NAME
keytool - manage private keys and public certificates
SYNOPSIS
keytool [COMMAND]...
DESCRIPTION
A Java-based tool for managing both Key Entries and Trusted
Certificates.
Multiple COMMANDs may be specified at once, each complete with its own
options. keytool will parse all the arguments, before processing, and
executing, each COMMAND. If an exception occurs while executing one
COMMAND keytool will abort.
A COMMAND can be one of the following:
-genkey [OPTION]...
Generate a new Key Entry, eventually creating a new key store.
-import [OPTION]...
Add, to a key store, Key Entries (private keys and certificate
chains authenticating the public keys) and Trusted Certificates
(3rd party certificates which can be used as Trust anchors when
building chains-of-trust).
-selfcert [OPTION]...
Generate a new self-signed Trusted Certificate.
-identitydb [OPTION]...
NOT IMPLEMENTED YET.
Import a JDK 1.1 style Identity Database.
-certreq [OPTION]...
Issue a Certificate Signing Request (CSR) which can be then sent
to a Certification Authority (CA) to issue a certificate signed
(by the CA) and authenticating the Subject of the request.
-export [OPTION]...
Export a Certificate from a key store.
-list [OPTION]...
Print one or all Certificates in a key store to STDOUT.
-printcert [OPTION]...
Print a human-readable form of a Certificate in a designated
file to STDOUT.
-keyclone [OPTION]...
Clone a Key Entry in a key store.
-storepasswd [OPTION]...
Change the password protecting a key store.
-keypasswd [OPTION]...
Change the password protecting a Key Entry in a key store.
-delete [OPTION]...
Delete a Key Entry or a Trusted Certificate from a key store.
-help Display this text.
OPTIONS COMMON TO MORE THAN ONE COMMAND
The following OPTIONs are used in more than one COMMAND. They are
described here to reduce redundancy.
-alias ALIAS
Every entry, be it a Key Entry or a Trusted Certificate, in a
key store is uniquely identified by a user-defined Alias string.
Use this option to specify the Alias to use when referring to an
entry in the key store. Unless specified otherwise, a default
value of "mykey" (all lower case, without the enclosing quotes)
shall be used when this option is omitted from the command line.
-keyalg ALGORITHM
Use this option to specify the canonical name of the key-pair
generation algorithm. The default value for this option is
"DSS" (a synonym for the Digital Signature Algorithm also known
as DSA).
-keysize SIZE
Use this option to specify the number of bits of the shared
modulus (for both the public and private keys) to use when
generating new keys. A default value of 1024 will be used if
this option is omitted from the command line.
-validity DAY_COUNT
Use this option to specify the number of days a newly generated
certificate will be valid for. The default value is 90 (days)
if this option is omitted from the command line.
-storetype STORE_TYPE
Use this option to specify the type of the key store to use.
The default value, if this option is omitted, is that of the
property "keystore.type" in the security properties file, which
is obtained by invoking the static method call getDefaultType()
in java.security.KeyStore.
-storepass PASSWORD
Use this option to specify the password protecting the key
store. If this option is omitted from the command line, you
will be prompted to provide a password.
-keystore URL
Use this option to specify the location of the key store to use.
The default value is a file URL referencing the file named
".keystore" (all lower case and without the enclosing quotes)
located in the path returned by the call to
java.lang.System#getProperty(String) using "user.home" as
argument.
If a URL was specified, but was found to be malformed --e.g.
missing protocol element-- the tool will attempt to use the URL
value as a file-name (with absolute or relative path-name) of a
key store --as if the protocol was "file:".
-provider PROVIDER_CLASS_NAME
A fully qualified class name of a Security Provider to add to
the current list of Security Providers already installed in the
JVM in-use. If a provider class is specified with this option,
and was successfully added to the runtime --i.e. it was not
already installed-- then the tool will attempt to remove this
Security Provider before exiting.
-file FILE_NAME
Use this option to designate a file to use with a command. When
specified with this option, the value is expected to be the
fully qualified path of a file accessible by the File System.
Depending on the command, the file may be used as input or as
output. When this option is omitted from the command line,
STDIN will be used instead, as the source of input, and STDOUT
will be used instead as the output destination.
-v Unless specified otherwise, use this option to enable more
verbose output.
X.500 DISTINGUISHED NAME
A Distinguished Name (or DN) MUST be supplied with some of the COMMANDs
using a -dname option. The syntax of a valid value for this option MUST
follow RFC-2253 specifications. Namely the following components (with
their accepted meaning) will be recognized. Note that the component
name is case-insensitive:
CN The Common Name; e.g. "host.domain.com"
OU The Organizational Unit; e.g. "IT Department"
O The Organization Name; e.g. "The Sample Company"
L The Locality Name; e.g. "Sydney"
ST The State Name; e.g. "New South Wales"
C The 2-letter Country identifier; e.g. "AU"
When specified with a -dname option, each pair of component/value will
be separated from the other with a comma. Each component and value pair
MUST be separated by an equal sign. For example, the following is
a valid DN value:
CN=host.domain.com, O=The Sample Company, L=Sydney, ST=NSW, C=AU
If the Distinguished Name is required, and no valid default value can be
used, the tool will prompt you to enter the information through the
console.
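Example code added for this man page (not part of GNU Classpath keytool): a parser for the RFC-2253 string form that -dname accepts, covering the six components listed above plus the RFC-2253 escaping rules the page does not spell out (backslash escapes, "\xx" hex escapes and double-quoted values).

```python
"""Parse an X.500 Distinguished Name in RFC 2253 string form, e.g.

    CN=host.domain.com, O=The Sample Company, L=Sydney, ST=NSW, C=AU

Added example, not part of keytool. Component names are matched
case-insensitively, as the man page states; only the six components the
man page lists are accepted.
"""
from typing import List, Tuple

KNOWN_COMPONENTS = {"CN", "OU", "O", "L", "ST", "C"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(COMPONENT, value), ...] in the order written; raise ValueError on bad input."""
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(dn)
    while i < n:
        # Attribute type: everything up to the '=' separator (RFC 2253 2.3).
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' after position {i}")
        name = dn[i:eq].strip().upper()
        if name not in KNOWN_COMPONENTS:
            raise ValueError(f"unknown component {name!r}")
        i = eq + 1
        while i < n and dn[i] == " ":      # unescaped leading spaces are not significant
            i += 1
        value: List[str] = []
        quoted = False
        trailing_spaces = 0                # unescaped trailing spaces to drop
        while i < n:
            ch = dn[i]
            if ch == "\\" and i + 1 < n:   # backslash escape (RFC 2253 2.4)
                hexpair = dn[i + 1:i + 3]
                if len(hexpair) == 2 and set(hexpair) <= HEX_DIGITS:
                    value.append(chr(int(hexpair, 16)))   # "\2C" -> ","
                    i += 3
                else:
                    value.append(dn[i + 1])                # "\," -> ","
                    i += 2
                trailing_spaces = 0
                continue
            if ch == '"':                  # quoted value: ',' inside is literal
                quoted = not quoted
                i += 1
                continue
            if ch == "," and not quoted:   # end of this component/value pair
                break
            value.append(ch)
            trailing_spaces = trailing_spaces + 1 if ch == " " else 0
            i += 1
        if quoted:
            raise ValueError("unterminated quoted value")
        if trailing_spaces:
            value = value[:-trailing_spaces]
        pairs.append((name, "".join(value)))
        if i < n:                          # skip the ',' separator
            i += 1
    if not pairs:
        raise ValueError("empty Distinguished Name")
    return pairs


def is_valid_dn(dn: str) -> bool:
    """True if `dn` would be accepted by parse_dn."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False
```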
-genkey COMMAND
Generate a new key-pair (both private and public keys), and save these
credentials in the key store as a Key Entry, associated with the
designated Alias (if specified with the -alias option) or the default
Alias (if the -alias option is omitted).
The private key material will be protected with a user-defined password
(see -keypass option). The public key on the other hand will be part
of a self-signed X.509 certificate, which will form a 1-element chain
and will be saved in the key store.
-alias ALIAS
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keyalg ALGORITHM
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keysize KEY_SIZE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-sigalg ALGORITHM
The canonical name of the digital signature algorithm to use for
signing certificates. If this option is omitted, a default
value will be chosen based on the type of the key-pair; i.e. the
algorithm that ends up being used by the -keyalg option. If the
key-pair generation algorithm is "DSA", the value for the
signature algorithm will be "SHA1withDSA". If on the other hand
the key-pair generation algorithm is "RSA", then the tool will
use "MD5withRSA" as the signature algorithm.
-dname NAME
This is a mandatory value for the command. If no value is
specified --i.e. the -dname option is omitted-- the tool will
prompt you to enter a Distinguished Name to use as both the
Owner and Issuer of the generated self-signed certificate.
(see X.500 DISTINGUISHED NAME)
-keypass PASSWORD
Use this option to specify the password which the tool will use
to protect the newly created Key Entry.
If this option is omitted, you will be prompted to provide a
password.
-validity DAY_COUNT
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-import COMMAND
Read an X.509 certificate, or a PKCS#7 Certificate Reply from a
designated input source and incorporate the certificates into the key
store.
If the Alias does not already exist in the key store, the tool treats
the certificate read from the input source as a new Trusted Certificate.
It then attempts to discover a chain-of-trust, starting from that
certificate and ending at another Trusted Certificate, already stored in
the key store. If the -trustcacerts option is present, an additional
key store, of type "JKS" named "cacerts", and assumed to be present in
${JAVA_HOME}/lib/security will also be consulted if found --${JAVA_HOME}
refers to the location of an installed Java Runtime Environment (JRE).
If no chain-of-trust can be established, and unless the -noprompt option
has been specified, the certificate is printed to STDOUT and the user is
prompted for a confirmation.
If Alias exists in the key store, the tool will treat the certificate(s)
read from the input source as a Certificate Reply, which can be a chain
of certificates, that eventually would replace the chain of certificates
associated with the Key Entry of that Alias. The substitution of the
certificates only occurs if a chain-of-trust can be established between
the bottom certificate of the chain read from the input file and the
Trusted Certificates already present in the key store. Again, if the
-trustcacerts option is specified, additional Trusted Certificates in
the same "cacerts" key store will be considered. If no chain-of-trust
can be established, the operation will abort.
-alias ALIAS
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-file FILE_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keypass PASSWORD
Use this option to specify the password which the tool will use
to protect the Key Entry associated with the designated Alias,
when replacing this Alias' chain of certificates with that found
in the certificate reply.
If this option is omitted, and the chain-of-trust for the
certificate reply has been established, the tool will first
attempt to unlock the Key Entry using the same password
protecting the key store. If this fails, you will then be
prompted to provide a password.
-noprompt
Use this option to prevent the tool from prompting the user.
-trustcacerts
Use this option to indicate to the tool that a key store, of
type "JKS", named "cacerts", and usually located in lib/security
in an installed Java Runtime Environment should be considered
when trying to establish chains-of-trust.
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-selfcert COMMAND
Generate a self-signed X.509 version 1 certificate. The newly generated
certificate will form a chain of one element which will replace the
previous chain associated with the designated Alias (if -alias option
was specified), or the default Alias (if -alias option was omitted).
-alias ALIAS
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-sigalg ALGORITHM
The canonical name of the digital signature algorithm to use for
signing the certificate. If this option is omitted, a default
value will be chosen based on the type of the private key
associated with the designated Alias. If the private key is a
"DSA" one, the value for the signature algorithm will be
"SHA1withDSA". If on the other hand the private key is an "RSA"
one, then the tool will use "MD5withRSA" as the signature
algorithm.
-dname NAME
Use this option to specify the Distinguished Name of the newly
generated self-signed certificate. If this option is omitted,
the existing Distinguished Name of the base certificate in the
chain associated with the designated Alias will be used instead.
(see X.500 DISTINGUISHED NAME)
-validity DAY_COUNT
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keypass PASSWORD
Use this option to specify the password which the tool will use
to unlock the Key Entry associated with the designated Alias.
If this option is omitted, the tool will first attempt to unlock
the Key Entry using the same password protecting the key store.
If this fails, you will then be prompted to provide a password.
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-identitydb COMMAND
NOT IMPLEMENTED YET.
Import a JDK 1.1 style Identity Database.
-file FILE_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-certreq COMMAND
Generate a PKCS#10 Certificate Signing Request (CSR) and write it to
a designated output destination. The contents of the destination
should look something like the following:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICYTCCAiECAQAwXzEUMBIGA1UEAwwLcnNuQGdudS5vcmcxGzAZBgNVBAoMElUg
Q29tcGFueTEPMA0GA1UEBwwGU3lkbmV5MQwwCgYDVQQIDANOU1cxCzAJBgNVBACC
...
FCTlKlok8KwGuIVwNVOfQLRX+O5kAhQ/a4RTZme2L8PnpvgRwrf7Eg8D6w==
-----END NEW CERTIFICATE REQUEST-----
IMPORTANT: Some documentation (e.g. RSA examples) claims that the
Attributes field, in the CSR is OPTIONAL while RFC-2986 implies the
opposite. This implementation considers this field, by default, as
OPTIONAL, unless the option -attributes is specified on the command
line.
-alias ALIAS
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-sigalg ALGORITHM
The canonical name of the digital signature algorithm to use for
signing the certificate. If this option is omitted, a default
value will be chosen based on the type of the private key
associated with the designated Alias. If the private key is a
"DSA" one, the value for the signature algorithm will be
"SHA1withDSA". If on the other hand the private key is an "RSA"
one, then the tool will use "MD5withRSA" as the signature
algorithm.
-file FILE_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keypass PASSWORD
Use this option to specify the password which the tool will use
to unlock the Key Entry associated with the designated Alias.
If this option is omitted, the tool will first attempt to unlock
the Key Entry using the same password protecting the key store.
If this fails, you will then be prompted to provide a password.
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-attributes
Use this option to force the tool to encode a NULL DER value in
the CSR as the value of the Attributes field.
-export COMMAND
Export a certificate stored in the key store to a designated output
destination, either in binary format (if the -v option is specified),
or in RFC-1421 compliant encoding (if the -rfc option is specified
instead).
-alias ALIAS
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-file FILE_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-rfc Use RFC-1421 specifications when encoding the output.
-v Output the certificate in binary DER encoding. This is the
default output format of the command if neither -rfc nor -v
options were detected on the command line. If both this option
and the -rfc option are detected on the command line, the tool
will opt for the RFC-1421 style encoding.
-list COMMAND
Print one or all of the key store entries to STDOUT. Usually this
command will only print a fingerprint of the certificate, unless either
the -rfc or the -v option is specified.
-alias ALIAS
If this option is omitted, the tool will print ALL the entries
found in the key store.
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-rfc Use RFC-1421 specifications when encoding the output.
-v Output the certificate in human-readable format. If both this
option and the -rfc option are detected on the command line,
the tool will opt for the human-readable form and will not
abort the command.
-printcert COMMAND
Read a certificate from a designated input source and print it to STDOUT
in a human-readable form.
-file FILE_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keyclone COMMAND
Clone an existing Key Entry and store it under a new (different) Alias,
protecting its private key material with possibly a new password.
-alias ALIAS
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-dest ALIAS
Use this option to specify the new Alias which will be used to
identify the cloned copy of the Key Entry.
-keypass PASSWORD
Use this option to specify the password which the tool will use
to unlock the Key Entry associated with the designated Alias.
If this option is omitted, the tool will first attempt to unlock
the Key Entry using the same password protecting the key store.
If this fails, you will then be prompted to provide a password.
-new PASSWORD
Use this option to specify the password protecting the private
key material of the newly cloned copy of the Key Entry.
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepasswd COMMAND
Change the password protecting a key store.
-new PASSWORD
The new, and different, password which will be used to protect
the designated key store.
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keypasswd COMMAND
Change the password protecting the private key material of a designated
Key Entry.
-alias ALIAS
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keypass PASSWORD
Use this option to specify the password which the tool will use
to unlock the Key Entry associated with the designated Alias.
If this option is omitted, the tool will first attempt to unlock
the Key Entry using the same password protecting the key store.
If this fails, you will then be prompted to provide a password.
-new PASSWORD
The new, and different, password which will be used to protect
the private key material of the designated Key Entry.
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-delete COMMAND
Delete a designated key store entry.
-alias ALIAS
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storetype STORE_TYPE
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-keystore URL
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-storepass PASSWORD
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-provider PROVIDER_CLASS_NAME
(see OPTIONS COMMON TO MORE THAN ONE COMMAND)
-v (see OPTIONS COMMON TO MORE THAN ONE COMMAND)
REPORTING BUGS
Please report bugs at http://www.gnu.org/software/classpath/bugs.html
COPYRIGHT
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is
NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.