jdk-sandbox: comparison jdk/src/solaris/doc/sun/man/man1/keytool.1

equal deleted inserted replaced

-:bad7bbf42755
+:345bc8d65b19
-.'" t
+." Copyright 2002-2006 Sun Microsystems, Inc.  All Rights Reserved.
-." Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 ." DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 ."
 ." This code is free software; you can redistribute it and/or modify it
 ." under the terms of the GNU General Public License version 2 only, as
 ." published by the Free Software Foundation.
 ." Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 ."
 ." Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
 ." CA 95054 USA or visit www.sun.com if you need additional information or
 ." have any questions.
-." `
+."
-.TH keytool 1 "07 Aug 2006"
+.TH keytool 1 "04 May 2009"
-." Generated by html2man
+." Generated from HTML by html2man (author: Eric Armstrong)
 .LP
-.SH NAME
+.SH "Name"
 keytool \- Key and Certificate Management Tool
 .LP
 .RS 3
 .LP
 .fl
 \-validity 90
 .fl
 .fl
-\-keystore \fP\f4the file named \fP\f4.keystore\fP\f3 in the user's home directory\fP\f3
+\-keystore the file named \fP\f4.keystore\fP\f3 in the user's home directory
 .fl
 .fl
-\-storetype \fP\f4the value of the "keystore.type" property in the security properties file,
+\-storetype the value of the "keystore.type" property in the security properties file,
 .fl
-which is returned by the static \fP\f4getDefaultType\fP\f3 method in \fP\f4java.security.KeyStore\fP\f3
+which is returned by the static \fP\f4getDefaultType\fP\f3 method in
 .fl
+\fP\f4java.security.KeyStore\fP\f3
 .fl
-\-file \fP\f4stdin if reading, stdout if writing\fP\f3
+.fl
+\-file stdin if reading, stdout if writing
 .fl
 .fl
 \-protected false
 .fl
 .fl
 \fP
 .fi
 .LP
-In generating a public/private key pair, the signature algorithm (\f2\-sigalg\fP option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the \f2\-sigalg\fP option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", \f2\-sigalg\fP defaults to "MD5withRSA". Please consult the
+In generating a public/private key pair, the signature algorithm (\f2\-sigalg\fP option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the \f2\-sigalg\fP option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", \f2\-sigalg\fP defaults to "SHA1withRSA". Please consult the
 .na
 \f2Java Cryptography Architecture API Specification & Reference\fP @
 .fi
 http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA for a full list of \f2\-keyalg\fP and \f2\-sigalg\fP you can choose from.
 .RE
 Common Options
 .LP
 .RS 3
 .LP
-The \f2\-v\fP option can appear for all commands except \f2\-help\fP. If it appears, it signifies "verbose" mode; more information will be output.
+The \f2\-v\fP option can appear for all commands except \f2\-help\fP. If it appears, it signifies "verbose" mode; more information will be provided in the output.
 .LP
 There is also a \f2\-J\fP\f2javaoption\fP option that may appear for any command. If it appears, the specified \f2javaoption\fP string is passed through directly to the Java interpreter. This option should not contain any spaces. It is useful for adjusting the execution environment or memory usage. For a list of possible interpreter options, type \f2java \-h\fP or \f2java \-X\fP at the command line.
 .LP
 .LP
 These options may appear for all commands operating on a keystore:
 \-providerArg provider_arg
 Used in conjunction with \f2\-providerClass\fP. Represents an optional string input argument for the constructor of \f2provider_class_name\fP.
 .TP 3
 \-protected
 Either \f2true\fP or \f2false\fP. This value should be specified as \f2true\fP if a password must be given via a protected authentication path such as a dedicated PIN reader.
-.RE
+.LP
+Note: Since there are two keystores involved in \f2\-importkeystore\fP command, two options, namely, \f2\-srcprotected\fP and \f2\-destprotected\fP are provided for the source keystore and the destination keystore respectively.
-.LP
+.TP 3
+\-ext {name{:critical}{=value}}
+Denotes an X.509 certificate extension. The option can be used in \f2\-genkeypair\fP and \f2\-gencert\fP to embed extensions into the certificate generated, or in \f2\-certreq\fP to show what extensions are requested in the certificate request. The option can appear multiple times. name can be a supported extension name (see below) or an arbitrary OID number. value, if provided, denotes the parameter for the extension; if omitted, denotes the default value (if defined) of the extension or the extension requires no parameter. The \f2":critical"\fP modifier, if provided, means the extension's isCritical attribute is true; otherwise, false.
