Cryptography Tutorials - Herong's Tutorial Examples - Version 5.36, by Dr. Herong Yang
"keytool" Importing CA's Own Certificate
This section provides a tutorial example on how to import CA's certificate generated by 'OpenSSL' into a 'keystore' file using 'keytool'
When Maria receives my CA self-signed public key certificate file, she needs to imported it into her keystore file with the "keytool -importcert" command as shown below:
>keytool -importcert -alias herong_crt -keypass keypass -file herong.crt -keystore maria.jks -storepass jkspass Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, O=HY Company, L=HY City, ST=HY State, C=HY Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, O=HY Company, L=HY City, ST=HY State, C=HY Serial number: 0 Valid from: Sun Apr 1:42:10 EDT 2007 until: Wed Mar 29 23:42:10 EDT 2017 Certificate fingerprints: MD5: 2D:95:8D:5F:0F:4A:9B:CC:A2:69:61:F6:22:AE... SHA1: 1F:BB:C7:78:97:AC:C8:BF:7B:A4:88:DF:B5:62... Signature algorithm name: MD5withRSA Version: 3 Extensions: #1: ObjectId: 220.127.116.11 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ ... [EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, O=HY Company, L=HY City, ST=HY State, C=HY] SerialNumber: [ 00] ] Trust this certificate? [no]: yes Certificate was added to keystore
Notes on what Maria did:
Want to see if the certificate was imported correctly or not? Try this "keytool -list" command:
>keytool -list -keystore maria.jks -storepass jkspass Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries maria_key, Apr 1, 2007, PrivateKeyEntry, Certificate fingerprint (MD5): 54:5A:E8:77:30:82:B4:EB:C... herong_crt, Apr 1, 2007, trustedCertEntry, Certificate fingerprint (MD5): C1:6C:FE:38:F7:0F:71:23:3...
As we can see, my CA certificate was imported ok and stored as a "trustedCertEntry". So certificates generated by "OpenSSL" is compatible with "keytool" certificate format.
If Maria made a mistake when import my certificate, she could use this command to delete my certificate from her keystore file:
>keytool -delete -alias herong_crt -keystore maria.jks -storepass jkspass
Now Maria is ready to import her own public key certificate signed by me as described in the next section.
Last update: 2013.
Table of Contents