This is my first post about Java SSL and keystores.
First of all, a description of the different entry types in a Java keystore:
trustedCertEntry = a third party's certificate holding only the public key (certificates imported with the keytool -import command), either self-signed or signed by a known CA
PrivateKeyEntry = the system's own certificate with private and public key (certificate generated with the keytool -genkey command)
Example of keytool entries from a sample keystore:
keytool -list -keystore mykeystore.jks
3 entries:
external system1 - self signed cert
server1-udb, Jul 25, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 7B:93:06:E0:34:58:F4:75:27:FC:4C:E9:5C:9A:CB:79
my server certificate
myserver-conf, Jul 21, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 21:6F:79:85:14:43:83:0C:96:A0:66:1E:8D:A7:49:F3
CA - certificate
myrootca, Jul 21, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 5A:11:C7:CF:62:7C:3C:46:F4:4D:C3:38:BE:64:9C:7B
And the detailed view of the certificates:
keytool -list -v -keystore mykeystore.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
SELF SIGNED CERTIFICATE
Alias name: server1-udb
Creation date: Jul 25, 2011
Entry type: trustedCertEntry
Owner: CN=OtherCompany, OU=., O=., L=., ST=., C=IT
Issuer: CN=OtherCompany, OU=., O=., L=., ST=., C=IT
Serial number: 0
Valid from: Thu Jul 17 12:32:08 CEST 2008 until: Sun Jul 15 12:32:08 CEST 2018
Certificate fingerprints:
MD5: 7B:93:06:E0:34:58:F4:75:27:FC:4C:E9:5C:9A:CB:79
SHA1: 57:F1:9E:D8:E6:8C:E0:47:A1:39:83:BD:AA:4A:E8:71:55:4D:3A:DB
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
My SERVER CERTIFICATE (SIGNED By myrootCA)
Alias name: myserver-conf
Creation date: Jul 21, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=myserver-conf, OU=myOU, O=CompanyO, C=IT
Issuer: CN=Company, OU=myOU, O=myorg, C=IT
Serial number: 14a67
Valid from: Thu Jul 21 16:57:39 CEST 2011 until: Fri Jul 20 16:57:39 CEST 2012
Certificate fingerprints:
MD5: 21:6F:79:85:14:43:83:0C:96:A0:66:1E:8D:A7:49:F3
SHA1: 2F:70:2B:E8:8B:F1:D8:00:C6:45:71:9F:23:F7:30:08:92:87:B8:FE
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F9 10 15 9E A4 FB 1D ED D2 17 0F F7 61 02 86 03 ............a...
0010: C2 11 36 FC ..6.
]
]
#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://mywebL]
]]
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#5: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#6: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0B 5B 2F E9 D1 F6 BB F7 AA 6B E5 89 75 5C ED ED .[/......k..u\..
0010: A4 BD 26 23 ..&#
]
]
Certificate[2]:
Owner: CN=Company, OU=myOU, O=myorg, C=IT
Issuer: CN=Company, OU=myOU, O=myorg, C=IT
Serial number: 1
Valid from: Wed Jan 05 15:12:14 CET 2005 until: Mon Jan 05 15:10:44 CET 2015
Certificate fingerprints:
MD5: 46:9A:AA:1C:87:27:D4:D1:A2:F3:56:BB:4C:23:90:44
SHA1: 55:FC:92:81:39:8A:42:1F:DC:94:62:BF:7A:42:56:CC:44:1D:45:4F
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0B 5B 2F E9 D1 F6 BB F7 AA 6B E5 89 75 5C ED ED .[/......k..u\..
0010: A4 BD 26 23 ..&#
]
]
#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.76.12.1.1.4]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 23 68 74 74 70 73 3A 2F 2F 77 77 77 2E 74 69 .#https://www.ti
0010: 70 6B 69 2E 63 6F 6D 2F 50 72 69 76 61 74 65 43 pki.com/PrivateC
0020: 41 2F 43 50 53 A/CPS
]] ]
]
*******************************************
*******************************************
MY CA CERTIFICATE
Alias name: myrootca
Creation date: Jul 21, 2011
Entry type: trustedCertEntry
Owner: CN=Company, OU=myOU, O=myorg, C=IT
Issuer: CN=Company, OU=myOU, O=myorg, C=IT
Serial number: d9e97f4c4c1f581a
Valid from: Tue Nov 09 17:51:18 CET 2010 until: Fri Nov 06 17:51:18 CET 2020
Certificate fingerprints:
MD5: 5A:11:C7:CF:62:7C:3C:46:F4:4D:C3:38:BE:64:9C:7B
SHA1: 1C:2D:8C:4F:18:D5:6F:4B:24:0D:88:2C:12:8D:04:7D:29:8D:56:30
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D6 0C 73 BD A7 0B 47 01 98 F5 A8 1E 6A 73 73 EF ..s...G.....jss.
0010: F2 B1 E8 6C ...l
]
]
#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
Object Signing CA]
*******************************************
*******************************************
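As an added example (not code from the original post), a small Java program that opens a keystore like mykeystore.jks above and reports, for each alias, whether it is a trustedCertEntry or a PrivateKeyEntry, printing the SHA1 fingerprint that matches the keytool -list -v output together with a CA flag and current-validity check; the class name KeystoreAudit and the two command-line arguments (keystore path, store password) are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

// Added example, not from the original post: classifies every keystore alias
// as trustedCertEntry or PrivateKeyEntry and shows what keytool -list reports.
public class KeystoreAudit {
    // Hex fingerprint of the DER encoding, in the same form keytool prints
    static String fingerprint(Certificate cert, String algo) throws Exception {
        byte[] d = MessageDigest.getInstance(algo).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(i > 0 ? ":" : "").append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }
    static void describe(X509Certificate c, Date now) throws Exception {
        boolean valid = !now.before(c.getNotBefore()) && !now.after(c.getNotAfter());
        // getBasicConstraints() is -1 for end-entity certs, the path length for CAs
        System.out.printf("  Owner: %s%n  Issuer: %s%n  SHA1: %s%n  SHA256: %s%n  CA: %b  valid now: %b%n",
                c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                fingerprint(c, "SHA-1"), fingerprint(c, "SHA-256"),
                c.getBasicConstraints() != -1, valid);
    }
    public static void main(String[] args) throws Exception {
        // Assumed arguments: keystore path and store password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Date now = new Date();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                // PrivateKeyEntry: private key plus its certificate chain, leaf first
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.printf("%s: PrivateKeyEntry, chain length %d%n", alias, chain.length);
                for (Certificate c : chain) describe((X509Certificate) c, now);
            } else if (ks.isCertificateEntry(alias)) {
                // trustedCertEntry: public certificate only, no private key stored
                System.out.printf("%s: trustedCertEntry%n", alias);
                describe((X509Certificate) ks.getCertificate(alias), now);
            }
        }
    }
}
```

Run it as java KeystoreAudit mykeystore.jks <storepass>; the SHA256 line is what current keytool versions print in place of the MD5/SHA1 fingerprints shown in the listing above.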
Hi, can you tell me more clearly about the public key and private key?
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore2.jks -storepass password -validity 9360 -keysize 2048
What is your first and last name?
[Unknown]: CLARK
What is the name of your organizational unit?
[Unknown]: OO
What is the name of your organization?
[Unknown]: O
What is the name of your City or Locality?
[Unknown]: JUMO
What is the name of your State or Province?
[Unknown]: TU
What is the two-letter country code for this unit?
[Unknown]: PA
Is CN=clark, OU=OO, O=O, L=jumo, ST=TU, C=PA correct?
[no]: yes
Enter key password for <selfsigned>
(RETURN if same as keystore password):
From the above example, what is the PrivateKey and what is the PublicKey? Please explain which part belongs to the PrivateKey and which part belongs to the PublicKey in the above example.