+.RS 3
+.LP
+.LP
+Currently keytool supports these named extensions (case\-insensitive):
+.LP
+.LP
+.TS
+.if \n+(b.=1 .nr d. \n(.c-\n(c.-1
+.de 35
+.ps \n(.s
+.vs \n(.vu
+.in \n(.iu
+.if \n(.u .fi
+.if \n(.j .ad
+.if \n(.j=0 .na
+..
+.nf
+.nr #~ 0
+.if n .nr #~ 0.6n
+.ds #d .d
+.if \(ts\n(.z\(ts\(ts .ds #d nl
+.fc
+.nr 33 \n(.s
+.rm 80 81
+.nr 34 \n(.lu
+.eo
+.am 81
+.br
+.di a+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(81 .ll \n(81u
+.in 0
+The full form: "ca:{true|false}[,pathlen:<len>]"; or, <len>, a shorthand for "ca:true,pathlen:<len>"; or omitted, means "ca:true"
+.br
+.di
+.nr a| \n(dn
+.nr a- \n(dl
+..
+.ec \
+.eo
+.am 81
+.br
+.di b+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(81 .ll \n(81u
+.in 0
+usage(,usage)*, usage can be one of digitalSignature, nonRepudiation (contentCommitment), keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly. Usage can be abbreviated with the first few letters (say, dig for digitalSignature) or in camel\-case style (say, dS for digitalSignature, cRLS for cRLSign), as long as no ambiguity is found. Usage is case\-insensitive.
+.br
+.di
+.nr b| \n(dn
+.nr b- \n(dl
+..
+.ec \
+.eo
+.am 81
+.br
+.di c+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(81 .ll \n(81u
+.in 0
+usage(,usage)*, usage can be one of anyExtendedKeyUsage, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, OCSPSigning, or any OID string. Named usage can be abbreviated with the first few letters or in camel\-case style, as long as no ambiguity is found. Usage is case\-insensitive.
+.br
+.di
+.nr c| \n(dn
+.nr c- \n(dl
+..
+.ec \
+.eo
+.am 80
+.br
+.di d+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(80 .ll \n(80u
+.in 0
+SAN or SubjectAlternativeName
+.br
+.di
+.nr d| \n(dn
+.nr d- \n(dl
+..
+.ec \
+.eo
+.am 81
+.br
+.di e+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(81 .ll \n(81u
+.in 0
+type:value(,type:value)*, type can be EMAIL, URI, DNS, IP, or OID, value is the string format value for the type.
+.br
+.di
+.nr e| \n(dn
+.nr e- \n(dl
+..
+.ec \
+.eo
+.am 80
+.br
+.di f+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(80 .ll \n(80u
+.in 0
+IAN or IssuerAlternativeName
+.br
+.di
+.nr f| \n(dn
+.nr f- \n(dl
+..
+.ec \
+.eo
+.am 81
+.br
+.di g+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(81 .ll \n(81u
+.in 0
+same as SubjectAlternativeName
+.br
+.di
+.nr g| \n(dn
+.nr g- \n(dl
+..
+.ec \
+.eo
+.am 81
+.br
+.di h+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(81 .ll \n(81u
+.in 0
+method:location\-type:location\-value (,method:location\-type:location\-value)*, method can be "timeStamping", "caRepository" or any OID. location\-type and location\-value can be any type:value supported by the SubjectAlternativeName extension.
+.br
+.di
+.nr h| \n(dn
+.nr h- \n(dl
+..
+.ec \
+.eo
+.am 80
+.br
+.di i+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(80 .ll \n(80u
+.in 0
+AIA or AuthorityInfoAccess
+.br
+.di
+.nr i| \n(dn
+.nr i- \n(dl
+..
+.ec \
+.eo
+.am 81
+.br
+.di j+
+.35
+.ft \n(.f
+.ll \n(34u*1u/3u
+.if \n(.l<\n(81 .ll \n(81u
+.in 0
+same as SubjectInfoAccess. method can be "ocsp","caIssuers" or any OID.
+.br
+.di
+.nr j| \n(dn
+.nr j- \n(dl
+..
