |
|
2404 |
.PP |
|
2405 |
These refer to the subject\[aq]s common name (CN), organizational unit |
|
2406 |
(OU), organization (O), and country (C). |
|
2407 |
.RE |
|
2408 |
.IP \[bu] 2 |
|
2409 |
Subject public key information: This is the public key of the entity |
|
2410 |
being named with an algorithm identifier that specifies which public key |
|
2411 |
crypto system this key belongs to and any associated key parameters. |
|
2412 |
.RE |
|
2413 |
.TP |
|
2414 |
.B Certificate Chains |
|
2415 |
The \f[CB]keytool\f[R] command can create and manage keystore key entries |
|
2416 |
that each contain a private key and an associated certificate chain. |
|
2417 |
The first certificate in the chain contains the public key that |
|
2418 |
corresponds to the private key. |
|
2419 |
.RS |
|
2420 |
.PP |
|
2421 |
When keys are first generated, the chain starts off containing a single |
|
2422 |
element, a self\-signed certificate. |
|
2423 |
See \-genkeypair in \f[B]Commands\f[R]. |
|
2424 |
A self\-signed certificate is one for which the issuer (signer) is the |
|
2425 |
same as the subject. |
|
2426 |
The subject is the entity whose public key is being authenticated by the |
|
2427 |
certificate. |
|
2428 |
Whenever the \f[CB]\-genkeypair\f[R] command is called to generate a new |
|
2429 |
public/private key pair, it also wraps the public key into a |
|
2430 |
self\-signed certificate. |
|
2431 |
.PP |
|
2432 |
Later, after a Certificate Signing Request (CSR) was generated with the |
|
2433 |
\f[CB]\-certreq\f[R] command and sent to a Certification Authority (CA), |
|
2434 |
the response from the CA is imported with \f[CB]\-importcert\f[R], and the |
|
2435 |
self\-signed certificate is replaced by a chain of certificates. |
|
2436 |
At the bottom of the chain is the certificate (reply) issued by the CA |
|
2437 |
authenticating the subject\[aq]s public key. |
|
2438 |
The next certificate in the chain is one that authenticates the CA\[aq]s |
|
2439 |
public key. |
|
2440 |
.PP |
|
2441 |
In many cases, this is a self\-signed certificate, which is a |
|
2442 |
certificate from the CA authenticating its own public key, and the last |
|
2443 |
certificate in the chain. |
|
2444 |
In other cases, the CA might return a chain of certificates. |
|
2445 |
In this case, the bottom certificate in the chain is the same (a |
|
2446 |
certificate signed by the CA, authenticating the public key of the key |
|
2447 |
entry), but the second certificate in the chain is a certificate signed |
|
2448 |
by a different CA that authenticates the public key of the CA you sent |
|
2449 |
the CSR to. |
|
2450 |
The next certificate in the chain is a certificate that authenticates |
|
2451 |
the second CA\[aq]s key, and so on, until a self\-signed root |
|
2452 |
certificate is reached. |
|
2453 |
Each certificate in the chain (after the first) authenticates the public |
|
2454 |
key of the signer of the previous certificate in the chain. |
|
2455 |
.PP |
|
2456 |
Many CAs only return the issued certificate, with no supporting chain, |
|
2457 |
especially when there is a flat hierarchy (no intermediates CAs). |
|
2458 |
In this case, the certificate chain must be established from trusted |
|
2459 |
certificate information already stored in the keystore. |
|
2460 |
.PP |
