Friday, 16 March 2012

Java keystore: PrivateKeyEntry vs trustedCertEntry

This is my first post about Java SSL and keystores.

First of all, a description of the different entry types in a Java keystore:

trustedCertEntry = a certificate you decide to trust, containing only a public key (no private key). Typically it is a third party's certificate, imported with the keytool -importcert command (-import in older releases); it can be self-signed or signed by a known CA. Your own CA certificate is stored the same way (see the myrootca entry below).

PrivateKeyEntry = the system's own key pair: the private key plus the certificate chain that carries the matching public key. It is created with the keytool -genkeypair command (-genkey in older releases). Right after generation the chain is a single self-signed certificate; once a CA-signed reply is imported under the same alias, the chain becomes leaf certificate plus issuer certificate(s), which is what the listing below shows.


Example of keytool entries from a sample keystore (the lines in parentheses are my annotations, not keytool output):

keytool -list -keystore mykeystore.jks
3 entries:
(external system1 - self-signed certificate)
server1-udb, Jul 25, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 7B:93:06:E0:34:58:F4:75:27:FC:4C:E9:5C:9A:CB:79
(my server certificate)
myserver-conf, Jul 21, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 21:6F:79:85:14:43:83:0C:96:A0:66:1E:8D:A7:49:F3
(my CA certificate)
myrootca, Jul 21, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 5A:11:C7:CF:62:7C:3C:46:F4:4D:C3:38:BE:64:9C:7B
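To see what keytool is actually listing, here is an added example (my own code, not part of the original post) that reads and writes the JKS container format with the Python standard library: a trustedCertEntry is stored as tag 2 with one certificate, a PrivateKeyEntry as tag 1 with a password-protected key blob and a certificate chain, and the whole store ends with a SHA-1 keyed by the store password. The three aliases mirror the listing above; the byte strings standing in for the DER certificates and the protected key are constructed placeholders, since JKS stores them opaquely.

```python
import hashlib
import hmac
import struct

MAGIC, VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY = 1   # PrivateKeyEntry: protected private key + certificate chain
TAG_TRUSTED_CERT = 2  # trustedCertEntry: one certificate, no private key


def _prekeyed_sha1(password):
    """JKS integrity hash: SHA-1 over password (UTF-16BE) + "Mighty Aphrodite" + store bytes."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(b"Mighty Aphrodite")
    return md


def _utf(s):
    """DataOutputStream.writeUTF: 2-byte big-endian length followed by UTF-8."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


class _Reader:
    """Cursor over a big-endian byte buffer, mirroring DataInputStream."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _unpack(self, fmt):
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value

    def u32(self):
        return self._unpack(">I")

    def u64(self):
        return self._unpack(">Q")

    def blob(self):
        n = self.u32()
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def utf(self):
        n = self._unpack(">H")
        self.pos += n
        return self.data[self.pos - n:self.pos].decode("utf-8")


def write_jks(entries, password, timestamp_ms=0):
    """Serialize entry dicts (same shape read_jks returns) into a JKS version-2 store."""
    out = bytearray(struct.pack(">III", MAGIC, VERSION, len(entries)))
    for e in entries:
        is_key = e["type"] == "PrivateKeyEntry"
        out += struct.pack(">I", TAG_PRIVATE_KEY if is_key else TAG_TRUSTED_CERT)
        out += _utf(e["alias"].lower()) + struct.pack(">Q", timestamp_ms)  # keytool lowercases aliases
        if is_key:
            out += struct.pack(">I", len(e["protected_key"])) + e["protected_key"]
            out += struct.pack(">I", len(e["chain"]))
            certs = e["chain"]
        else:
            certs = [e["cert"]]
        for der in certs:
            out += _utf("X.509") + struct.pack(">I", len(der)) + der
    md = _prekeyed_sha1(password)
    md.update(bytes(out))
    return bytes(out) + md.digest()  # the trailing 20 bytes are the only thing the store password protects


def read_jks(data, password):
    """Parse a JKS store; returns (entries, integrity_ok). Every entry is readable without
    the password, which only keys the trailing SHA-1."""
    r = _Reader(data)
    if r.u32() != MAGIC or r.u32() != VERSION:
        raise ValueError("not a JKS version-2 keystore")
    entries = []
    for _ in range(r.u32()):
        tag, alias, ts = r.u32(), r.utf(), r.u64()
        entry = {"alias": alias, "timestamp_ms": ts}
        if tag == TAG_PRIVATE_KEY:
            entry["type"] = "PrivateKeyEntry"
            entry["protected_key"] = r.blob()   # EncryptedPrivateKeyInfo produced by KeyProtector
            entry["chain"] = []
            for _ in range(r.u32()):
                r.utf()                          # certificate type, "X.509"
                entry["chain"].append(r.blob())
        elif tag == TAG_TRUSTED_CERT:
            entry["type"] = "trustedCertEntry"
            r.utf()
            entry["cert"] = r.blob()
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append(entry)
    md = _prekeyed_sha1(password)
    md.update(data[:r.pos])
    return entries, hmac.compare_digest(md.digest(), data[r.pos:r.pos + 20])


def list_entries(data):
    """The view `keytool -list` gives: (alias, entry type, number of certificates stored)."""
    entries, _ = read_jks(data, "")
    return [(e["alias"], e["type"], len(e["chain"]) if e["type"] == "PrivateKeyEntry" else 1)
            for e in entries]


# Constructed sample with the post's three aliases; the byte strings are placeholders, not DER.
SAMPLE_ENTRIES = [
    {"alias": "server1-udb", "type": "trustedCertEntry", "cert": b"OTHER-COMPANY-SELF-SIGNED-DER"},
    {"alias": "myserver-conf", "type": "PrivateKeyEntry",
     "protected_key": b"ENCRYPTED-PRIVATE-KEY-INFO", "chain": [b"LEAF-CERT-DER", b"ISSUING-CA-DER"]},
    {"alias": "myrootca", "type": "trustedCertEntry", "cert": b"ROOT-CA-DER"},
]
SAMPLE_STORE = write_jks(SAMPLE_ENTRIES, "changeit", timestamp_ms=1311235059000)  # ~Jul 21, 2011


def tampered(store, needle=b"ROOT-CA-DER"):
    """Flip one bit inside a certificate: the layout still parses, the integrity hash fails."""
    buf = bytearray(store)
    buf[store.index(needle)] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    for alias, kind, n in list_entries(SAMPLE_STORE):
        print("%-14s %-17s certificates: %d" % (alias, kind, n))
    print("integrity with right password:", read_jks(SAMPLE_STORE, "changeit")[1])
    print("integrity with wrong password:", read_jks(SAMPLE_STORE, "wrong")[1])
    print("integrity after tampering:    ", read_jks(tampered(SAMPLE_STORE), "changeit")[1])
```

Pointed at a real file (read_jks(open("mykeystore.jks", "rb").read(), "yourpass")) the same code lists a real store. Note what the store password does and does not do: every alias, certificate and chain is readable without it, and keytool -list with no password only warns that integrity was not verified; the password keys nothing but the trailing SHA-1, so keep the file's permissions tight regardless of the password.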

And the detailed view of the certificates (with -v keytool also prints the whole chain of a PrivateKeyEntry, with the extensions of each certificate):
keytool -list -v -keystore mykeystore.jks

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries

SELF-SIGNED CERTIFICATE (external system1)
Alias name: server1-udb
Creation date: Jul 25, 2011
Entry type: trustedCertEntry
Owner: CN=OtherCompany, OU=., O=., L=., ST=., C=IT
Issuer: CN=OtherCompany, OU=., O=., L=., ST=., C=IT
Serial number: 0
Valid from: Thu Jul 17 12:32:08 CEST 2008 until: Sun Jul 15 12:32:08 CEST 2018
Certificate fingerprints:
         MD5:  7B:93:06:E0:34:58:F4:75:27:FC:4C:E9:5C:9A:CB:79
         SHA1: 57:F1:9E:D8:E6:8C:E0:47:A1:39:83:BD:AA:4A:E8:71:55:4D:3A:DB
         Signature algorithm name: SHA1withRSA
         Version: 3

*******************************************
*******************************************

MY SERVER CERTIFICATE (signed by the Company CA; the issuing CA certificate is carried along with it as Certificate[2] of the chain)
Alias name: myserver-conf
Creation date: Jul 21, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=myserver-conf, OU=myOU, O=CompanyO, C=IT
Issuer: CN=Company, OU=myOU, O=myorg, C=IT
Serial number: 14a67
Valid from: Thu Jul 21 16:57:39 CEST 2011 until: Fri Jul 20 16:57:39 CEST 2012
Certificate fingerprints:
         MD5:  21:6F:79:85:14:43:83:0C:96:A0:66:1E:8D:A7:49:F3
         SHA1: 2F:70:2B:E8:8B:F1:D8:00:C6:45:71:9F:23:F7:30:08:92:87:B8:FE
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F9 10 15 9E A4 FB 1D ED   D2 17 0F F7 61 02 86 03  ............a...
0010: C2 11 36 FC                                        ..6.
]
]
#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://mywebL]
]]
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
#5: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
#6: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0B 5B 2F E9 D1 F6 BB F7   AA 6B E5 89 75 5C ED ED  .[/......k..u\..
0010: A4 BD 26 23                                        ..&#
]
]
Certificate[2]:
Owner: CN=Company, OU=myOU, O=myorg, C=IT
Issuer: CN=Company, OU=myOU, O=myorg, C=IT
Serial number: 1
Valid from: Wed Jan 05 15:12:14 CET 2005 until: Mon Jan 05 15:10:44 CET 2015
Certificate fingerprints:
         MD5:  46:9A:AA:1C:87:27:D4:D1:A2:F3:56:BB:4C:23:90:44
         SHA1: 55:FC:92:81:39:8A:42:1F:DC:94:62:BF:7A:42:56:CC:44:1D:45:4F
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0B 5B 2F E9 D1 F6 BB F7   AA 6B E5 89 75 5C ED ED  .[/......k..u\..
0010: A4 BD 26 23                                        ..&#
]
]
#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.76.12.1.1.4]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 23 68 74 74 70 73 3A   2F 2F 77 77 77 2E 74 69  .#https://www.ti
0010: 70 6B 69 2E 63 6F 6D 2F   50 72 69 76 61 74 65 43  pki.com/PrivateC
0020: 41 2F 43 50 53                                     A/CPS
]]  ]
]
*******************************************
*******************************************

MY CA CERTIFICATE (note: this entry has the same Subject DN as Certificate[2] in the chain above, but a different serial number and a different SubjectKeyIdentifier, so it holds a different CA key; the AuthorityKeyIdentifier of myserver-conf, 0B 5B 2F E9 ..., matches Certificate[2], not this entry, so this is not the certificate that issued myserver-conf. A matching DN alone proves nothing: always compare key identifiers or fingerprints.)
Alias name: myrootca
Creation date: Jul 21, 2011
Entry type: trustedCertEntry
Owner: CN=Company, OU=myOU, O=myorg, C=IT
Issuer: CN=Company, OU=myOU, O=myorg, C=IT
Serial number: d9e97f4c4c1f581a
Valid from: Tue Nov 09 17:51:18 CET 2010 until: Fri Nov 06 17:51:18 CET 2020
Certificate fingerprints:
         MD5:  5A:11:C7:CF:62:7C:3C:46:F4:4D:C3:38:BE:64:9C:7B
         SHA1: 1C:2D:8C:4F:18:D5:6F:4B:24:0D:88:2C:12:8D:04:7D:29:8D:56:30
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D6 0C 73 BD A7 0B 47 01   98 F5 A8 1E 6A 73 73 EF  ..s...G.....jss.
0010: F2 B1 E8 6C                                        ...l
]
]
#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
   Object Signing CA]

*******************************************
*******************************************
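The PrivateKeyEntry above stores the private key as an EncryptedPrivateKeyInfo whose algorithm OID is 1.3.6.1.4.1.42.2.17.1.1, the proprietary scheme of sun.security.provider.KeyProtector. As an added example (my own code, not from the original post or the JDK), here it is re-implemented with the standard library so the construction is visible: the key is XORed with a chain of SHA-1 digests derived from the key password and a 20-byte salt, and a SHA-1 of password plus plaintext is appended as the check value. The plaintext key bytes used in the demo are a constructed placeholder, not a real PKCS#8 key.

```python
import hashlib
import hmac
import os

KEY_PROTECTOR_OID = bytes.fromhex("2B060104012A02110101")  # 1.3.6.1.4.1.42.2.17.1.1
DIGEST_LEN = 20  # SHA-1 output, also the salt length


def _der(tag, body):
    """Minimal DER TLV encoder (definite lengths only)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return bytes([tag]) + length + body


def _der_read(buf, pos):
    """Decode one DER element at pos; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _keystream(password, salt, length):
    """digest_i = SHA1(password_utf16be || digest_{i-1}), starting from the salt; no iteration count."""
    pw = password.encode("utf-16-be")
    out, digest = b"", salt
    while len(out) < length:
        digest = hashlib.sha1(pw + digest).digest()
        out += digest
    return out[:length]


def protect(plain_key, password, salt=None):
    """EncryptedPrivateKeyInfo{ KeyProtector OID, salt || (plain XOR keystream) || SHA1(pw || plain) }."""
    salt = os.urandom(DIGEST_LEN) if salt is None else salt
    stream = _keystream(password, salt, len(plain_key))
    body = bytes(a ^ b for a, b in zip(plain_key, stream))
    check = hashlib.sha1(password.encode("utf-16-be") + plain_key).digest()
    alg = _der(0x30, _der(0x06, KEY_PROTECTOR_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x04, salt + body + check))


def unprotect(protected, password):
    """Inverse of protect(); raises ValueError if the check hash does not verify."""
    _, epki, _ = _der_read(protected, 0)
    tag, alg, pos = _der_read(epki, 0)
    _, oid, _ = _der_read(alg, 0)
    if tag != 0x30 or oid != KEY_PROTECTOR_OID:
        raise ValueError("not a JKS KeyProtector blob")
    _, blob, _ = _der_read(epki, pos)
    salt, body, check = blob[:DIGEST_LEN], blob[DIGEST_LEN:-DIGEST_LEN], blob[-DIGEST_LEN:]
    plain = bytes(a ^ b for a, b in zip(body, _keystream(password, salt, len(body))))
    expect = hashlib.sha1(password.encode("utf-16-be") + plain).digest()
    if not hmac.compare_digest(expect, check):
        raise ValueError("wrong password (or tampered key)")
    return plain


def password_is_right(protected, password):
    """True if the check hash verifies: one SHA-1 chain per guess is all an offline attacker pays."""
    try:
        unprotect(protected, password)
        return True
    except ValueError:
        return False


# Constructed placeholder for the PKCS#8 DER keytool would store; not a real key.
SAMPLE_PLAIN_KEY = b"PKCS8-PRIVATE-KEY-DER-PLACEHOLDER-" * 4
SAMPLE_SALT = bytes(range(DIGEST_LEN))  # fixed so the demo is reproducible
SAMPLE_PROTECTED = protect(SAMPLE_PLAIN_KEY, "changeit", salt=SAMPLE_SALT)

if __name__ == "__main__":
    print("protected blob:", SAMPLE_PROTECTED.hex())
    print("recovered with 'changeit':", unprotect(SAMPLE_PROTECTED, "changeit") == SAMPLE_PLAIN_KEY)
    print("accepts 'wrong'?", password_is_right(SAMPLE_PROTECTED, "wrong"))
```

This is the part of a PrivateKeyEntry that the key password (keypass) covers; the certificate chain next to it is stored in clear, as the previous example shows. The scheme is a SHA-1 keystream XOR with a single hash per 20 bytes and no work factor, so a weak keypass can be brute-forced offline quickly once the keystore file is obtained; that is one reason JDK 9 made PKCS12 the default keystore type.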

1 comment:

  1. Hi, can you tell me more clearly about the public key and private key?
    >keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore2.jks -storepass password -validity 9360 -keysize 2048

    What is your first and last name?
    [Unknown]: CLARK
    What is the name of your organizational unit?
    [Unknown]: OO
    What is the name of your organization?
    [Unknown]: O
    What is the name of your City or Locality?
    [Unknown]: JUMO
    What is the name of your State or Province?
    [Unknown]: TU
    What is the two-letter country code for this unit?
    [Unknown]: PA
    Is CN=clark, OU=OO, O=O, L=jumo, ST=TU, C=PA correct?
    [no]: yes

    Enter key password for
    (RETURN if same as keystore password):

    From the above example, what is the PrivateKey and what is the PublicKey? Please explain which part belongs to the PrivateKey and which part belongs to the PublicKey in the above example.