+.ec \
+.35
+.nf
+.ll \n(34u
+.nr 80 0
+.nr 38 \w\f3Name\fP
+.if \n(80<\n(38 .nr 80 \n(38
+.nr 38 \wBC or BasicConstraints
+.if \n(80<\n(38 .nr 80 \n(38
+.nr 38 \wKU or KeyUsage
+.if \n(80<\n(38 .nr 80 \n(38
+.nr 38 \wEKU or ExtendedkeyUsage
+.if \n(80<\n(38 .nr 80 \n(38
+.nr 38 \wSIA or SubjectInfoAccess
+.if \n(80<\n(38 .nr 80 \n(38
+.80
+.rm 80
+.nr 38 \n(d-
+.if \n(80<\n(38 .nr 80 \n(38
+.nr 38 \n(f-
+.if \n(80<\n(38 .nr 80 \n(38
+.nr 38 \n(i-
+.if \n(80<\n(38 .nr 80 \n(38
+.nr 81 0
+.nr 38 \w\f3Value\fP
+.if \n(81<\n(38 .nr 81 \n(38
+.81
+.rm 81
+.nr 38 \n(a-
+.if \n(81<\n(38 .nr 81 \n(38
+.nr 38 \n(b-
+.if \n(81<\n(38 .nr 81 \n(38
+.nr 38 \n(c-
+.if \n(81<\n(38 .nr 81 \n(38
+.nr 38 \n(e-
+.if \n(81<\n(38 .nr 81 \n(38
+.nr 38 \n(g-
+.if \n(81<\n(38 .nr 81 \n(38
+.nr 38 \n(h-
+.if \n(81<\n(38 .nr 81 \n(38
+.nr 38 \n(j-
+.if \n(81<\n(38 .nr 81 \n(38
+.35
+.nf
+.ll \n(34u
+.nr 38 1n
+.nr 79 0
+.nr 40 \n(79+(0*\n(38)
+.nr 80 +\n(40
+.nr 41 \n(80+(3*\n(38)
+.nr 81 +\n(41
+.nr TW \n(81
+.if t .if \n(TW>\n(.li .tm Table at line 288 file Input is too wide - \n(TW units
+.fc
+.nr #T 0-1
+.nr #a 0-1
+.eo
+.de T#
+.ds #d .d
+.if \(ts\n(.z\(ts\(ts .ds #d nl
+.mk ##
+.nr ## -1v
+.ls 1
+.ls
+..
+.ec
+.ta \n(80u \n(81u
+.nr 31 \n(.f
+.nr 35 1m
+\&\h'|\n(40u'\f3Name\fP\h'|\n(41u'\f3Value\fP
+.ne \n(a|u+\n(.Vu
+.if (\n(a|+\n(#^-1v)>\n(#- .nr #- +(\n(a|+\n(#^-\n(#--1v)
+.ta \n(80u \n(81u
+.nr 31 \n(.f
+.nr 35 1m
+\&\h'|\n(40u'BC or BasicConstraints\h'|\n(41u'
+.mk ##
+.nr 31 \n(##
+.sp |\n(##u-1v
+.nr 37 \n(41u
+.in +\n(37u
+.a+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(31u
+.ne \n(b|u+\n(.Vu
+.if (\n(b|+\n(#^-1v)>\n(#- .nr #- +(\n(b|+\n(#^-\n(#--1v)
+.ta \n(80u \n(81u
+.nr 31 \n(.f
+.nr 35 1m
+\&\h'|\n(40u'KU or KeyUsage\h'|\n(41u'
+.mk ##
+.nr 31 \n(##
+.sp |\n(##u-1v
+.nr 37 \n(41u
+.in +\n(37u
+.b+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(31u
+.ne \n(c|u+\n(.Vu
+.if (\n(c|+\n(#^-1v)>\n(#- .nr #- +(\n(c|+\n(#^-\n(#--1v)
+.ta \n(80u \n(81u
+.nr 31 \n(.f
+.nr 35 1m
+\&\h'|\n(40u'EKU or ExtendedkeyUsage\h'|\n(41u'
+.mk ##
+.nr 31 \n(##
+.sp |\n(##u-1v
+.nr 37 \n(41u
+.in +\n(37u
+.c+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(31u
+.ne \n(d|u+\n(.Vu
+.ne \n(e|u+\n(.Vu
+.if (\n(d|+\n(#^-1v)>\n(#- .nr #- +(\n(d|+\n(#^-\n(#--1v)
+.if (\n(e|+\n(#^-1v)>\n(#- .nr #- +(\n(e|+\n(#^-\n(#--1v)
+.ta \n(80u \n(81u
+.nr 31 \n(.f
+.nr 35 1m
+\&\h'|\n(40u'\h'|\n(41u'
+.mk ##
+.nr 31 \n(##
+.sp |\n(##u-1v
+.nr 37 \n(40u
+.in +\n(37u
+.d+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(##u-1v
+.nr 37 \n(41u
+.in +\n(37u
+.e+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(31u
+.ne \n(f|u+\n(.Vu
+.ne \n(g|u+\n(.Vu
+.if (\n(f|+\n(#^-1v)>\n(#- .nr #- +(\n(f|+\n(#^-\n(#--1v)
+.if (\n(g|+\n(#^-1v)>\n(#- .nr #- +(\n(g|+\n(#^-\n(#--1v)
+.ta \n(80u \n(81u
+.nr 31 \n(.f
+.nr 35 1m
+\&\h'|\n(40u'\h'|\n(41u'
+.mk ##
+.nr 31 \n(##
+.sp |\n(##u-1v
+.nr 37 \n(40u
+.in +\n(37u
+.f+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(##u-1v
+.nr 37 \n(41u
+.in +\n(37u
+.g+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(31u
+.ne \n(h|u+\n(.Vu
+.if (\n(h|+\n(#^-1v)>\n(#- .nr #- +(\n(h|+\n(#^-\n(#--1v)
+.ta \n(80u \n(81u
+.nr 31 \n(.f
+.nr 35 1m