|
2461 |
A different reply format (defined by the PKCS #7 standard) includes the |
|
2462 |
supporting certificate chain in addition to the issued certificate. |
|
2463 |
Both reply formats can be handled by the \f[CB]keytool\f[R] command. |
|
2464 |
.PP |
|
2465 |
The top\-level (root) CA certificate is self\-signed. |
|
2466 |
However, the trust into the root\[aq]s public key doesn\[aq]t come from |
|
2467 |
the root certificate itself, but from other sources such as a newspaper. |
|
2468 |
This is because anybody could generate a self\-signed certificate with |
|
2469 |
the distinguished name of, for example, the DigiCert root CA. |
|
2470 |
The root CA public key is widely known. |
|
2471 |
The only reason it is stored in a certificate is because this is the |
|
2472 |
format understood by most tools, so the certificate in this case is only |
|
2473 |
used as a vehicle to transport the root CA\[aq]s public key. |
|
2474 |
Before you add the root CA certificate to your keystore, you should view |
|
2475 |
it with the \f[CB]\-printcert\f[R] option and compare the displayed |
|
2476 |
fingerprint with the well\-known fingerprint obtained from a newspaper, |
|
2477 |
the root CA\[aq]s Web page, and so on. |
|
2478 |
.RE |
|
2479 |
.TP |
|
2480 |
.B cacerts Certificates File |
|
2481 |
A certificates file named \f[CB]cacerts\f[R] resides in the security |
|
2482 |
properties directory: |
|
2483 |
.RS |
|
2484 |
.IP \[bu] 2 |
|
2485 |
\f[B]Oracle Solaris, Linux, and OS X:\f[R] |
|
2486 |
\f[I]JAVA_HOME\f[R]\f[CB]/lib/security\f[R] |
|
2487 |
.IP \[bu] 2 |
|
2488 |
\f[B]Windows:\f[R] \f[I]JAVA_HOME\f[R]\f[CB]\\lib\\security\f[R] |
|
2489 |
.PP |
|
2490 |
\f[I]JAVA_HOME\f[R] is the runtime environment directory, which is the |
|
2491 |
\f[CB]jre\f[R] directory in the JDK or the top\-level directory of the |
|
2492 |
Java Runtime Environment (JRE). |
|
2493 |
.PP |
|
2494 |
The \f[CB]cacerts\f[R] file represents a system\-wide keystore with CA |
|
2495 |
certificates. |
|
2496 |
System administrators can configure and manage that file with the |
|
2497 |
\f[CB]keytool\f[R] command by specifying \f[CB]jks\f[R] as the keystore |
|
2498 |
type. |
|
2499 |
The \f[CB]cacerts\f[R] keystore file ships with a default set of root CA |
|
2500 |
certificates. |
|
2501 |
For Oracle Solaris, Linux, OS X, and Windows, you can list the default |
|
2502 |
certificates with the following command: |
|
2503 |
.RS |
|
2504 |
.PP |
|
2505 |
\f[CB]keytool\ \-list\ \-cacerts\f[R] |
|
2506 |
.RE |
|
2507 |
.PP |
|
2508 |
The initial password of the \f[CB]cacerts\f[R] keystore file is |
|
2509 |
\f[CB]changeit\f[R]. |
|
2510 |
System administrators should change that password and the default access |
|
2511 |
permission of that file upon installing the SDK. |
|
2512 |
.PP |
|
2513 |
\f[B]Note:\f[R] |
|
2514 |
.PP |
|
2515 |
It is important to verify your \f[CB]cacerts\f[R] file. |
|
2516 |
Because you trust the CAs in the \f[CB]cacerts\f[R] file as entities for |
|
2517 |
signing and issuing certificates to other entities, you must manage the |
|
2518 |
\f[CB]cacerts\f[R] file carefully. |
|
2519 |
The \f[CB]cacerts\f[R] file should contain only certificates of the CAs |
|
2520 |
you trust. |
|
2521 |
It is your responsibility to verify the trusted root CA certificates |
