keytool:
Manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.
Reference:
- How to create a certificate chain using keytool?
- keytool
- KeyStore
- JKS
- To Generate a Certificate by Using keytool
Keystore:
A KeyStore manages different types of entries. Each type of entry implements the KeyStore.Entry interface. Three basic KeyStore.Entry implementations are provided:
1. KeyStore.PrivateKeyEntry:
This type of entry holds a cryptographic PrivateKey, which is optionally stored in a protected format to prevent unauthorized access. It is also accompanied by a certificate chain for the corresponding public key.
Private keys and certificate chains are used by a given entity for self-authentication. Applications for this authentication include software distribution organizations which sign JAR files as part of releasing and/or licensing software.
Its constructor builds a PrivateKeyEntry from a PrivateKey and the corresponding certificate chain.
2. KeyStore.SecretKeyEntry:
This type of entry holds a cryptographic SecretKey, which is optionally stored in a protected format to prevent unauthorized access.
Its constructor builds a SecretKeyEntry from a SecretKey.
3. KeyStore.TrustedCertificateEntry:
This type of entry contains a single public key Certificate belonging to another party. It is called a trusted certificate because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the subject (owner) of the certificate.
Its constructor builds a TrustedCertificateEntry from a trusted Certificate.
JKS:
This is an implementation of Sun's proprietary key store algorithm, called "JKS" for "Java Key Store". This implementation was created entirely through reverse-engineering.
The format of JKS files is, from the start of the file:
1. Magic bytes. This is a four-byte integer, in big-endian byte order, equal to 0xFEEDFEED.
2. The version number (probably), as a four-byte integer (all multibyte integral types are in big-endian byte order). The current version number (in modern distributions of the JDK) is 2.
3. The number of entries in this keystore, as a four-byte integer. Call this value n.
4. Then, n times:
a. The entry type, a four-byte int. The value 1 denotes a private key entry, and 2 denotes a trusted certificate.
b. The entry's alias, formatted as strings such as those written by DataOutput.writeUTF(String).
c. An eight-byte integer, representing the entry's creation date, in milliseconds since the epoch.
Then, if the entry is a private key entry:
I. The size of the encoded key as a four-byte int, then that number of bytes. The encoded key is the DER encoded bytes of the EncryptedPrivateKeyInfo structure (the encryption algorithm is discussed later).
II. A four-byte integer giving the number of certificates in the chain, followed by that many certificates, each encoded as described for trusted certificates below.
Otherwise, the entry is a trusted certificate, which is encoded as the name of the encoding algorithm (e.g. X.509), encoded the same way as alias names. Then, a four-byte integer representing the size of the encoded certificate, then that many bytes representing the encoded certificate (e.g. the DER bytes in the case of X.509).
5. Then, the signature.
Example:
...
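A parser for the JKS layout described above, written in Python as an added example; it is not code from these notes, from the JDK or from keytool. It serialises two constructed entries (with placeholder DER bytes, not real certificates or keys) into the JKS layout, reads them back while bounds-checking every length field, and verifies the trailing signature. The notes do not spell out how the signature is computed; the example uses the construction in OpenJDK's JavaKeyStore implementation, SHA-1 over the password as UTF-16BE, the literal string "Mighty Aphrodite" and the file body, which is a fact about that implementation rather than something stated on this page.

```python
import hashlib
import hmac
import struct

MAGIC = 0xFEEDFEED
VERSION = 2
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
DIGEST_LEN = 20  # SHA-1 output length

# Not stated in the notes above: OpenJDK's JavaKeyStore computes the trailing
# "signature" as SHA-1(password as UTF-16BE || "Mighty Aphrodite" || file body).
KEYED_HASH_SALT = b"Mighty Aphrodite"

# Constructed placeholders, not real certificates or keys: minimal DER SEQUENCEs
# stand in for an X.509 certificate and for an EncryptedPrivateKeyInfo blob.
FAKE_CERT_DER = bytes.fromhex("3003020101")
FAKE_ENC_KEY = bytes.fromhex("30050203010203")
SAMPLE_ENTRIES = [
    {"type": TRUSTED_CERT_ENTRY, "alias": "rootca", "created_ms": 1_700_000_000_000,
     "cert": ("X.509", FAKE_CERT_DER)},
    {"type": PRIVATE_KEY_ENTRY, "alias": "server", "created_ms": 1_700_000_000_001,
     "encrypted_key": FAKE_ENC_KEY,
     "chain": [("X.509", FAKE_CERT_DER), ("X.509", FAKE_CERT_DER)]},
]


def write_utf(s):
    """DataOutput.writeUTF: 2-byte big-endian length, then the string bytes
    (Java's modified UTF-8; plain UTF-8 is identical for ASCII aliases)."""
    raw = s.encode("utf-8")
    if len(raw) > 0xFFFF:
        raise ValueError("string too long for writeUTF")
    return struct.pack(">H", len(raw)) + raw


def _integrity_digest(password, body):
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(KEYED_HASH_SALT)
    h.update(body)
    return h.digest()


def build_jks(entries, password):
    """Serialise entry dicts (shape as in SAMPLE_ENTRIES) into JKS bytes, digest included."""
    body = bytearray(struct.pack(">IIi", MAGIC, VERSION, len(entries)))
    for e in entries:
        body += struct.pack(">i", e["type"]) + write_utf(e["alias"]) + struct.pack(">q", e["created_ms"])
        if e["type"] == PRIVATE_KEY_ENTRY:
            body += struct.pack(">i", len(e["encrypted_key"])) + e["encrypted_key"]
            body += struct.pack(">i", len(e["chain"]))
            for cert_type, der in e["chain"]:
                body += write_utf(cert_type) + struct.pack(">i", len(der)) + der
        elif e["type"] == TRUSTED_CERT_ENTRY:
            cert_type, der = e["cert"]
            body += write_utf(cert_type) + struct.pack(">i", len(der)) + der
        else:
            raise ValueError(f"unknown entry type {e['type']}")
    return bytes(body) + _integrity_digest(password, bytes(body))


class _Reader:
    """Cursor over the file; every length field is checked against the data actually present."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError(f"length {n} at offset {self.pos} runs past end of file")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def i32(self):
        return struct.unpack(">i", self.take(4))[0]

    def i64(self):
        return struct.unpack(">q", self.take(8))[0]

    def utf(self):
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

    def blob(self):
        return self.take(self.i32())


def parse_jks(data, password=None):
    """Return (entries, integrity_ok); integrity_ok is None when no password is supplied."""
    r = _Reader(data)
    if struct.unpack(">I", r.take(4))[0] != MAGIC:
        raise ValueError("not a JKS file (bad magic)")
    version = r.i32()
    if version not in (1, 2):
        raise ValueError(f"unsupported JKS version {version}")
    count = r.i32()
    if count < 0:
        raise ValueError("negative entry count")
    entries = []
    for _ in range(count):
        entry = {"type": r.i32(), "alias": r.utf(), "created_ms": r.i64()}
        if entry["type"] == PRIVATE_KEY_ENTRY:
            entry["encrypted_key"] = r.blob()
            entry["chain"] = [(r.utf(), r.blob()) for _ in range(r.i32())]
        elif entry["type"] == TRUSTED_CERT_ENTRY:
            entry["cert"] = (r.utf(), r.blob())
        else:
            raise ValueError(f"unknown entry type {entry['type']}")
        entries.append(entry)
    body, stored = data[:r.pos], r.take(DIGEST_LEN)
    if r.pos != len(data):
        raise ValueError("trailing bytes after the signature")
    ok = None if password is None else hmac.compare_digest(stored, _integrity_digest(password, body))
    return entries, ok


if __name__ == "__main__":
    blob = build_jks(SAMPLE_ENTRIES, "changeit")
    parsed, intact = parse_jks(blob, "changeit")
    for e in parsed:
        print(e["type"], e["alias"], e["created_ms"])
    print("integrity ok:", intact)
```

A matching digest only shows that the file was last written by something holding the password: it is a keyed hash, not a signature over a secret key, so it offers no protection against anyone who knows that password, and the private keys inside are only as safe as the entry-level encryption mentioned in the notes. The bounds checks in `_Reader` are the part to keep in any tool that opens keystores from untrusted sources, since a forged entry count or length field would otherwise drive a read or allocation past the end of the data.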