+\&\h'|\n(40u'SIA or SubjectInfoAccess\h'|\n(41u'
+.mk ##
+.nr 31 \n(##
+.sp |\n(##u-1v
+.nr 37 \n(41u
+.in +\n(37u
+.h+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(31u
+.ne \n(i|u+\n(.Vu
+.ne \n(j|u+\n(.Vu
+.if (\n(i|+\n(#^-1v)>\n(#- .nr #- +(\n(i|+\n(#^-\n(#--1v)
+.if (\n(j|+\n(#^-1v)>\n(#- .nr #- +(\n(j|+\n(#^-\n(#--1v)
+.ta \n(80u \n(81u
+.nr 31 \n(.f
+.nr 35 1m
+\&\h'|\n(40u'\h'|\n(41u'
+.mk ##
+.nr 31 \n(##
+.sp |\n(##u-1v
+.nr 37 \n(40u
+.in +\n(37u
+.i+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(##u-1v
+.nr 37 \n(41u
+.in +\n(37u
+.j+
+.in -\n(37u
+.mk 32
+.if \n(32>\n(31 .nr 31 \n(32
+.sp |\n(31u
+.fc
+.nr T. 1
+.T# 1
+.35
+.rm a+
+.rm b+
+.rm c+
+.rm d+
+.rm e+
+.rm f+
+.rm g+
+.rm h+
+.rm i+
+.rm j+
+.TE
+.if \n-(b.=0 .nr c. \n(.c-\n(d.-38
+.LP
+.LP
+For name as OID, value is the HEX dumped DER encoding of the extnValue for the extension excluding the OCTET STRING type and length bytes. Any extra character other than standard HEX numbers (0\-9, a\-f, A\-F) are ignored in the HEX string. Therefore, both \f2"01:02:03:04"\fP and \f2"01020304"\fP are accepted as identical values. If there's no value, the extension has an empty value field then.
+.LP
+.LP
+A special name \f2"honored"\fP, used in \-gencert only, denotes how the extensions included in the certificate request should be honored. The value for this name is a comma\-seperated list of \f2"all"\fP (all requested extensions are honored), \f2"name{:[critical|non\-critical]}"\fP (the named extension is honored, but using a different isCritical attribute) and \f2"\-name"\fP (used with all, denotes an exception). Requested extensions are not honored by default.
+.LP
+.LP
+If, besides the \-ext honored option, another named or OID \-ext option is provided, this extension will be added to those already honored. However, if this name (or OID) also appears in the honored value, its value and criticality overrides the one in the request.
+.LP
+.LP
+The subjectKeyIdentifier extension is always created. For non self\-signed certificates, the authorityKeyIdentifier is always created.
+.LP
+.RE
+.RE
 .RE
 .SH "COMMANDS"
 .LP
 .LP
 .RS 3
 .LP
 .RS 3
 .TP 3
-\-genkeypair {\-alias alias} {\-keyalg keyalg} {\-keysize keysize} {\-sigalg sigalg} [\-dname dname] [\-keypass keypass] {\-validity valDays} {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
+\-gencert {\-infile infile} {\-outfile outfile} {\-ext ext}* {\-rfc} {\-alias alias} {\-sigalg sigalg} {\-validity valDays} {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] [\-keypass keypass] {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
+.LP
+Generates a certificate as a response to a certificate request file (which can be created by the \f2keytool \-certreq\fP command). The command reads the request from infile (if omitted, from the standard input), signs it using alias's private key, and output the X.509 certificate into outfile (if omitted, to the standard output). If \f2\-rfc\fP is specified, output format is BASE64\-encoded PEM; otherwise, a binary DER is created.
+.LP
+\f2sigalg\fP specifies the algorithm that should be used to sign the certificate. valDays tells the number of days for which the certificate should be considered valid.
