Thursday 1 April 2010

Basic keytool commands

Keytool is the Java command-line utility for managing keys and certificates that ships with the JDK. It can generate public/private key pairs, generate certificate signing requests, import trusted certificates and much more. Keytool stores all of this in a keystore file, and every entry (a private key with its certificate chain, or a trusted certificate) is identified by a unique name, the alias.
I had to make a keystore that contains a certificate chain for testing purposes, so here's what I did:

Generate a self-signed key pair, stored as a PrivateKeyEntry under the alias "store". Keytool prompts for the keystore password, the key password and the DN fields, and creates the keystore file keystore.store if it does not exist yet. The defaults are meant for quick tests (older JDKs default to a 1024-bit RSA key, and the certificate is valid for 90 days), so add -keysize 2048 and -validity <days> for anything that has to outlive the test:
keytool -genkey -keyalg "RSA" -alias store -keystore keystore.store

Generate a certificate signing request (CSR) for the "store" key, to be handed to the CA for signing:
keytool -certreq -v -alias store -file store.req -keystore keystore.store

Import the root CA's certificate (ca.pem) as a trusted certificate under the alias root-ca. Unless the certificate already matches one in the JDK's cacerts, keytool prints its fingerprint and asks whether to trust it; compare that fingerprint with one obtained out of band before answering yes, because everything chaining to this root will be trusted from now on:
keytool -import -v -trustcacerts -alias root-ca -file ca.pem -keystore keystore.store

Import the intermediate (sub-CA) certificate under the alias sub-ca. Skip this step if your CA signs end-entity certificates directly. Keytool accepts either binary DER or PEM; for PEM, make sure subca.pem starts with -----BEGIN CERTIFICATE----- (a file that starts differently is not a bare certificate and the import will fail):
keytool -import -v -trustcacerts -alias sub-ca -file subca.pem -keystore keystore.store

Import the signed certificate produced from the CSR. Notice that the alias is the same as the generated key's alias: keytool then treats the file as a certificate reply rather than as a new trusted entry, checks that the certificate's public key matches the private key, and builds the chain from the trusted certificates already in the keystore (plus the JDK's cacerts if -trustcacerts is given). If the issuing CA certificates cannot be found it aborts with "Failed to establish chain from reply", which is why the root and sub-CA were imported first:
keytool -import -v -alias store -file store.crt -keystore keystore.store

Finally, list the keystore's entries. Add -v to see each entry's type, certificate chain length, validity and fingerprints:
keytool -list -keystore keystore.store
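The whole procedure end to end, as an added example that is not part of the original post. It uses openssl to stand in for the CA the post assumes already exists (a throwaway root CA and sub-CA), then runs the post's keytool steps non-interactively and reads the result back. It assumes openssl and keytool are on PATH; the subject names, aliases, file names and the password changeit are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway
# root CA -> sub-CA -> leaf chain with openssl, then runs the post's
# keytool steps without prompts and checks the chain keytool built.
# Assumptions: openssl and keytool on PATH; subject names, aliases,
# file names and the password are invented here.
set -eu
export LC_ALL=C   # keytool's output is matched in English below

# Sign a CSR (from keytool or openssl) with the given CA, applying the
# extensions listed in file $5 (openssl's unnamed-section format).
sign_csr() {
  # $1 csr  $2 CA cert  $3 CA key  $4 output cert  $5 extension file  $6 serial
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$6" \
    -days 365 -sha256 -extfile "$5" -out "$4" >/dev/null 2>&1
}

# Build the test PKI and the keystore in directory $1 (absolute path),
# using $2 as both store and key password (keytool wants >= 6 characters).
build_test_chain() (
  cd "$1"; pass=$2; ks="$PWD/keystore.store"

  # --- throwaway PKI made with openssl ---
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout ca.key -out ca.csr >/dev/null 2>&1
  openssl x509 -req -in ca.csr -signkey ca.key -set_serial 1 -days 365 -sha256 \
    -extfile ca.ext -out ca.pem >/dev/null 2>&1          # self-signed root
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > subca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Sub CA" \
    -keyout subca.key -out subca.csr >/dev/null 2>&1
  sign_csr subca.csr ca.pem ca.key subca.pem subca.ext 2  # root signs the sub-CA
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:test.example.com\n' > leaf.ext

  # --- the post's steps; -dname/-storepass/-noprompt replace the prompts.
  #     -genkeypair and -importcert are the current names of -genkey and -import.
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias store \
    -dname "CN=test.example.com" -keystore "$ks" -storepass "$pass" -keypass "$pass"
  keytool -certreq -alias store -file store.req -keystore "$ks" -storepass "$pass"
  sign_csr store.req subca.pem subca.key store.crt leaf.ext 3   # the sub-CA signs it
  keytool -importcert -noprompt -trustcacerts -alias root-ca -file ca.pem \
    -keystore "$ks" -storepass "$pass"
  keytool -importcert -noprompt -trustcacerts -alias sub-ca -file subca.pem \
    -keystore "$ks" -storepass "$pass"
  # Same alias as the key, so keytool treats this as a certificate reply and
  # must be able to walk store.crt -> sub-ca -> root-ca from the entries above;
  # otherwise it stops with "Failed to establish chain from reply".
  keytool -importcert -alias store -file store.crt \
    -keystore "$ks" -storepass "$pass" -keypass "$pass"
)

# Print what "keytool -list -v" reports as the chain length for an alias.
chain_length() {   # $1 keystore  $2 store password  $3 alias
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p'
}

# Print the entry type (PrivateKeyEntry or trustedCertEntry) of an alias.
entry_type() {     # $1 keystore  $2 store password  $3 alias
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/^Entry type: *//p'
}

# Stand-alone run (skipped quietly when the tools are not installed).
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  build_test_chain "$work" changeit
  echo "alias store: $(entry_type "$work/keystore.store" changeit store)," \
       "chain length $(chain_length "$work/keystore.store" changeit store)"
  keytool -list -keystore "$work/keystore.store" -storepass changeit
fi
```

The key entry ends up with a chain of length 3 (leaf, sub-CA, root) and the two CA certificates as trustedCertEntry entries. Passing -storepass and -keypass on the command line is convenient in a build script but exposes the password to anyone who can list processes on a shared host; for that case keep the interactive prompts, or on newer JDKs use the -storepass:env and -storepass:file forms.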

More information:
http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html
http://www.globalsign.com/support/code-signing/codesign_sunjava.html
http://www.informit.com/articles/article.aspx?p=407886
