keytool(1) keytool(1) keytool - X.509() keytool [commands] commands o o -gencert o -genkeypair o -genseckey o -importcert o -importpassword o o -importkeystore o o -certreq o o -exportcert o o -list o -printcert o -printcertreq o -printcrl o o -storepasswd o -keypasswd o -delete o -changealias o o -help keytool()keytool() ()()() keytool/(DES) keytool o (-) o o o -v-rfc-J o -keypasskeytool/keytool/ o ()-printcert keytool -printcert {-file cert_file} {-v} -printcertcert_file: keytool -printcert -file VScert.cer o () o -helpkeytoolkeytool -help -alias "mykey" -keyalg "DSA" (when using -genkeypair) "DES" (when using -genseckey) -keysize 2048 (when using -genkeypair and -keyalg is "RSA") 1024 (when using -genkeypair and -keyalg is "DSA") 256 (when using -genkeypair and -keyalg is "EC") 56 (when using -genseckey and -keyalg is "DES") 168 (when using -genseckey and -keyalg is "DESede") -validity 90 -keystore -storetype -file stdin (if reading) stdout (if writing) -protected false /(-sigalg) o DSA-sigalgSHA1withDSA o RSA-sigalgSHA256withRSA o EC-sigalgSHA256withECDSA -keyalg-sigalg http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#AppAJava Cryptography Architecture (JCA) Reference Guide -v-help-v -Jjavaoption-JjavaoptionjavaoptionJavajava -hjava -X -storetype storetype -keystore keystore keytoolJKS storetypekeytool -genkeypair-keystore.keystore-keystore ks_fileks_fileJKS storetypeKeyStore -keystoreKeyStore.loadURLNONEnullKeyStore.loadNONEKeyStore -storepass[:env| :file] argument envfileargument6 o env: argument o file: argument : -keypass-srckeypass-destkeypass-srcstorepass-deststorepassenvfile(:) -storepass -providerName provider_name -providerClass provider_class_name -providerArg provider_arg -providerClassprovider_class_name -protected truefalsePINtrue-importkeystore22-srcprotected-destprotected -ext {name{:critical} {=value}} X.509-genkeypair-gencert-certreqname()OIDvaluevalue:criticalisCriticaltruefalse:critical:c keytool/ 
BC BasicConstraints : ca:{true|false}[,pathlen:](ca:true,pathlen:)ca:true KUKeyUsage : usage(usage)*usagedigitalSignaturenonRepudiation (contentCommitment)keyEnciphermentdataEnciphermentkeyAgreementkeyCertSigncRLSignencipherOnlydecipherOnlyusage(digitalSignaturedig)(digitalSignaturedScRLSigncRLS)usage EKUExtendedKeyUsage : usage(usage)*usageanyExtendedKeyUsageserverAuthclientAuthcodeSigningemailProtectiontimeStampingOCSPSigningOIDusageusage SANSubjectAlternativeName : type:value(type:value)*typeEMAILURIDNSIPOIDvaluetype IANIssuerAlternativeName : SubjectAlternativeName SIASubjectInfoAccess : method:location-type:location-value (method:location-type:location-value)*methodtimeStampingcaRepositoryOIDlocation-typelocation-valueSubjectAlternativeNametype:value AIAAuthorityInfoAccess : SubjectInfoAccessmethodocspcaIssuersOID nameOIDOCTET STRINGextnValue16DERHEX16(0-9a-fA-F)01:02:03:0401020304 -gencerthonoredall()name{:[critical|non-critical]}(isCritical)-name(all) -ext honoredOID -ext(OID) subjectKeyIdentifierauthorityKeyIdentifier : () -gencert {-rfc} {-infile infile} {-outfile outfile} {-alias alias} {-sigalg sigalg} {-dname dname} {-startdate startdate} {-ext ext}* {-validity valDays} [-keypass keypass] {-keystore keystore} [-storepass storepass] {-storetype storetype} {-providername provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} (keytool -certreq)infile()X.509outfile()-rfcBASE64PEMDER sigalgstartdatevalDays dname extX.509-ext -gencerte13 caca1ca2e14 keytool -alias ca -dname CN=CA -genkeypair keytool -alias ca1 -dname CN=CA -genkeypair keytool -alias ca2 -dname CN=CA -genkeypair keytool -alias e1 -dname CN=E1 -genkeypair 2caca1ca1ca2 keytool -alias ca1 -certreq | keytool -alias ca -gencert -ext san=dns:ca1 | keytool -alias ca1 -importcert keytool -alias ca2 -certreq | keytool -alias ca1 -gencert -ext san=dns:ca2 | keytool -alias ca2 -importcert e1e1.certca2e1caca1ca2 keytool -alias e1 -certreq | keytool -alias ca2 