|
2522 |
bundled in the \f[CB]cacerts\f[R] file and make your own trust decisions. |
|
2523 |
.PP |
|
2524 |
To remove an untrusted CA certificate from the \f[CB]cacerts\f[R] file, |
|
2525 |
use the \f[CB]\-delete\f[R] option of the \f[CB]keytool\f[R] command. |
|
2526 |
You can find the \f[CB]cacerts\f[R] file in the JRE installation |
|
2527 |
directory. |
|
2528 |
Contact your system administrator if you don\[aq]t have permission to |
|
2529 |
edit this file |
|
2530 |
.RE |
|
2531 |
.TP |
|
2532 |
.B Internet RFC 1421 Certificate Encoding Standard |
|
2533 |
Certificates are often stored using the printable encoding format |
|
2534 |
defined by the Internet RFC 1421 standard, instead of their binary |
|
2535 |
encoding. |
|
2536 |
This certificate format, also known as Base64 encoding, makes it easy to |
|
2537 |
export certificates to other applications by email or through some other |
|
2538 |
mechanism. |
|
2539 |
.RS |
|
2540 |
.PP |
|
2541 |
Certificates read by the \f[CB]\-importcert\f[R] and \f[CB]\-printcert\f[R] |
|
2542 |
commands can be in either this format or binary encoded. |
|
2543 |
The \f[CB]\-exportcert\f[R] command by default outputs a certificate in |
|
2544 |
binary encoding, but will instead output a certificate in the printable |
|
2545 |
encoding format, when the \f[CB]\-rfc\f[R] option is specified. |
|
2546 |
.PP |
|
2547 |
The \f[CB]\-list\f[R] command by default prints the SHA\-256 fingerprint |
|
2548 |
of a certificate. |
|
2549 |
If the \f[CB]\-v\f[R] option is specified, then the certificate is printed |
|
2550 |
in human\-readable format. |
|
2551 |
If the \f[CB]\-rfc\f[R] option is specified, then the certificate is |
|
2552 |
output in the printable encoding format. |
|
2553 |
.PP |
|
2554 |
In its printable encoding format, the encoded certificate is bounded at |
|
2555 |
the beginning and end by the following text: |
|
2556 |
.IP |
|
2557 |
.nf |
|
2558 |
\f[CB] |
|
2559 |
\-\-\-\-\-BEGIN\ CERTIFICATE\-\-\-\-\- |
|
21743 | 2560 |
|
55140 | 2561 |
encoded\ certificate\ goes\ here. |
21743 | 2562 |
|
55140 | 2563 |
\-\-\-\-\-END\ CERTIFICATE\-\-\-\-\- |
2564 |
\f[R] |
|
2565 |
.fi |
|
2566 |
.RE |
|
2567 |
.TP |
|
2568 |
.B X.500 Distinguished Names |
|
2569 |
X.500 Distinguished Names are used to identify entities, such as those |
|
2570 |
that are named by the \f[CB]subject\f[R] and \f[CB]issuer\f[R] (signer) |
|
2571 |
fields of X.509 certificates. |
|
2572 |
The \f[CB]keytool\f[R] command supports the following subparts: |
|
2573 |
.RS |
|
2574 |
.IP \[bu] 2 |
|
2575 |
commonName: The common name of a person such as Susan Jones. |
|
2576 |
.IP \[bu] 2 |
|
2577 |
organizationUnit: The small organization (such as department or |
|
2578 |
division) name. |
|
2579 |
For example, Purchasing. |
|
2580 |
.IP \[bu] 2 |
|
2581 |
localityName: The locality (city) name, for example, Palo Alto. |
|
2582 |
.IP \[bu] 2 |
|
2583 |
stateName: State or province name, for example, California. |
|
2584 |
.IP \[bu] 2 |
|
2585 |
country: Two\-letter country code, for example, CH. |
|
2586 |
.PP |
|
2587 |
When you supply a distinguished name string as the value of a |
|
2588 |
\f[CB]\-dname\f[R] option, such as for the \f[CB]\-genkeypair\f[R] command, |
|
2589 |
the string must be in the following format: |
|
2590 |
