JCA - Certificates, 'keytool' and 'keystore'
This chapter describes some parts of the JCA (Java Cryptography Architecture),
which has been included in the JDK since version 1.1:
- What is a certificate and a certificate chain?
- What is "keystore"?
- What are the functions offered by "keytool"?
- Examples of using "keytool".
Certificates and Certificate Chains
Certificate: A digitally signed statement from the issuer saying
that the public key of the subject has some specific value.
The above definition is copied from the JDK 1.3.1 documentation. It has
a couple of important terms:
- "signed statement" - The certificate must be signed by the issuer with
a digital signature.
- "issuer" - The person or organization who is issuing this certificate.
- "public key" - The public key of a key pair selected by the subject.
- "subject" - The person or organization who owns the public key.
X.509 Certificate - A certificate written in the X.509 standard format.
The X.509 standard was introduced in 1988. It requires a certificate to carry
the following information:
- Version - X.509 standard version number.
- Serial Number - A sequence number given to each certificate.
- Signature Algorithm Identifier - Name of the algorithm the issuer used
to sign this certificate.
- Issuer Name - Name of the issuer.
- Validity Period - Period during which this certificate is valid.
- Subject Name - Name of the owner of the public key.
- Subject Public Key Information - The public key and its related information.
How can you get a certificate for your own public key?
- Request it from a Certificate Authority (CA), such as VeriSign, Thawte or Entrust.
- Do it yourself, using a tool like the JDK "keytool" to generate a self-signed certificate.
Certificate Chain: A series of certificates in which each certificate is signed
by the key whose public half is certified by the certificate above it, so the
issuer of each certificate is the subject of the one above it. Usually the top
certificate (the first certificate) is self-signed, meaning the issuer has signed
its own public key.
What is "keystore"?
"keystore" - A database used by the JDK "keytool" command and the KeyStore class to store your own private keys
and the public key certificates you have received from others. "keystore" supports
the following features:
- Two types of entries: key entries for private keys and certificate entries for
public key certificates.
- A key entry contains the private key and a certificate chain of the corresponding
public key.
- Every entry has a unique alias name.
- Key entries are protected by separate passwords.
- "keystore" may have different implementations from different security package providers.
The default implementation from Sun is called JKS.
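The program below is an added example, not code from the original page, showing the features just listed through the KeyStore class: it opens a JKS keystore, walks the aliases, tells key entries apart from certificate entries, prints the certificate chain stored with each key entry, and tries to recover each private key with a key password that is separate from the store password. The class name and the command-line usage are assumptions of this example; when no key password is given, it falls back to the store password, which is what keytool uses by default.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example (not part of the original page). Lists the entries of a JKS
 * keystore, separating key entries (private key plus certificate chain) from
 * certificate entries (someone else's public key certificate).
 *
 * usage: java KeyStoreEntries <keystore-file> <store-password> [<key-password>]
 */
public class KeyStoreEntries {

    static void listEntries(KeyStore ks, char[] keyPassword) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement(); // every entry has a unique alias
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                int length = (chain == null) ? 0 : chain.length;
                System.out.println(alias + ": key entry, certificate chain of length " + length);
                for (int i = 0; i < length; i++) {
                    X509Certificate c = (X509Certificate) chain[i];
                    System.out.println("    #" + i + " subject: " + c.getSubjectX500Principal());
                    System.out.println("       issuer : " + c.getIssuerX500Principal());
                }
                // Key entries are protected by their own password, independent of
                // the store password used to open the keystore.
                try {
                    Key key = ks.getKey(alias, keyPassword);
                    System.out.println("    private key: " + key.getAlgorithm() + " (key password accepted)");
                } catch (UnrecoverableKeyException e) {
                    System.out.println("    private key: cannot be recovered with the given key password");
                }
            } else if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + ": certificate entry, subject " + c.getSubjectX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeyStoreEntries <keystore-file> <store-password> [<key-password>]");
            System.exit(2);
        }
        char[] storePassword = args[1].toCharArray();
        // keytool uses the store password as the key password unless told otherwise
        char[] keyPassword = (args.length > 2 ? args[2] : args[1]).toCharArray();

        // "JKS" is the default keystore type from Sun; other providers register other types.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePassword); // a wrong store password fails here with an IOException
        }
        System.out.println("Keystore type " + ks.getType() + " with " + ks.size() + " entries");
        listEntries(ks, keyPassword);
    }
}
```

Because the store password and each key password are checked separately, a keystore can be opened and its certificate entries read by anyone who knows the store password, while the private keys stay protected by their own passwords; this is why the program reports a key entry even when recovering its private key fails.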
(Continued on next part...)