-gencert > e1.cert -genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-startdate value} {-ext ext}* {-validity valDays} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} ()X.509 v3alias keyalgkeysizesigalgkeyalg dnamealiasissuersubjectX.500 keypass[Return]keypass6 startdateX.509ValidityNot Before 2 ([+-]nnn[ymdHMS])+ [yyyy/mm/dd] [HH:MM:SS] (+)(-)nnn(1ymdHMS)java.util.GregorianCalendar.add(int field, int amount) Calendar c = new GregorianCalendar(); c.add(Calendar.YEAR, -1); c.add(Calendar.MONTH, 1); c.add(Calendar.DATE, -1); return c.getTime() 2//::2()11()(0)21(1)24 1 valDays(-startdate-startdate) -genkey-genkeypair -genseckey {-alias alias} {-keyalg keyalg} {-keysize keysize} [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} KeyStore.SecretKeyEntry(alias) keyalgkeysizekeypass[Return]keystorekeypass6 -importcert {-alias alias} {-file cert_file} [-keypass keypass] {-noprompt} {-trustcacerts} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} cert_file(PKCS#7X.509)aliaskeystorestdin keytoolX.509 v1v2v3PKCS#7PKCS#7(Base64)RFC 1421-----BEGIN-----END (CA)CA(-certreq)2 -aliaskeytoolkeytoolkeytool -importpassword {-alias alias} [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} aliasKeyStore.SecretKeyEntrykeypass[Return]keystorekeypass6 -importkeystore {-srcstoretype srcstoretype} {-deststoretype deststoretype} [-srcstorepass srcstorepass] [-deststorepass deststorepass] {-srcprotected} 
{-destprotected} {-srcalias srcalias {-destalias destalias} [-srckeypass srckeypass]} [-destkeypass destkeypass] {-noprompt} {-srcProviderName src_provider_name} {-destProviderName dest_provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} -srcaliasdestaliassrcaliassrckeypasssrckeypasskeytoolsrcstorepasssrcstorepassdestkeypassdestkeypassPKCS #12storepasskeypassPKCS #12-destkeypass-deststorepass -srcaliassrcstorepasssrcstorepass -noprompt -printcertreq {-file file} PKCS#10keytool -certreq -certreq {-alias alias} {-dname dname} {-sigalg sigalg} {-file certreq_file} [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} PKCS#10(CSR) CSR(CA)CA()(1) aliasPKCS#10keypassdnameCSRX.500 sigalgCSR CSRcertreq_filestdoutCSR CAimportcert -exportcert {-alias alias} {-file cert_file} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-rfc} {-v} {-protected} {-Jjavaoption} aliascert_filestdout -rfcRFC 1421 aliasaliasalias -export-exportcert -list {-alias alias} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v | -rfc} {-protected} {-Jjavaoption} aliasstdoutalias SHA1 -v-rfcRFC 1421 -v-rfc -printcert {-file cert_file | -sslserver host[:port]} {-jarfile JAR_file} {-rfc} {-v} {-Jjavaoption} cert_filehost:portSSLJARJAR_file(-jarfile)HTTPS443-sslserver-filestdin -rfckeytoolRFC 1421PEMRFC 1421 stdinRFC 1421 SSL-J-Dhttps.proxyHost=proxyhost-J-Dhttps.proxyPort=proxyporthttp://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html Java Secure Socket Extension (JSSE) Reference Guide Note: -printcert only displays the certificate (or the chain presented by -sslserver); it does not validate the chain against any trust store. Compare the printed fingerprints with values obtained out of band before trusting or importing the certificate. : -printcrl -file crl_file {-v} crl_file(CRL)CRLCACAcrl_file 