.RS |
|
2591 |
.PP |
|
2592 |
\f[CB]CN=cName,\ OU=orgUnit,\ O=org,\ L=city,\ S=state,\ C=countryCode\f[R] |
|
2593 |
.RE |
|
2594 |
.PP |
|
2595 |
All the following items represent actual values and the previous |
|
2596 |
keywords are abbreviations for the following: |
|
2597 |
.IP |
|
2598 |
.nf |
|
2599 |
\f[CB] |
|
2600 |
CN=commonName |
|
2601 |
OU=organizationUnit |
|
2602 |
O=organizationName |
|
2603 |
L=localityName |
|
2604 |
S=stateName |
|
2605 |
C=country |
|
2606 |
\f[R] |
|
2607 |
.fi |
|
2608 |
.PP |
|
21743 | 2609 |
A sample distinguished name string is: |
55140 | 2610 |
.RS |
2611 |
.PP |
|
2612 |
\f[CB]CN=Mark\ Smith,\ OU=Java,\ O=Oracle,\ L=Cupertino,\ S=California,\ C=US\f[R] |
|
2613 |
.RE |
|
2614 |
.PP |
|
21743 | 2615 |
A sample command using such a string is: |
55140 | 2616 |
.RS |
2617 |
.PP |
|
2618 |
\f[CB]keytool\ \-genkeypair\ \-dname\ "CN=Mark\ Smith,\ OU=Java,\ O=Oracle,\ L=Cupertino,\ S=California,\ C=US"\ \-alias\ mark\f[R] |
|
2619 |
.RE |
|
2620 |
.PP |
|
2621 |
Case doesn\[aq]t matter for the keyword abbreviations. |
|
2622 |
For example, CN, cn, and Cn are all treated the same. |
|
2623 |
.PP |
|
2624 |
Order matters; each subcomponent must appear in the designated order. |
|
2625 |
However, it isn\[aq]t necessary to have all the subcomponents. |
|
2626 |
You can use a subset, for example: |
|
2627 |
.RS |
|
2628 |
.PP |
|
2629 |
\f[CB]CN=Smith,\ OU=Java,\ O=Oracle,\ C=US\f[R] |
|
2630 |
.RE |
|
2631 |
.PP |
|
2632 |
If a distinguished name string value contains a comma, then the comma |
|
2633 |
must be escaped by a backslash (\\) character when you specify the |
|
2634 |
string on a command line, as in: |
|
2635 |
.RS |
|
2636 |
.PP |
|
2637 |
\f[CB]cn=Jack,\ ou=Java\\,\ Product\ Development,\ o=Oracle,\ c=US\f[R] |
|
2638 |
.RE |
|
2639 |
.PP |
|
2640 |
It is never necessary to specify a distinguished name string on a |
|
2641 |
command line. |
|
2642 |
When the distinguished name is needed for a command, but not supplied on |
|
2643 |
the command line, the user is prompted for each of the subcomponents. |
|
2644 |
In this case, a comma doesn\[aq]t need to be escaped by a backslash |
|
2645 |
(\\). |
|
2646 |
.RE |
|
2647 |
.SH WARNINGS |
|
2648 |
.SH IMPORTING TRUSTED CERTIFICATES WARNING |
|
2649 |
.PP |
|
2650 |
\f[B]Important\f[R]: Be sure to check a certificate very carefully before |
|
2651 |
importing it as a trusted certificate. |
|
2652 |
.PP |
|
2653 |
\f[B]Windows Example:\f[R] |
|
2654 |
.PP |
|
2655 |
View the certificate first with the \f[CB]\-printcert\f[R] command or the |
|
2656 |
\f[CB]\-importcert\f[R] command without the \f[CB]\-noprompt\f[R] option. |
|
2657 |
Ensure that the displayed certificate fingerprints match the expected |
|
2658 |
ones. |
|
2659 |
For example, suppose someone sends or emails you a certificate that you |
|
2660 |
put it in a file named \f[CB]\\tmp\\cert\f[R]. |
|
2661 |
Before you consider adding the certificate to your list of trusted |
|
2662 |
certificates, you can execute a \f[CB]\-printcert\f[R] command to view its |
|
2663 |
fingerprints, as follows: |
|
2664 |
.IP |
|
2665 |
.nf |
|
2666 |
\f[CB] |
|
2667 |
\ \ keytool\ \-printcert\ \-file\ \\tmp\\cert |
|
2668 |
\ \ \ \ Owner:\ CN=ll,\ OU=ll,\ O=ll,\ L=ll,\ S=ll,\ C=ll |
|
2669 |