+.LP
+\f2ext\fP shows what X.509 extensions will be embedded in the certificate. Read Common Options for the grammar of \f2\-ext\fP.
+.TP 3
+\-genkeypair {\-alias alias} {\-keyalg keyalg} {\-keysize keysize} {\-sigalg sigalg} [\-dname dname] [\-keypass keypass] {\-startdate value} {\-validity valDays} {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
 .LP
 Generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v3 self\-signed certificate, which is stored as a single\-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by \f2alias\fP.
 .LP
 \f2keyalg\fP specifies the algorithm to be used to generate the key pair, and \f2keysize\fP specifies the size of each key to be generated. \f2sigalg\fP specifies the algorithm that should be used to sign the self\-signed certificate; this algorithm must be compatible with \f2keyalg\fP.
 .LP
 \f2dname\fP specifies the X.500 Distinguished Name to be associated with \f2alias\fP, and is used as the \f2issuer\fP and \f2subject\fP fields in the self\-signed certificate. If no distinguished name is provided at the command line, the user will be prompted for one.
 .LP
 \f2keypass\fP is a password used to protect the private key of the generated key pair. If no password is provided, the user is prompted for it. If you press RETURN at the prompt, the key password is set to the same password as that used for the keystore. \f2keypass\fP must be at least 6 characters long.
 .LP
-\f2valDays\fP tells the number of days for which the certificate should be considered valid.
+\f2startdate\fP specifies the issue time of the certificate, also known as the "Not Before" value of the X.509 certificate's Validity field.
-.LP
+.RS 3
-This command was named \f2\-genkey\fP in previous releases. This old name is still supported in this release and will be supported in future releases, but for clarify the new name, \f2\-genkeypair\fP, is preferred going forward.
+.LP
+.LP
+The option value can be set in one of these two forms:
+.LP
+.RS 3
+.TP 3
+1.
+.LP
+([+\-]\f2nnn\fP[ymdHMS])+
+.TP 3
+2.
+.LP
+[yyyy/mm/dd] [HH:MM:SS]
+.RE
+.LP
+.LP
+With the first form, the issue time is shifted by the specified value from the current time. The value is a concatenation of a sequence of sub values. Inside each sub value, the plus sign ("+") means shifting forward, and the minus sign ("\-") means shifting backward. The time to be shifted is \f2nnn\fP units of years, months, days, hours, minutes, or seconds (denoted by a single character of "y", "m", "d", "H", "M", or "S" respectively). The exact value of the issue time is calculated using the \f2java.util.GregorianCalendar.add(int field, int amount)\fP method on each sub value, from left to right. For example, by specifying \f2"\-startdate \-1y+1m\-1d"\fP, the issue time will be:
+.LP
+.RS 3
+.LP
+.nf
+\f3
+.fl
+Calendar c = new GregorianCalendar();
+.fl
+c.add(Calendar.YEAR, \-1);
+.fl
+c.add(Calendar.MONTH, 1);
+.fl
+c.add(Calendar.DATE, \-1);
+.fl
+return c.getTime()
+.fl
+\fP
+.fi
+.RE
+.LP
+.LP
+With the second form, the user sets the exact issue time in two parts, year/month/day and hour:minute:second (using the local timezone). The user may provide only one part, which means the other part is the same as the current date (or time). User must provide the exact number of digits as shown in the format definition (padding with 0 if shorter). When both the date and time are provided, there is one (and only one) space character between the two parts. The hour should always be provided in 24 hour format.
+.LP
+.LP
+When the option is not provided, the start date is the current time. The option can be provided at most once.
+.LP
+.RE
+.LP
+\f2valDays\fP specifies the number of days (starting at the date specified by \f2\-startdate\fP, or the current date if \f2\-startdate\fP is not specified) for which the certificate should be considered valid.
+.LP
+This command was named \f2\-genkey\fP in previous releases. This old name is still supported in this release and will be supported in future releases, but for clarity the new name, \f2\-genkeypair\fP, is preferred going forward.
 .TP 3
 \-genseckey {\-alias alias} {\-keyalg keyalg} {\-keysize keysize} [\-keypass keypass] {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
 .LP
 Generates a secret key and stores it in a new \f2KeyStore.SecretKeyEntry\fP identified by \f2alias\fP.
 .LP
 \f2keyalg\fP specifies the algorithm to be used to generate the secret key, and \f2keysize\fP specifies the size of the key to be generated. \f2keypass\fP is a password used to protect the secret key. If no password is provided, the user is prompted for it. If you press RETURN at the prompt, the key password is set to the same password as that used for the keystore. \f2keypass\fP must be at least 6 characters long.