: -storepasswd [-new new_storepass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-Jjavaoption} new_storepassnew_storepass6 -keypasswd {-alias alias} [-keypass old_keypass] [-new new_keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-Jjavaoption} alias/old_keypassnew_keypassnew_keypass6 -keypass -new -delete [-alias alias] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} alias -changealias {-alias alias} [-destalias destalias] [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption} aliasdestalias-keypassstorepass() -help : keytool -command_name -helpcommand_name / keytool -genkeypair -dname "cn=Mark Jones, ou=Java, o=Oracle, c=US" -alias business -keypass <keypass> -keystore /working/mykeystore -storepass <storepass> -validity 180 workingmykeystore()Mark JonesJavaOracle2US1024DSA SHA1withDSA180business (Note: this example relies on the DSA defaults, a 1024-bit key signed with SHA1withDSA; for keys that will be trusted in production, specify -keyalg RSA -keysize 2048 or -keyalg EC, which select SHA256withRSA or SHA256withECDSA. Passwords given on the command line are visible to other users via the process list and shell history; prefer the -storepass:env / -storepass:file forms or omit the option so keytool prompts.) keytool -genkeypair mykey90.keystore -genkeypair-genkeypaircn=Mark Jonesou=Javao=Oraclec=US CA (CA)CA(CSR) keytool -certreq -file MarkJ.csr CSR(mykeyCSR)MarkJ.csrCA (VeriSign)CA()CA CA CA CAcacerts1-importcert o CACA o CA() cacertsVeriSignCAVeriSignCACAcacertsCA CACA(CA)ABC, Inc.,CAABCABCCA.cer(CA)keytool -printcert-nopromptkeytool -importcert()() keytool -importcert -alias abc -file ABCCA.cer ABCCA.cerabc CA CA(cacerts)CACACAcacerts VeriSignVSMarkJ.cer keytool -importcert -trustcacerts -file VSMarkJ.cer jarsignerJava Archive (JAR)1 MJ.cermykey keytool -exportcert -alias mykey -file MJ.cer JARjarsigner importkeystore()/keytoolkeytool 
JKSkey.jksPKCS#11 keytool -importkeystore -srckeystore key.jks -destkeystore NONE -srcstoretype JKS -deststoretype PKCS11 -srcstorepass -deststorepass importkeystore-srcalias/ keytool -importkeystore -srckeystore key.jks -destkeystore NONE -srcstoretype JKS -deststoretype PKCS11 -srcstorepass -deststorepass -srcalias myprivatekey -destalias myoldprivatekey -srckeypass -destkeypass -noprompt SSL 3CA(root)CA(ca)SSL(server)keytoolRSA keytool -genkeypair -keystore root.jks -alias root -ext bc:c keytool -genkeypair -keystore ca.jks -alias ca -ext bc:c keytool -genkeypair -keystore server.jks -alias server keytool -keystore root.jks -alias root -exportcert -rfc > root.pem keytool -storepass -keystore ca.jks -certreq -alias ca | keytool -storepass -keystore root.jks -gencert -alias root -ext BC=0 -rfc > ca.pem keytool -keystore ca.jks -importcert -alias ca -file ca.pem keytool -storepass -keystore server.jks -certreq -alias server | keytool -storepass -keystore ca.jks -gencert -alias ca -ext ku:c=dig,kE -rfc > server.pem cat root.pem ca.pem server.pem | keytool -keystore server.jks -importcert -alias server keytool2 - keytooljarsigner : 1Subject() () -genseckey-genkeypair()-importcertkeytool duke keytool -genkeypair -alias duke -keypass dukekeypasswd dukekeypasswddukeDuke keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass dukekeypasswdnewpass java.securityKeyStore keytooljarsigner2Policy ToolGUIKeyStorepublicKeyStore OracleJKS()() KeyStore(SPI)KeystoreSpi(java.security)Service Provider InterfaceJava Security APIhttp://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html JavaKeystoreSpi KeyStoregetInstance/ keytoolFileInputStreamjarsignerpolicytoolURL keytooljarsigner-storetypePolicy Tool keystore.typejava.securityWindowsjava.home\lib\securityOracle Solarisjava.home/lib/securityjava.homejreSDKJava Runtime Environment (JRE) keystore.typeKeyStorestaticgetDefaultTypekeystore.type(keystore.type) KeyStore keyStore = 