\ \ \ \ Issuer:\ CN=ll,\ OU=ll,\ O=ll,\ L=ll,\ S=ll,\ C=ll |
|
2670 |
\ \ \ \ Serial\ Number:\ 59092b34 |
|
2671 |
\ \ \ \ Valid\ from:\ Thu\ Jun\ 24\ 18:01:13\ PDT\ 2016\ until:\ Wed\ Jun\ 23\ 17:01:13\ PST\ 2016 |
|
2672 |
\ \ \ \ Certificate\ Fingerprints: |
|
12047 | 2673 |
|
55140 | 2674 |
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ SHA\-1:\ 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:13:0E:5E:FE |
2675 |
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ SHA\-256:\ 90:7B:70:0A:EA:DC:16:79:92:99:41:FF:8A:FE:EB:90: |
|
2676 |
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ 17:75:E0:90:B2:24:4D:3A:2A:16:A6:E4:11:0F:67:A4 |
|
2677 |
\f[R] |
|
2678 |
.fi |
|
2679 |
.PP |
|
2680 |
\f[B]Oracle Solaris Example:\f[R] |
|
21743 | 2681 |
.PP |
55140 | 2682 |
View the certificate first with the \f[CB]\-printcert\f[R] command or the |
2683 |
\f[CB]\-importcert\f[R] command without the \f[CB]\-noprompt\f[R] option. |
|
2684 |
Ensure that the displayed certificate fingerprints match the expected |
|
2685 |
ones. |
|
2686 |
For example, suppose someone sends or emails you a certificate that you |
|
2687 |
put it in a file named \f[CB]/tmp/cert\f[R]. |
|
2688 |
Before you consider adding the certificate to your list of trusted |
|
2689 |
certificates, you can execute a \f[CB]\-printcert\f[R] command to view its |
|
2690 |
fingerprints, as follows: |
|
2691 |
.IP |
|
2692 |
.nf |
|
2693 |
\f[CB] |
|
2694 |
\ \ keytool\ \-printcert\ \-file\ /tmp/cert |
|
2695 |
\ \ \ \ Owner:\ CN=ll,\ OU=ll,\ O=ll,\ L=ll,\ S=ll,\ C=ll |
|
2696 |
\ \ \ \ Issuer:\ CN=ll,\ OU=ll,\ O=ll,\ L=ll,\ S=ll,\ C=ll |
|
2697 |
\ \ \ \ Serial\ Number:\ 59092b34 |
|
2698 |
\ \ \ \ Valid\ from:\ Thu\ Jun\ 24\ 18:01:13\ PDT\ 2016\ until:\ Wed\ Jun\ 23\ 17:01:13\ PST\ 2016 |
|
2699 |
\ \ \ \ Certificate\ Fingerprints: |
|
12047 | 2700 |
|
55140 | 2701 |
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ SHA\-1:\ 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:13:0E:5E:FE |
2702 |
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ SHA\-256:\ 90:7B:70:0A:EA:DC:16:79:92:99:41:FF:8A:FE:EB:90: |
|
2703 |
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ 17:75:E0:90:B2:24:4D:3A:2A:16:A6:E4:11:0F:67:A4 |
|
2704 |
\f[R] |
|
2705 |
.fi |
|
2706 |
.PP |
|
2707 |
Then call or otherwise contact the person who sent the certificate and |
|
2708 |
compare the fingerprints that you see with the ones that they show. |
|
2709 |
Only when the fingerprints are equal is it guaranteed that the |
|
2710 |
certificate wasn\[aq]t replaced in transit with somebody else\[aq]s |
|
2711 |
certificate such as an attacker\[aq]s certificate. |
|
2712 |
If such an attack took place, and you didn\[aq]t check the certificate |
|
2713 |
before you imported it, then you would be trusting anything the attacker |
|
2714 |
signed, for example, a JAR file with malicious class files inside. |
|
2715 |
.PP |
|
2716 |
\f[B]Note:\f[R] |
|
2717 |
.PP |
|
2718 |
It isn\[aq]t required that you execute a \f[CB]\-printcert\f[R] command |
|
2719 |
before importing a certificate. |
|
2720 |
This is because before you add a certificate to the list of trusted |
|
2721 |
certificates in the keystore, the \f[CB]\-importcert\f[R] command prints |
|
2722 |
out the certificate information and prompts you to verify it. |
