--- a/jdk/src/solaris/doc/sun/man/man1/keytool.1 Fri Jul 09 19:18:32 2010 -0700
+++ b/jdk/src/solaris/doc/sun/man/man1/keytool.1 Wed Jul 14 15:42:06 2010 -0700
@@ -1,4 +1,4 @@
-." Copyright 2002-2006 Sun Microsystems, Inc. All Rights Reserved.
+." Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
." DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
."
." This code is free software; you can redistribute it and/or modify it
@@ -19,8 +19,7 @@
." or visit www.oracle.com if you need additional information or have any
." questions.
."
-.TH keytool 1 "04 May 2009"
-." Generated from HTML by html2man (author: Eric Armstrong)
+.TH keytool 1 "02 Jun 2010"
.LP
.SH "Name"
@@ -150,7 +149,9 @@
.fl
\-keysize
.fl
- 1024 (when using \fP\f3\-genkeypair\fP\f3)
+ 2048 (when using \fP\f3\-genkeypair\fP\f3 and \-keyalg is "RSA")
+.fl
+ 1024 (when using \fP\f3\-genkeypair\fP\f3 and \-keyalg is "DSA")
.fl
56 (when using \fP\f3\-genseckey\fP\f3 and \-keyalg is "DES")
.fl
@@ -186,7 +187,7 @@
.fi
.LP
-In generating a public/private key pair, the signature algorithm (\f2\-sigalg\fP option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the \f2\-sigalg\fP option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", \f2\-sigalg\fP defaults to "SHA1withRSA". Please consult the
+In generating a public/private key pair, the signature algorithm (\f2\-sigalg\fP option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the \f2\-sigalg\fP option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", \f2\-sigalg\fP defaults to "SHA256withRSA". Please consult the
.na
\f2Java Cryptography Architecture API Specification & Reference\fP @
.fi
@@ -477,7 +478,7 @@
.nr 41 \n(80+(3*\n(38)
.nr 81 +\n(41
.nr TW \n(81
-.if t .if \n(TW>\n(.li .tm Table at line 288 file Input is too wide - \n(TW units
+.if t .if \n(TW>\n(.li .tm Table at line 289 file Input is too wide - \n(TW units
.fc
.nr #T 0-1
.nr #a 0-1
@@ -664,6 +665,9 @@
.LP
The subjectKeyIdentifier extension is always created. For non self\-signed certificates, the authorityKeyIdentifier is always created.
.LP
+.LP
+\f3Note:\fP Users should be aware that some combinations of extensions (and other certificate fields) may not conform to the Internet standard. See Warning Regarding Certificate Conformance for details.
+.LP
.RE
.RE
.RE
@@ -679,12 +683,14 @@
.LP
.RS 3
.TP 3
-\-gencert {\-infile infile} {\-outfile outfile} {\-ext ext}* {\-rfc} {\-alias alias} {\-sigalg sigalg} {\-validity valDays} {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] [\-keypass keypass] {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
+\-gencert {\-infile infile} {\-outfile outfile} {\-dname dname} {\-ext ext}* {\-rfc} {\-alias alias} {\-sigalg sigalg} {\-validity valDays} {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] [\-keypass keypass] {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
.LP
Generates a certificate as a response to a certificate request file (which can be created by the \f2keytool \-certreq\fP command). The command reads the request from infile (if omitted, from the standard input), signs it using alias's private key, and output the X.509 certificate into outfile (if omitted, to the standard output). If \f2\-rfc\fP is specified, output format is BASE64\-encoded PEM; otherwise, a binary DER is created.
.LP
\f2sigalg\fP specifies the algorithm that should be used to sign the certificate. valDays tells the number of days for which the certificate should be considered valid.
.LP
+If \f2dname\fP is provided, it's used as the subject of the generated certificate. Otherwise, the one from the certificate request is used.
+.LP
\f2ext\fP shows what X.509 extensions will be embedded in the certificate. Read Common Options for the grammar of \f2\-ext\fP.
.TP 3
\-genkeypair {\-alias alias} {\-keyalg keyalg} {\-keysize keysize} {\-sigalg sigalg} [\-dname dname] [\-keypass keypass] {\-startdate value} {\-validity valDays} {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
@@ -845,13 +851,13 @@
.LP
.RS 3
.TP 3
-\-certreq {\-alias alias} {\-sigalg sigalg} {\-file certreq_file} [\-keypass keypass] {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] {\-providerName provider_name} {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
+\-certreq {\-alias alias} {\-dname dname} {\-sigalg sigalg} {\-file certreq_file} [\-keypass keypass] {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] {\-providerName provider_name} {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
.LP
Generates a Certificate Signing Request (CSR), using the PKCS#10 format.
.LP
A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off\-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self\-signed certificate) in the keystore.
.LP
-The private key and X.500 Distinguished Name associated with \f2alias\fP are used to create the PKCS#10 certificate request. In order to access the private key, the appropriate password must be provided, since private keys are protected in the keystore with a password. If \f2keypass\fP is not provided at the command line, and is different from the password used to protect the integrity of the keystore, the user is prompted for it.
+The private key associated with \f2alias\fP is used to create the PKCS#10 certificate request. In order to access the private key, the appropriate password must be provided, since private keys are protected in the keystore with a password. If \f2keypass\fP is not provided at the command line, and is different from the password used to protect the integrity of the keystore, the user is prompted for it. If dname is provided, it's used as the subject in the CSR. Otherwise, the X.500 Distinguished Name associated with alias is used.
.LP
\f2sigalg\fP specifies the algorithm that should be used to sign the CSR.
.LP
@@ -2069,6 +2075,10 @@
.fl
SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:13:0E:5E:FE
.fl
+ SHA256: 90:7B:70:0A:EA:DC:16:79:92:99:41:FF:8A:FE:EB:90:
+.fl
+ 17:75:E0:90:B2:24:4D:3A:2A:16:A6:E4:11:0F:67:A4
+.fl
\fP
.fi
@@ -2094,6 +2104,20 @@
If you don't specify a required password option on a command line, you will be prompted for it.
.LP
.RE
+.SS
+Warning Regarding Certificate Conformance
+.LP
+.RS 3
+
+.LP
+.LP
+The Internet standard
+.na
+\f2RFC 5280\fP @
+.fi
+http://tools.ietf.org/rfc/rfc5280.txt has defined a profile on conforming X.509 certificates, which includes what values and value combinations are valid for certificate fields and extensions. \f3keytool\fP has not enforced all these rules so it can generate certificates which do not conform to the standard, and these certificates might be rejected by JRE or other applications. Users should make sure that they provide the correct options for \f2\-dname\fP, \f2\-ext\fP, etc.
+.LP
+.RE
.SH "SEE ALSO"
.LP
@@ -2176,6 +2200,4 @@
.RE
.LP
-
-.LP