KeyStore.getInstance(KeyStore.getDefaultType()); jksOracle keystore.type=jks pkcs12 keystore.type=pkcs12 : JKSjks ()()()() : : : Oracle Solaris UIDX.509 : : DSA11 : (CA)CA()()CAVeriSignThawteEntrust MicrosoftEntrustCAkeytool keytoolX.509 X.509 X.509()ASN.1/DER2Abstract Syntax Notation 1Distinguished Encoding Rules X.509 : X.5093keytoolv1v2v3v3 X.509 Version 11988 X.509 Version 2SubjectSubjectVersion 2 X.509 Version 3(1996)KeyUsage()AlternativeNames(DNSIP)criticalcriticalkeyCertSignKeyUsageSSLSSL : (CRL) : CA : X.500X.500CACA : 100 : X.500X.500(DN)X.500 CN=Java Duke, OU=Java Software Division, O=Oracle Corporation, C=US (CN)(OU)(O)(C) : keytool 1-genkeypair()-genkeypair (CSR)-certreqCSR(CA)CA-importcert-certreq-importcertSubjectCA()CA CA(CA)CA(CA)CSRCACACSRCACA() CACA (PKCS#7)keytool ()CAVeriSignCACACACACA-printcertCAWeb cacerts cacertsWindowsjava.home\lib\securityOracle Solarisjava.home/lib/securityjava.home(SDKjreJRE) cacertsCAjkskeytoolcacertsCA keytool -list -keystore java.home/lib/security/cacerts The initial password of the cacerts keystore is changeit. System administrators should change that password and restrict the file's access permissions when installing the SDK. : Every CA certificate in cacerts is trusted by all Java code on that installation, so review the list after installation and remove (keytool -delete) any CA you do not trust before relying on cacerts; the JRE ships with cacerts pre-populated. RFC 1421 RFC 1421Base 64 -importcert-printcert-exportcert-rfc -listSHA1-v-rfc -----BEGIN CERTIFICATE----- encoded certificate goes here. 
-----END CERTIFICATE----- X.500 X.500X.509subjectissuer()X.500keytool commonName: Susan Jones organizationUnit: ()Purchasing localityName: ()Palo Alto stateName: California country: 2CH -dname(-genkeypair) CN=cName, OU=orgUnit, O=org, L=city, S=state, C=countryCode CN=commonName OU=organizationUnit O=organizationName L=localityName S=stateName C=country CN=Mark Smith, OU=Java, O=Oracle, L=Cupertino, S=California, C=US keytool -genkeypair -dname "CN=Mark Smith, OU=Java, O=Oracle, L=Cupertino, S=California, C=US" -alias mark CNcnCn CN=Steve Meier, OU=Java, O=Oracle, C=US (\) cn=Peter Schuster, ou=Java\, Product Development, o=Oracle, c=US (\) : Windows: -noprompt-printcert-importcert\tmp\cert-printcert keytool -printcert -file \tmp\cert Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll Serial Number: 59092b34 Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PST 1997 Certificate Fingerprints: MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:13:0E:5E:FE SHA256: 90:7B:70:0A:EA:DC:16:79:92:99:41:FF:8A:FE:EB:90: 17:75:E0:90:B2:24:4D:3A:2A:16:A6:E4:11:0F:67:A4 Oracle Solaris: -noprompt-printcert-importcert/tmp/cert-printcert keytool -printcert -file /tmp/cert Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll Serial Number: 59092b34 Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PST 1997 Certificate Fingerprints: MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:13:0E:5E:FE SHA256: 90:7B:70:0A:EA:DC:16:79:92:99:41:FF:8A:FE:EB:90: 17:75:E0:90:B2:24:4D:3A:2A:16:A6:E4:11:0F:67:A4 ()(JAR) : -printcert-importcert-noprompt-importcert-noprompt /(-storepass-keypass) RFC 5280X.509 http://tools.ietf.org/rfc/rfc5280.txt keytoolJRE-dname-ext keytool(CA) -trustcacertscacerts keytool(cacerts)()()-noprompt (-trustcacerts)cacertscacerts o 
X.509keytool(CA)aliaskeytool o PKCS#7X.5090CACA -trustcacerts: when building the chain of trust for an imported certificate reply, keytool also considers the CA certificates in cacerts; without -trustcacerts only the entries already in the target keystore are used. If no trusted chain can be established, keytool prints the certificate and its fingerprints and asks whether to trust it; verify the fingerprint out of band before answering yes. -noprompt suppresses this check entirely, so use it only for certificates that have already been verified. aliaskeypass -import is the older name of -importcert and is still accepted. o jar(1) o jarsigner(1) o http://docs.oracle.com/javase/tutorial/security/index.html : Java SE JDK 8 201533 keytool(1)