|
2723 |
You can then stop the import operation. |
|
2724 |
However, you can do this only when you call the \f[CB]\-importcert\f[R] |
|
2725 |
command without the \f[CB]\-noprompt\f[R] option. |
|
2726 |
If the \f[CB]\-noprompt\f[R] option is specified, then there is no |
|
2727 |
interaction with the user. |
|
2728 |
.SH PASSWORDS WARNING |
|
2729 |
.PP |
|
2730 |
Most commands that operate on a keystore require the store password. |
|
2731 |
Some commands require a private/secret key password. |
|
2732 |
Passwords can be specified on the command line in the |
|
2733 |
\f[CB]\-storepass\f[R] and \f[CB]\-keypass\f[R] options. |
|
2734 |
However, a password shouldn\[aq]t be specified on a command line or in a |
|
2735 |
script unless it is for testing, or you are on a secure system. |
|
2736 |
When you don\[aq]t specify a required password option on a command line, |
|
2737 |
you are prompted for it. |
|
2738 |
.SH CERTIFICATE CONFORMANCE WARNING |
|
2739 |
.PP |
|
2740 |
\f[B]Internet X.509 Public Key Infrastructure Certificate and |
|
2741 |
Certificate Revocation List (CRL) Profile\f[R] |
|
2742 |
[https://tools.ietf.org/rfc/rfc5280.txt] defined a profile on conforming |
|
2743 |
X.509 certificates, which includes what values and value combinations |
|
2744 |
are valid for certificate fields and extensions. |
|
2745 |
.PP |
|
2746 |
The \f[CB]keytool\f[R] command doesn\[aq]t enforce all of these rules so |
|
2747 |
it can generate certificates that don\[aq]t conform to the standard, |
|
2748 |
such as self\-signed certificates that would be used for internal |
|
2749 |
testing purposes. |
|
2750 |
Certificates that don\[aq]t conform to the standard might be rejected by |
|
2751 |
JRE or other applications. |
|
2752 |
Users should ensure that they provide the correct options for |
|
2753 |
\f[CB]\-dname\f[R], \f[CB]\-ext\f[R], and so on. |
|
2754 |
.SH IMPORT A NEW TRUSTED CERTIFICATE |
|
2755 |
.PP |
|
2756 |
Before you add the certificate to the keystore, the \f[CB]keytool\f[R] |
|
2757 |
command verifies it by attempting to construct a chain of trust from |
|
2758 |
that certificate to a self\-signed certificate (belonging to a root CA), |
|
2759 |
using trusted certificates that are already available in the keystore. |
|
21743 | 2760 |
.PP |
55140 | 2761 |
If the \f[CB]\-trustcacerts\f[R] option was specified, then additional |
2762 |
certificates are considered for the chain of trust, namely the |
|
2763 |
certificates in a file named \f[CB]cacerts\f[R]. |
|
2764 |
.PP |
|
2765 |
If the \f[CB]keytool\f[R] command fails to establish a trust path from the |
|
2766 |
certificate to be imported up to a self\-signed certificate (either from |
|
2767 |
the keystore or the \f[CB]cacerts\f[R] file), then the certificate |
|
2768 |
information is printed, and the user is prompted to verify it by |
|
2769 |
comparing the displayed certificate fingerprints with the fingerprints |
|
2770 |
obtained from some other (trusted) source of information, which might be |
|
2771 |
the certificate owner. |
|
2772 |
Be very careful to ensure the certificate is valid before importing it |
|
2773 |
as a trusted certificate. |
|
2774 |
The user then has the option of stopping the import operation. |
|
2775 |
If the \f[CB]\-noprompt\f[R] option is specified, then there is no |