 .TP 3
 \-importcert {\-alias alias} {\-file cert_file} [\-keypass keypass] {\-noprompt} {\-trustcacerts} {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] {\-providerName provider_name} {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v} {\-protected} {\-Jjavaoption}
 .LP
-Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply) from the file \f2cert_file\fP, and stores it in the keystore entry identified by \f2alias\fP. If no file is given, the certificate or PKCS#7 reply is read from stdin.
+Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or a sequence of X.509 certificates) from the file \f2cert_file\fP, and stores it in the keystore entry identified by \f2alias\fP. If no file is given, the certificate or certificate chain is read from stdin.
 .LP
 \f3keytool\fP can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with "\-\-\-\-\-BEGIN", and bounded at the end by a string that starts with "\-\-\-\-\-END".
 .LP
 You import a certificate for two reasons:
 .RS 3
 2.
 \f3If the alias points to a key entry\fP, then \f3keytool\fP assumes you are importing a certificate reply.
 .RE
 \f3Importing a New Trusted Certificate\fP
 .RS 3
-.LP
 .LP
 Before adding the certificate to the keystore, \f3keytool\fP tries to verify it by attempting to construct a chain of trust from that certificate to a self\-signed certificate (belonging to a root CA), using trusted certificates that are already available in the keystore.
 .LP
 .LP
 If the \f2\-trustcacerts\fP option has been specified, additional certificates are considered for the chain of trust, namely the certificates in a file named "cacerts".
 .TP 2
 o
 \f3If the reply is a single X.509 certificate\fP, \f3keytool\fP attempts to establish a trust chain, starting at the certificate reply and ending at a self\-signed certificate (belonging to a root CA). The certificate reply and the hierarchy of certificates used to authenticate the certificate reply form the new certificate chain of \f2alias\fP. If a trust chain cannot be established, the certificate reply is not imported. In this case, \f3keytool\fP does not print out the certificate and prompt the user to verify it, because it is very hard (if not impossible) for a user to determine the authenticity of the certificate reply.
 .TP 2
 o
-\f3If the reply is a PKCS#7 formatted certificate chain\fP, the chain is first ordered (with the user certificate first and the self\-signed root CA certificate last), before \f3keytool\fP attempts to match the root CA certificate provided in the reply with any of the trusted certificates in the keystore or the "cacerts" keystore file (if the \f2\-trustcacerts\fP option was specified). If no match can be found, the information of the root CA certificate is printed out, and the user is prompted to verify it, e.g., by comparing the displayed certificate fingerprints with the fingerprints obtained from some other (trusted) source of information, which might be the root CA itself. The user then has the option of aborting the import operation. If the \f2\-noprompt\fP option is given, however, there will be no interaction with the user.
+\f3If the reply is a PKCS#7 formatted certificate chain or a sequence of X.509 certificates\fP, the chain is ordered with the user certificate first followed by zero or more CA certificates. If the chain ends with a self\-signed root CA certificate and \f2\-trustcacerts\fP option was specified, \f3keytool\fP will attempt to match it with any of the trusted certificates in the keystore or the "cacerts" keystore file. If the chain does not end with a self\-signed root CA certificate and the \f2\-trustcacerts\fP option was specified, \f3keytool\fP will try to find one from the trusted certificates in the keystore or the "cacerts" keystore file and add it to the end of the chain. If the certificate is not found and \f2\-noprompt\fP option is not specified, the information of the last certificate in the chain is printed out, and the user is prompted to verify it.
 .RE
 .LP
 .LP
 If the public key in the certificate reply matches the user's public key already stored with under \f2alias\fP, the old certificate chain is replaced with the new certificate chain in the reply. The old chain can only be replaced if a valid \f2keypass\fP, the password used to protect the private key of the entry, is supplied. If no password is provided, and the private key password is different from the keystore password, the user is prompted for it.
 If the \f2srcalias\fP option is not provided, then all entries in the source keystore are imported into the destination keystore. Each destination entry will be stored under the alias from the source entry. If the source entry is protected by a password, \f2srcstorepass\fP will be used to recover the entry. If \f2srcstorepass\fP is either not provided or is incorrect, the user will be prompted for a password. If a source keystore entry type is not supported in the destination keystore, or if an error occurs while storing an entry into the destination keystore, the user will be prompted whether to skip the entry and continue, or to quit. The destination entry will be protected with the source entry password.
 .LP
 If the destination alias already exists in the destination keystore, the user is prompted to either overwrite the entry, or to create a new entry under a different alias name.
 .LP
 Note that if \f2\-noprompt\fP is provided, the user will not be prompted for a new destination alias. Existing entries will automatically be overwritten with the destination alias name. Finally, entries that can not be imported are automatically skipped and a warning is output.
