In this blog, we will learn about keytool, a utility that ships with every Java release. If you don't have Java, install it and keytool is installed along with it.
What is Keytool?
Keytool is a key and certificate management utility. This tool lets users create private/public key pairs and certificates and store them in a keystore.
Let's go through the different functions of this tool.
Creating Public Private Key Pair using Keytool
Let us create a public/private key pair using the keytool utility. Open a terminal window and run the keytool command below with the -genkeypair option.
keytool -genkeypair -alias pranay_pub_priv -keyalg RSA -validity 365 \
    -keystore /home/pranay/.keystore -storetype JKS
Let us understand this command.
- -genkeypair generates a key pair (a public key and a private key) and wraps the public key in an X.509 v3 self-signed certificate. The certificate and the private key are stored in the keystore as a single entry.
- -alias is the name used to identify the entry in the keystore.
- -keyalg is the algorithm used to generate the key pair.
- -validity is the validity period, in days, of the generated self-signed certificate.
- -keystore is the path of the keystore. If no keystore exists at that path, keytool creates one and prompts you to set a password; otherwise it prompts for the existing keystore password.
- -keypass is not given because I wanted the private key to use the same password as the keystore.
- -storetype is the type of keystore. I used JKS (Java KeyStore), which stores entries in a binary format and prompts for a password before showing the contents of the .jks file. PKCS12 is the other format.
You can give your own keystore path in place of /home/pranay/.keystore. keytool will now prompt for the keystore password and then for
- first and last name
- name of your organizational unit
- name of your organization
- name of your City or Locality
- name of your State or Province
- two-letter country code for this unit
- and a confirmation of the information entered above.
Viewing the created key pair in the keystore
Run keytool -list to view the entries in the keystore stored in your home directory, like below.
keytool -list
To view a keystore at a custom path, add -keystore <keystore path> to the command:
keytool -list -keystore /home/pranay/.keystore
To view the detailed certificate information, run the command below on the terminal.
keytool -list -keystore /home/pranay/.keystore -v -alias pranay_pub_priv
The output will look like below.
This is a self-signed certificate and should be used only for development and testing.
Exporting the public key certificate
We can export the public-key certificate by running the command below with the -exportcert option.
keytool -exportcert -alias pranay_pub_priv -file public.cer
Migrating to PKCS12 Store type format
We can migrate from a JKS keystore to the industry-standard PKCS12 format by running the command below, and then view the p12 certificate details using keytool.
keytool -importkeystore -srckeystore /home/pranay/.keystore \
    -destkeystore /home/pranay/.keystore -deststoretype pkcs12
Let us understand the command options specified:
- -importkeystore imports the entries of one keystore into another keystore.
- -srckeystore specifies the source keystore I want to migrate (my JKS keystore).
- -destkeystore specifies the destination keystore to migrate to.
- -deststoretype pkcs12 sets the type of the destination keystore to PKCS12.
The output looks like below.
Let's list the entries and see the output.
Exporting Private key with openssl from PKCS12 keystore
openssl pkcs12 -in /home/pranay/.keystore -nodes -nocerts -out private_key.pem
Exporting Public key with openssl from PKCS12 keystore
openssl pkcs12 -in /home/pranay/.keystore -nokeys -out cert.pem
Both commands prompt for the keystore password.
keytool has various other options to change an alias, delete an entry from the keystore, or generate a secret key. Explore the keytool manual page by running the command below
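The whole procedure above, from generating the key pair to pulling the private key and certificate out of the PKCS12 store with openssl, as one added example script that is not part of the original post. It replaces the interactive prompts with -dname, -storepass and -keypass so the steps can be scripted and checked, works in a throwaway directory with a constructed alias, password and distinguished name, migrates into a separate .p12 file instead of in place, uses -rfc on export so openssl can read the certificate, and finishes with the checks a practitioner wants after a migration: the certificate exported from the JKS store has the same SHA-256 fingerprint as the one in the PKCS12 store, the extracted private key matches that certificate, and the certificate is self-signed. It assumes keytool and openssl are on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the keytool workflow above run
# non-interactively and then checked with openssl.
# Assumes keytool and openssl are on PATH. The alias, password and DN are
# constructed for the demo; use your own values in real use.
set -eu

ALIAS="demo_pub_priv"
STOREPASS="changeit-demo"                      # constructed demo password
DNAME="CN=Demo User, OU=Dev, O=Example, L=City, ST=State, C=US"

# Generate the RSA key pair and self-signed certificate in a JKS keystore.
# -dname/-storepass/-keypass answer the prompts the post walks through.
gen_keypair() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$JKS" -storetype JKS -storepass "$STOREPASS" \
        -keypass "$STOREPASS" -dname "$DNAME"
}

# Count how many times the alias appears in `keytool -list` for a store.
count_alias() {  # $1 = keystore file, $2 = store type
    keytool -list -keystore "$1" -storetype "$2" -storepass "$STOREPASS" 2>/dev/null |
        grep -c "^$ALIAS," || true
}

# Export the public-key certificate; -rfc writes PEM (keytool's default is DER).
export_cert() {
    keytool -exportcert -alias "$ALIAS" -keystore "$JKS" -storepass "$STOREPASS" \
        -rfc -file "$PUB_CER"
}

# Migrate the JKS entry into a separate PKCS12 file (the post migrates in place).
migrate_to_pkcs12() {
    keytool -importkeystore -srckeystore "$JKS" -srcstoretype JKS \
        -srcstorepass "$STOREPASS" -srcalias "$ALIAS" -srckeypass "$STOREPASS" \
        -destkeystore "$P12" -deststoretype pkcs12 -deststorepass "$STOREPASS" \
        -destalias "$ALIAS" -destkeypass "$STOREPASS" -noprompt
}

# Pull material out of the PKCS12 store with openssl. -nodes writes the key
# unencrypted, so umask 077 keeps the output file private. Older JDKs encrypt
# PKCS12 with RC2/3DES, which OpenSSL 3 only reads with -legacy; retry that way.
pkcs12_export() {  # $1 = "-nocerts" (key only) or "-nokeys" (cert only), $2 = output file
    ( umask 077
      openssl pkcs12 -in "$P12" -passin "pass:$STOREPASS" -nodes "$1" -out "$2" 2>/dev/null ||
      openssl pkcs12 -in "$P12" -passin "pass:$STOREPASS" -nodes "$1" -out "$2" -legacy 2>/dev/null )
}

sha256_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# The certificate's public key must equal the public key derived from the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$CERT_PEM" -noout -pubkey)" = \
      "$(openssl pkey -in "$KEY_PEM" -pubout)" ]
}

# A self-signed certificate has identical subject and issuer.
is_self_signed() {
    subj="$(openssl x509 -in "$1" -noout -subject)"
    iss="$(openssl x509 -in "$1" -noout -issuer)"
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Run every step in a throwaway directory; prints "ok" only if all checks pass.
run_demo() {
    DEMO_DIR="$(mktemp -d)"
    JKS="$DEMO_DIR/demo.jks"; P12="$DEMO_DIR/demo.p12"; PUB_CER="$DEMO_DIR/public.cer"
    KEY_PEM="$DEMO_DIR/private_key.pem"; CERT_PEM="$DEMO_DIR/cert.pem"
    gen_keypair >/dev/null 2>&1
    [ "$(count_alias "$JKS" JKS)" = 1 ]
    export_cert >/dev/null 2>&1
    migrate_to_pkcs12 >/dev/null 2>&1
    [ "$(count_alias "$P12" PKCS12)" = 1 ]
    pkcs12_export -nocerts "$KEY_PEM"
    pkcs12_export -nokeys "$CERT_PEM"
    [ "$(sha256_fingerprint "$PUB_CER")" = "$(sha256_fingerprint "$CERT_PEM")" ]
    key_matches_cert
    is_self_signed "$CERT_PEM"
    rm -rf "$DEMO_DIR"
    echo ok
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "keytool and openssl are required for this demo" >&2
fi
```

Save it as keytool_demo.sh and run sh keytool_demo.sh; it prints ok when every step and check succeeds and stops at the first failing step under set -e. The umask in pkcs12_export matters in real use too: private_key.pem from openssl pkcs12 -nodes holds the key in the clear, so it should never be world-readable.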
man keytool
or by firing keytool -help
In this keytool tutorial, we learned how to use keytool to generate a key pair, view the certificate in the keystore, migrate a JKS keystore to PKCS12, and use its other utility functions.