Java Tool Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.12, 2006

JCA - Certificates, 'keytool' and 'keystore'


This chapter describes some parts of the JCA (Java Cryptography Architecture), which has been included in the JDK since version 1.1:

  • What is a certificate and a certificate chain?
  • What is "keystore"?
  • What are the functions offered by "keytool"?
  • Examples of using "keytool".

Certificates and Certificate Chains

Certificate: A digitally signed statement from the issuer saying that the public key of the subject has some specific value.

The above definition is copied from the JDK 1.3.1 documentation. It has a couple of important terms:

  • "signed statement" - The certificate must be signed by the issuer with a digital signature.
  • "issuer" - The person or organization who is issuing this certificate.
  • "public key" - The public key of a key pair selected by the subject.
  • "subject" - The person or organization who owns the public key.

X.509 Certificate - A certificate written in the X.509 standard format. The X.509 standard was introduced in 1988. It requires a certificate to have the following information:

  • Version - X.509 standard version number.
  • Serial Number - A sequence number given to each certificate.
  • Signature Algorithm Identifier - Name of the algorithm used by the issuer to sign this certificate.
  • Issuer Name - Name of the issuer.
  • Validity Period - Period during which this certificate is valid.
  • Subject Name - Name of the owner of the public key.
  • Subject Public Key Information - The public key and its related information.

How can you get a certificate for your own public key?

  • Requesting it from a Certificate Authority (CA), like VeriSign, Thawte or Entrust.
  • Doing it yourself - using tools like JDK "keytool" to generate a self-signed certificate.

Certificate Chain: A series of certificates in which each certificate certifies the public key that the issuer of the next certificate used to sign it. Usually the top certificate (the first certificate) is self-signed, meaning the issuer signed its own public key.

What is "keystore"?

"keystore" - A database used by the JDK "keytool" command and the KeyStore class to store your own private keys, and the public key certificates you received from someone else. "keystore" supports the following features:

  • Two types of entries: key entries for private keys and certificate entries for public key certificates.
  • A key entry contains the private key and a certificate chain of the corresponding public key.
  • Every entry has a unique alias name.
  • Key entries are protected by separate passwords.
  • "keystore" may have different implementations from different security package providers. The default implementation from Sun is called JKS.
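As an added example (not part of the original tutorial), the following Java program uses the KeyStore class to list the key entries and certificate entries of a JKS keystore, and for each key entry checks the certificate chain in the way described above, verifying each certificate's signature with the public key of the next certificate and expecting the last one to be self-signed. The class name KeyStoreWalker and the command-line arguments are my assumptions; the keystore file is assumed to have been created with "keytool".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Usage (assumed): java KeyStoreWalker <keystore-file> <keystore-password>
public class KeyStoreWalker {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("Usage: java KeyStoreWalker <keystore-file> <keystore-password>");
            System.exit(1);
        }
        KeyStore ks = KeyStore.getInstance("JKS");   // Sun's default keystore implementation
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());      // the password also checks keystore integrity
        }
        Enumeration<String> aliases = ks.aliases();  // every entry has a unique alias
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                // Key entry: private key plus the certificate chain of its public key.
                // JCA orders the chain leaf-first: chain[0] is the subject's own certificate
                // and the last element is normally the self-signed top certificate.
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("key entry: " + alias + " (" + chain.length + " certificate(s))");
                checkChain(chain);
            } else if (ks.isCertificateEntry(alias)) {
                // Certificate entry: a trusted public key certificate received from someone else.
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("certificate entry: " + alias + " subject=" + c.getSubjectX500Principal());
            }
        }
    }

    // Verifies each certificate's signature with the public key of the next (issuer) certificate.
    static void checkChain(Certificate[] chain) throws Exception {
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            cert.checkValidity();                    // throws if outside the validity period
            if (i + 1 < chain.length) {
                cert.verify(((X509Certificate) chain[i + 1]).getPublicKey()); // throws on a bad signature
            } else if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                cert.verify(cert.getPublicKey());    // top certificate: issuer signed its own public key
            } else {
                System.out.println("  last certificate is not self-signed; its issuer must be a trusted certificate entry");
                return;
            }
            System.out.println("  [" + i + "] " + cert.getSubjectX500Principal() + " issued by "
                + cert.getIssuerX500Principal() + " : signature OK");
        }
    }
}
```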