+.TP 3
+\-printcertreq {\-file file}
+.LP
+Prints the content of a PKCS #10 format certificate request, which can be generated by the keytool \-certreq command. The command reads the request from file; if omitted, from the standard input.
 .RE
 .RE
 .SS
 Exporting Data
 .LP
 .TP 3
 \-list {\-alias alias} {\-storetype storetype} {\-keystore keystore} [\-storepass storepass] {\-providerName provider_name} {\-providerClass provider_class_name {\-providerArg provider_arg}} {\-v | \-rfc} {\-protected} {\-Jjavaoption}
 .LP
 Prints (to stdout) the contents of the keystore entry identified by \f2alias\fP. If no alias is specified, the contents of the entire keystore are printed.
 .LP
-This command by default prints the MD5 fingerprint of a certificate. If the \f2\-v\fP option is specified, the certificate is printed in human\-readable format, with additional information such as the owner, issuer, serial number, and any extensions. If the \f2\-rfc\fP option is specified, certificate contents are printed using the printable encoding format, as defined by the Internet RFC 1421 standard
+This command by default prints the SHA1 fingerprint of a certificate. If the \f2\-v\fP option is specified, the certificate is printed in human\-readable format, with additional information such as the owner, issuer, serial number, and any extensions. If the \f2\-rfc\fP option is specified, certificate contents are printed using the printable encoding format, as defined by the Internet RFC 1421 standard
 .LP
 You cannot specify both \f2\-v\fP and \f2\-rfc\fP.
 .TP 3
-\-printcert {\-file cert_file} {\-v} {\-Jjavaoption}
+\-printcert {\-file cert_file | \-sslserver host[:port]} {\-rfc} {\-v} {\-Jjavaoption}
 .LP
 .LP
-Internet RFC 1421 standard.
+If \f2\-rfc\fP is specified, keytool prints the certificate in PEM mode as defined by the Internet RFC 1421 standard.
 .LP
-Note: This option can be used independently of a keystore.
+If the certificate is read from a file or stdin, it may be either binary encoded or in printable encoding format, as defined by the Internet RFC 1421 standard
+.LP
+If the SSL server is behind a firewall, \f2\-J\-Dhttps.proxyHost=proxyhost\fP and \f2\-J\-Dhttps.proxyPort=proxyport\fP can be specified on the command line for proxy tunneling. See the JSSE Reference Guide for more information.
+.LP
+\f3Note\fP: This option can be used independently of a keystore.
 .RE
 .LP
 .RE
 .SS
 Exporting a Certificate Authenticating Your Public Key
 .LP
 .RS 3
 .LP
-Suppose you have used the
+Suppose you have used the jarsigner(1) tool to sign a Java ARchive (JAR) file. Clients that want to use the file will want to authenticate your signature.
-.na
-\f2jarsigner\fP @
-.fi
-http://java.sun.com/javase/6/docs/tooldocs/solaris/jarsigner.html tool to sign a Java ARchive (JAR) file. Clients that want to use the file will want to authenticate your signature.
 .LP
 One way they can do this is by first importing your public key certificate into their keystore as a "trusted" entry. You can export the certificate and supply it to your clients. As an example, you can copy your certificate to a file named \f2MJ.cer\fP via the following, assuming the entry is aliased by "mykey":
 .LP
 .nf
 \f3
 \fP
 .fi
 .RE
 .LP
+.SS
+Generating Certificates for a typical SSL Server
+.LP
+.RS 3
+.LP
+.LP
+Keytool commands to generate keypairs and certificates for three entities, namely, Root CA (root), Intermadiate CA (ca), and SSL server (server) are as follows:
+.LP
+.nf
+\f3
+.fl
+keytool \-keystore root.jks \-genkeypair \-alias root \-ext bc:c
+.fl
+keytool \-keystore ca.jks \-alias ca
+.fl
+keytool \-keystore server.jks \-alias server
+.fl
+.fl
+keytool \-keystore root.jks \-alias root \-exportcert > root.pem
+.fl
+.fl
+keytool \-keystore ca.jks \-certreq \-alias ca | keytool \-keystore root.jks \-gencert \-alias root \-ext BC=0 > ca.pem
+.fl
+keytool \-keystore ca.jks \-importcert \-alias ca \-file ca.pem
+.fl
+.fl
+keytool \-keystore server.jks \-certreq \-alias server | keytool \-keystore ca.jks \-gencert \-alias ca \-ext ku:c=dig,kE >server.pem
+.fl
+cat root.pem ca.pem server.pem | keytool \-keystore server.jks \-importcert \-alias server
+.fl
+\fP
+.fi
+.RE
+.LP
 .SH "TERMINOLOGY and WARNINGS"
 .LP
 .LP
 .SS
 .LP
 .LP
 There is a built\-in default implementation, provided by Sun Microsystems. It implements the keystore as a file, utilizing a proprietary keystore type (format) named "JKS". It protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password.