|
2776 |
interaction with the user. |
|
2777 |
.SH IMPORT A CERTIFICATE REPLY |
|
2778 |
.PP |
|
2779 |
When you import a certificate reply, the certificate reply is validated |
|
2780 |
with trusted certificates from the keystore, and optionally, the |
|
2781 |
certificates configured in the \f[CB]cacerts\f[R] keystore file when the |
|
2782 |
\f[CB]\-trustcacerts\f[R] option is specified. |
|
21743 | 2783 |
.PP |
55140 | 2784 |
The methods of determining whether the certificate reply is trusted are |
2785 |
as follows: |
|
2786 |
.IP \[bu] 2 |
|
2787 |
If the reply is a single X.509 certificate, then the \f[CB]keytool\f[R] |
|
2788 |
command attempts to establish a trust chain, starting at the certificate |
|
2789 |
reply and ending at a self\-signed certificate (belonging to a root CA). |
|
2790 |
The certificate reply and the hierarchy of certificates is used to |
|
2791 |
authenticate the certificate reply from the new certificate chain of |
|
2792 |
aliases. |
|
2793 |
If a trust chain can\[aq]t be established, then the certificate reply |
|
2794 |
isn\[aq]t imported. |
|
2795 |
In this case, the \f[CB]keytool\f[R] command doesn\[aq]t print the |
|
2796 |
certificate and prompt the user to verify it, because it is very |
|
2797 |
difficult for a user to determine the authenticity of the certificate |
|
2798 |
reply. |
|
2799 |
.IP \[bu] 2 |
|
2800 |
If the reply is a PKCS #7 formatted certificate chain or a sequence of |
|
2801 |
X.509 certificates, then the chain is ordered with the user certificate |
|
2802 |
first followed by zero or more CA certificates. |
|
2803 |
If the chain ends with a self\-signed root CA certificate and |
|
2804 |
the\f[CB]\-trustcacerts\f[R] option was specified, the \f[CB]keytool\f[R] |
|
2805 |
command attempts to match it with any of the trusted certificates in the |
|
2806 |
keystore or the \f[CB]cacerts\f[R] keystore file. |
|
2807 |
If the chain doesn\[aq]t end with a self\-signed root CA certificate and |
|
2808 |
the \f[CB]\-trustcacerts\f[R] option was specified, the \f[CB]keytool\f[R] |
|
2809 |
command tries to find one from the trusted certificates in the keystore |
|
2810 |
or the \f[CB]cacerts\f[R] keystore file and add it to the end of the |
|
2811 |
chain. |
|
2812 |
If the certificate isn\[aq]t found and the \f[CB]\-noprompt\f[R] option |
|
2813 |
isn\[aq]t specified, the information of the last certificate in the |
|
2814 |
chain is printed, and the user is prompted to verify it. |
|
21743 | 2815 |
.PP |
55140 | 2816 |
If the public key in the certificate reply matches the user\[aq]s public |
2817 |
key already stored with \f[CB]alias\f[R], then the old certificate chain |
|
2818 |
is replaced with the new certificate chain in the reply. |
|
2819 |
The old chain can only be replaced with a valid \f[CB]keypass\f[R], and so |
|
2820 |
the password used to protect the private key of the entry is supplied. |
|
2821 |
If no password is provided, and the private key password is different |
|
2822 |
from the keystore password, the user is prompted for it. |
|
21743 | 2823 |
.PP |
55140 | 2824 |
This command was named \f[CB]\-import\f[R] in earlier releases. |
2825 |
This old name is still supported in this release. |
|
2826 |
The new name, \f[CB]\-importcert\f[R], is preferred. |