JDK Keytool: usage and understanding

Source: Internet  Editor: 程序博客网  Time: 2024/05/07 15:02

Windows keeps its root certificates in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates.

Java keeps the root certificates it trusts in the JDK's cacerts keystore, for example:

D:\Program Files\Java\jdk1.6.0_24\jre\lib\security\cacerts

In that directory, keytool -list -keystore cacerts shows every certificate; the default password is changeit.

 

To bring an operating-system certificate into Java, export the root certificate from the Windows store through IE as a .cer file, then import it into the JDK keystore with keytool. The -keystore option is required here: without it keytool writes to the user's default keystore (.keystore in the home directory), not to cacerts.

keytool -import -file oracle.cer -alias oracle -keystore cacerts

Enter keystore password:

...

 

After the import, confirm the certificate is in the keystore by looking up its fingerprint:

 D:\Program Files\Java\jdk1.6.0_24\jre\lib\security>keytool -list -keystore cacerts|findstr DB:23

Enter keystore password:  changeit

Certificate fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83

 

keytool can also print the contents of a .cer certificate directly on the command line:

 keytool -printcert -file "oracle.cer"

 

A keystore holds several kinds of entry, arranged as follows:

KeyStore.Entry
|-KeyStore.PrivateKeyEntry
|-KeyStore.TrustedCertificateEntry
|-KeyStore.SecretKeyEntry

PrivateKeyEntry holds a private key together with its certificate chain; in effect this is the private key and the public key of an asymmetric algorithm.

TrustedCertificateEntry holds a certificate that is trusted.

SecretKeyEntry holds a SecretKey, that is, the key of a symmetric algorithm.

 

A KeyStore also has a type; the common ones are JKS and JCEKS. JKS is the default keystore type, but it can only store public/private key pairs and certificates. If you also need to store a secret key, you have to use JCEKS:

keytool -genseckey -alias seckey -keyalg DES -storetype jceks

When listing, the type must be given explicitly as well, because the default type is JKS:

keytool -list -storetype JCEKS

Generating a key pair:

keytool -genkeypair -alias pubKey -keyalg "RSA" -storetype JCEKS
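The same entry and store-type rules, driven through the java.security.KeyStore API instead of the keytool command line, as an added example that is not part of the original post. It writes a SecretKeyEntry into a JCEKS file, reloads it with the matching type, classifies every entry, and can list a JKS truststore such as cacerts with SHA-256 fingerprints; the password changeit, the file name demo.jceks and the AES key are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.crypto.KeyGenerator;

// Added example, not the page's code: put a SecretKeyEntry into a JCEKS keystore,
// reload it and classify each entry; optionally list a JKS truststore such as cacerts.
public class KeyStoreEntries {
    // Colon-separated hex of SHA-256 over the DER encoding, comparable with the
    // SHA-256 line of keytool -printcert (older keytool printed MD5, as on this page).
    static String fingerprint(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) sb.append(i > 0 ? ":" : "").append(String.format("%02X", d[i]));
        return sb.toString();
    }
    // Prints alias, entry kind and, for trusted certificates, the fingerprint.
    static void listEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            String kind = ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class) ? "SecretKeyEntry"
                    : ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class) ? "PrivateKeyEntry"
                    : "TrustedCertificateEntry";
            String fp = ks.isCertificateEntry(alias) ? " " + fingerprint(ks.getCertificate(alias)) : "";
            System.out.println(alias + ": " + kind + fp);
        }
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                  // assumed; used as storepass and keypass
        KeyStore jceks = KeyStore.getInstance("JCEKS");        // JKS would throw KeyStoreException on setEntry
        jceks.load(null, null);                                // start with an empty store
        jceks.setEntry("seckey", new KeyStore.SecretKeyEntry(KeyGenerator.getInstance("AES").generateKey()),
                new KeyStore.PasswordProtection(pw));
        try (FileOutputStream out = new FileOutputStream("demo.jceks")) { jceks.store(out, pw); }
        KeyStore reloaded = KeyStore.getInstance("JCEKS");     // default type JKS cannot read this file
        try (FileInputStream in = new FileInputStream("demo.jceks")) { reloaded.load(in, pw); }
        listEntries(reloaded);
        if (args.length > 0) {                                 // e.g. <jdk>/jre/lib/security/cacerts
            KeyStore cacerts = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream(args[0])) { cacerts.load(in, pw); }
            listEntries(cacerts);
        }
    }
}
```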

 

The keytool source below (doGenCert, the routine that issues a certificate from a certificate request) shows how the certificate is built and signed; if you want to write your own, you can use it as a reference:

private void doGenCert(String alias, String sigAlgName, InputStream in, PrintStream out)
        throws Exception {

    // The signer's certificate supplies the issuer name of the new certificate.
    Certificate signerCert = keyStore.getCertificate(alias);
    byte[] encoded = signerCert.getEncoded();
    X509CertImpl signerCertImpl = new X509CertImpl(encoded);
    X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
            X509CertImpl.NAME + "." + X509CertImpl.INFO);
    X500Name issuer = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
            CertificateSubjectName.DN_NAME);

    // Validity period: -startdate plus -validity days.
    Date firstDate = getStartDate(startDate);
    Date lastDate = new Date();
    lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
    CertificateValidity interval = new CertificateValidity(firstDate,
            lastDate);

    // Recover the signer's private key and pick a signature algorithm compatible with it.
    PrivateKey privateKey =
            (PrivateKey)recoverKey(alias, storePass, keyPass).fst;
    if (sigAlgName == null) {
        sigAlgName = getCompatibleSigAlgName(privateKey.getAlgorithm());
    }
    Signature signature = Signature.getInstance(sigAlgName);
    signature.initSign(privateKey);

    // Assemble the TBS fields; the serial number is a random positive int.
    X509CertInfo info = new X509CertInfo();
    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
            new java.util.Random().nextInt() & 0x7fffffff));
    info.set(X509CertInfo.VERSION,
            new CertificateVersion(CertificateVersion.V3));
    info.set(X509CertInfo.ALGORITHM_ID,
            new CertificateAlgorithmId(
                AlgorithmId.getAlgorithmId(sigAlgName)));
    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer));

    // Read the PEM-encoded PKCS#10 request between its BEGIN/END lines.
    BufferedReader reader = new BufferedReader(new InputStreamReader(in));
    boolean canRead = false;
    StringBuffer sb = new StringBuffer();
    while (true) {
        String s = reader.readLine();
        if (s == null) break;
        // OpenSSL does not use NEW
        //if (s.startsWith("-----BEGIN NEW CERTIFICATE REQUEST-----")) {
        if (s.startsWith("-----BEGIN") && s.indexOf("REQUEST") >= 0) {
            canRead = true;
        //} else if (s.startsWith("-----END NEW CERTIFICATE REQUEST-----")) {
        } else if (s.startsWith("-----END") && s.indexOf("REQUEST") >= 0) {
            break;
        } else if (canRead) {
            sb.append(s);
        }
    }
    byte[] rawReq = new BASE64Decoder().decodeBuffer(new String(sb));
    PKCS10 req = new PKCS10(rawReq);

    // Subject public key and subject name come from the request (unless -dname overrides).
    info.set(X509CertInfo.KEY, new CertificateX509Key(req.getSubjectPublicKeyInfo()));
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
            dname==null?req.getSubjectName():new X500Name(dname)));

    // Extensions requested in the PKCS#10 attributes are merged with -ext options.
    CertificateExtensions reqex = null;
    Iterator<PKCS10Attribute> attrs = req.getAttributes().getAttributes().iterator();
    while (attrs.hasNext()) {
        PKCS10Attribute attr = attrs.next();
        if (attr.getAttributeId().equals(PKCS9Attribute.EXTENSION_REQUEST_OID)) {
            reqex = (CertificateExtensions)attr.getAttributeValue();
        }
    }
    CertificateExtensions ext = createV3Extensions(
            reqex,
            null,
            v3ext,
            req.getSubjectPublicKeyInfo(),
            signerCert.getPublicKey());
    info.set(X509CertInfo.EXTENSIONS, ext);

    // Sign, print the new certificate, then the signer's chain without its self-signed root.
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privateKey, sigAlgName);
    dumpCert(cert, out);
    for (Certificate ca: keyStore.getCertificateChain(alias)) {
        if (ca instanceof X509Certificate) {
            X509Certificate xca = (X509Certificate)ca;
            if (!isSelfSigned(xca)) {
                dumpCert(xca, out);
            }
        }
    }
}
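A check of what doGenCert emits, as an added example written for this page and not part of keytool: it reads the certificate file produced by the routine above (the new certificate followed by the signer chain minus the self-signed root), plus the root exported separately, and verifies each link with the public JDK API. File names signed.pem and root.pem are assumptions.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

// Added example, not keytool's code: verify the chain written by doGenCert (keytool -gencert).
// Usage: java GenCertCheck signed.pem root.pem   (root.pem is the self-signed root, which
// doGenCert deliberately leaves out of its output)
public class GenCertCheck {

    // Loads every certificate in the file, in the order keytool wrote them.
    static List<X509Certificate> load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(path)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // True when every certificate is inside its firstDate..lastDate window, names the next
    // certificate (or the root) as issuer, and carries a signature that verifies under that key.
    // checkValidity and verify throw on failure, so a broken chain never returns true.
    static boolean verifyChain(List<X509Certificate> chain, X509Certificate root) throws Exception {
        Date now = new Date();
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            X509Certificate signer = i + 1 < chain.size() ? chain.get(i + 1) : root;
            cert.checkValidity(now);
            if (!cert.getIssuerX500Principal().equals(signer.getSubjectX500Principal())) return false;
            cert.verify(signer.getPublicKey());
            // doGenCert draws the serial from java.util.Random: positive, but not guaranteed
            // unique, so a CA issuing many certificates must track serials itself.
            if (cert.getSerialNumber().signum() <= 0) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = load(args[0]);
        X509Certificate root = load(args[1]).get(0);
        System.out.println(verifyChain(chain, root) ? "chain OK" : "chain broken");
    }
}
```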