 .LP
 .LP
-Keystore implementations are provider\-based. More specifically, the application interfaces supplied by \f2KeyStore\fP are implemented in terms of a "Service Provider Interface" (SPI). That is, there is a corresponding abstract \f2KeystoreSpi\fP class, also in the \f2java.security\fP package, which defines the Service Provider Interface methods that "providers" must implement. (The term "provider" refers to a package or a set of packages that supply a concrete implementation of a subset of services that can be accessed by the Java Security API.) Thus, to provide a keystore implementation, clients must implement a "provider" and supply a KeystoreSpi subclass implementation, as described in How to Implement a Provider for the Java Cryptography Architecture.
+Keystore implementations are provider\-based. More specifically, the application interfaces supplied by \f2KeyStore\fP are implemented in terms of a "Service Provider Interface" (SPI). That is, there is a corresponding abstract \f2KeystoreSpi\fP class, also in the \f2java.security\fP package, which defines the Service Provider Interface methods that "providers" must implement. (The term "provider" refers to a package or a set of packages that supply a concrete implementation of a subset of services that can be accessed by the Java Security API.) Thus, to provide a keystore implementation, clients must implement a "provider" and supply a KeystoreSpi subclass implementation, as described in
+.na
+\f2How to Implement a Provider for the Java Cryptography Architecture\fP @
+.fi
+http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html.
 .LP
 .LP
 Applications can choose different \f2types\fP of keystore implementations from different providers, using the "getInstance" factory method supplied in the \f2KeyStore\fP class. A keystore type defines the storage and data format of the keystore information, and the algorithms used to protect private/secret keys in the keystore and the integrity of the keystore itself. Keystore implementations of different types are not compatible.
 .LP
 .LP
 \f3Owner DN\fP: CN=Baltimore CyberTrust Root,
 .br
 OU=CyberTrust, O=Baltimore, C=IE
 .TP 2
 *
-\f3Alias\fP: gtecybertrustca
-.br
-\f3Owner DN\fP: CN=GTE CyberTrust Root,
-.br
-O=GTE Corporation, C=US
-.TP 2
-*
 \f3Alias\fP: gtecybertrust5ca
 .br
 \f3Owner DN\fP: CN=GTE CyberTrust Root 5,
 .br
 OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
 .LP
 .LP
 The \f2\-exportcert\fP command by default outputs a certificate in binary encoding, but will instead output a certificate in the printable encoding format, if the \f2\-rfc\fP option is specified.
 .LP
 .LP
-The \f2\-list\fP command by default prints the MD5 fingerprint of a certificate. If the \f2\-v\fP option is specified, the certificate is printed in human\-readable format, while if the \f2\-rfc\fP option is specified, the certificate is output in the printable encoding format.
+The \f2\-list\fP command by default prints the SHA1 fingerprint of a certificate. If the \f2\-v\fP option is specified, the certificate is printed in human\-readable format, while if the \f2\-rfc\fP option is specified, the certificate is output in the printable encoding format.
 .LP
 .LP
 In its printable encoding format, the encoded certificate is bounded at the beginning by
 .LP
 .nf
 .LP
 .RS 3
 .TP 2
 o
-.na
+.LP
-\f2jar\fP @
+jar(1) tool documentation
-.fi
+.TP 2
-http://java.sun.com/javase/6/docs/tooldocs/solaris/jar.html tool documentation
+o
-.TP 2
+.LP
-o
+jarsigner(1) tool documentation
-.na
+.TP 2
-\f2jarsigner\fP @
+o
-.fi
+.LP
-http://java.sun.com/javase/6/docs/tooldocs/solaris/jarsigner.html tool documentation
-.TP 2
-o
 the
 .na
 \f4Security\fP @
 .fi
 http://java.sun.com/docs/books/tutorial/security/index.html trail of the
 .na
 \f4Java Tutorial\fP @
 .fi
-http://java.sun.com/docs/books/tutorial/trailmap.html for examples of the use of \f3keytool\fP
+http://java.sun.com/docs/books/tutorial for examples of the use of \f3keytool\fP
 .RE
 .LP
 .SH "CHANGES"
 .LP

changeset 2692	345bc8d65b19
parent 2	90ce3da70b43
child 5506	202f599c92aa