"keytool -genkeypair" - Generate Key with Self-Signed Certificate

This section provides a tutorial example on how to use the 'keytool -genkeypair' command to generate a new pair of keys with a self-signed certificate in a new KeyStore file.

In the first tutorial, I want to try the "-genkeypair" command option:

herong$ keytool -genkeypair -keyalg ec -alias my_home \
  -keystore herong.jks -storepass HerongJKS

What is your first and last name?
  [Unknown]:  Herong Yang
What is the name of your organizational unit?
  [Unknown]:  .
What is the name of your organization?
  [Unknown]:  My Home
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is <CN=Herong Yang, O=My Home, L=My City, ST=My State,
   C=US> correct?
  [no]:  yes

Generating 384 bit EC (secp384r1) key pair and self-signed 
certificate (SHA384withECDSA) with a validity of 90 days for: 
CN=Herong Yang, O=My Home, L=My City, ST=My State, C=US

Based on the documentation, the above example command should do the following for me:

Note that newer versions of "keytool" use PKCS12 as the default file format. When using the PKCS12 file format, "keytool" will encrypt the key pair with the same password as the KeyStore file.

When using the JKS file format, it will prompt you to enter a password to encrypt the new key pair. This allows the key pair to be protected with a different password than the KeyStore file.

herong$ keytool -genkeypair -keyalg ec -alias my_home \
  -keystore herong-jks.jks -storepass HerongJKS -storetype JKS

...
Enter key password for <my_home>
        (RETURN if same as keystore password):  My1stKey

The following command shows that we do have a key entry in the keystore file:

herong$ keytool -list -keystore herong.jks -storepass HerongJKS

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

my_home, Jul 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 72:23:53:A2:C7:1B:7C:65:DE:0A:...
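The same "-genkeypair" command run without the interactive prompts, followed by a check of the "keytool -list" output, as an added example that is not part of the original tutorial. The keystore path, alias, passwords, distinguished name and the sample "-list" text are constructed from the values shown above; the "-dname", "-validity", "-keysize" and "-keypass" options are standard keytool options.

```shell
# Added example, not from the original tutorial: the -genkeypair command above
# run without prompts, and a check of "keytool -list" output (values as above).

# Generate an EC P-384 key pair plus self-signed certificate non-interactively:
# -dname supplies the subject, -validity the lifetime in days (90, as above).
# Args: keystore file, store type (PKCS12 or JKS), store password, key password.
# PKCS12 keeps key and store password equal (keytool ignores -keypass with a
# warning), so -keypass is only passed for JKS.
gen_keypair() {
  ks=$1; ks_type=$2; storepass=$3; keypass=$4
  set -- -genkeypair -keyalg ec -keysize 384 -sigalg SHA384withECDSA \
    -alias my_home -validity 90 \
    -dname "CN=Herong Yang, O=My Home, L=My City, ST=My State, C=US" \
    -keystore "$ks" -storetype "$ks_type" -storepass "$storepass"
  if [ "$ks_type" = JKS ]; then
    set -- "$@" -keypass "$keypass"
  fi
  keytool "$@"
}

# Read "keytool -list" output on stdin: confirm the store type and that the
# alias is a PrivateKeyEntry (a key pair, not just a trusted certificate).
check_list_output() {
  entry=$1; want_type=$2
  out=$(cat)
  got_type=$(printf '%s\n' "$out" | sed -n 's/^Keystore type: //p')
  if [ "$got_type" != "$want_type" ]; then
    echo "keystore type is '$got_type', expected $want_type" >&2; return 1
  fi
  if ! printf '%s\n' "$out" | grep -q "^$entry, .*PrivateKeyEntry"; then
    echo "alias '$entry' is not a PrivateKeyEntry" >&2; return 1
  fi
  echo ok
}
# Constructed copy of the -list output shown above, so the check runs offline.
SAMPLE_LIST='Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
my_home, Jul 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 72:23:53:A2:C7:1B:7C:65:DE:0A:...'

if command -v keytool >/dev/null 2>&1; then
  dir=$(mktemp -d)   # scratch dir so an existing herong.jks is left alone
  gen_keypair "$dir/herong.jks" PKCS12 HerongJKS '' &&
    keytool -list -keystore "$dir/herong.jks" -storepass HerongJKS |
    check_list_output my_home PKCS12
else
  printf '%s\n' "$SAMPLE_LIST" | check_list_output my_home PKCS12
fi
```

Passing a JKS store type with a key password of its own ("gen_keypair herong-jks.jks JKS HerongJKS My1stKey") reproduces the second command above without the "Enter key password" prompt.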

Note that the "-genkeypair" command option used to be called "-genkey", which is still valid in JDK 21:

herong$ keytool -genkey -help
keytool -genkeypair [OPTION]...

Generates a key pair
...
