-genkey (the older name of -genkeypair) creates a key pair and a self-signed certificate. With no -keystore given it writes the file ".keystore" in the user's home directory, and with no -alias given it uses the alias "mykey"; the entry holds the private key and the certificate, which carries the public key.
-alias Specifies the alias under which the entry is stored (aliases are case-insensitive)
-keystore Specifies the keystore file; when given, the generated entry is stored there instead of in the default .keystore
-keyalg Specifies the key algorithm (for example RSA)
-validity Specifies how many days the generated certificate is valid
-keysize Specifies the key length in bits
-storepass Specifies the password that protects the keystore
-keypass Specifies the password that protects the private key of the alias entry
-dname Specifies the certificate owner (subject) distinguished name, for example: "CN=sagely,OU=atr,O=szu,L=sz,ST=gd,C=cn"
-list Displays the entries in the keystore, for example: keytool -list -v -keystore sage -storepass ....
-v Displays the details of each certificate in the keystore
-export Exports the certificate of the given alias to a file, for example: keytool -export -alias caroot -file caroot.crt (with no -keystore the default .keystore is used)
-file Specifies the file to export to (or, with -import, the file to read from)
-delete Deletes an entry from the keystore, for example: keytool -delete -alias sage -keystore sage
-keypasswd Changes the private-key password of an entry, for example: keytool -keypasswd -alias sage -keypass .... -new .... -storepass ... -keystore sage
-import Imports a signed certificate (a CA reply for an existing key entry, or a trusted CA certificate) into the keystore, for example: keytool -import -alias sage -keystore sagely -file sagely.crt
After a CA-signed certificate reply has been imported for an existing key entry, keytool -list -v shows that the entry's certificate chain length has grown, and prints the whole CA chain. For the reply to be accepted, the issuing CA's certificate must already be trusted, either in the same keystore or in the JDK's cacerts file.
keytool is Java's key and certificate management tool. It lets users manage their own public/private key pairs and the associated certificates, used for self-authentication (proving their identity to other users or services via digital signatures) and for data integrity and authentication services. It can also store the public keys (in certificate form) of communication peers. Run keytool -help to see its usage. For details see http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html (the Java 5 documentation; later JDKs renamed -genkey, -export and -import to -genkeypair, -exportcert and -importcert, keeping the old names as aliases).
Creating a certificate: keytool (keytool.exe on Windows, located in the JDK's bin directory) creates digital certificates. Every certificate is stored in a keystore (the "certificate library") under an alias that distinguishes it from the others. A key entry in the keystore holds the private key, the public key and the corresponding certificate. Such an entry can be exported to a certificate file, which contains only the subject information and the public key, never the private key.
Each keystore is a single file protected by an access password. The first time you create an entry, keytool creates the keystore file and asks for the password that will be required to access it from then on.
When creating a certificate you are asked for some information about the certificate's subject and for the password of the private key. The subject information consists of CN=xx,OU=xx,O=xx,L=xx,ST=xx,C=xx, meaning:
- CN (Common Name; keytool prompts for it as "first and last name"): for a server certificate this must be the host name clients will connect to, such as localhost or blog.devep.net. If it does not match the name actually used at run time there will be problems: a browser shows a dialog saying "The name on the security certificate is invalid, or does not match the site name" and lets the user decide whether to continue, while a Java HTTP client throws an exception such as java.io.IOException: HTTPS hostname wrong: should be <hostname>. Note that current browsers and TLS libraries check the Subject Alternative Name extension rather than CN; from Java 7 on you can add it with -ext SAN=dns:<hostname>.
- OU (Organization Unit name)
- O (Organization name)
- L (Locality: city or region name)
- ST (State or province name)
- C (Country name)
You can either let the tool prompt interactively for the information above, or supply it with the parameter -dname "CN=xx,OU=xx,O=xx,L=xx,ST=xx,C=xx" so that the certificate is created without prompts.
Create a certificate
The following creates a certificate with the alias Tomcat in the keystore C:/keystore/test, using the RSA algorithm with a key length of 1024 bits and a validity of one year (1024-bit RSA is below today's minimum; use -keysize 2048 or larger for anything real):
keytool -genkey -alias Tomcat -keyalg RSA -keysize 1024 -keystore C:/keystore/test -validity 365
Use keytool -list -keystore C:/keystore/test to display all entries in the C:/keystore/test keystore.
Export to certificate file
The command keytool -export -alias Tomcat -file C:/keystore/TC.cer -keystore C:/keystore/test exports the certificate with the alias Tomcat from the keystore C:/keystore/test into the file TC.cer. The file contains the certificate subject information and the public key but not the private key, so it can be published.
The exported file is DER (binary) encoded and cannot be displayed correctly in a text editor. Add the -rfc parameter to output the certificate in printable, Base64-encoded PEM form instead, like:
keytool -export -alias Tomcat -file C:/keystore/TC.cer -keystore C:/keystore/test -rfc
View certificate information
The information in a certificate file can be viewed with the command keytool -printcert -file C:/keystore/TC.cer. On Windows you can also double-click the certificate file in Explorer to view it directly.
Delete entries in the keystore
keytool -delete -alias Tomcat -keystore C:/keystore/test
This command deletes the Tomcat entry from the C:/keystore/test keystore.
Modify the certificate entry password
keytool -keypasswd -alias Tomcat -keystore C:/keystore/test interactively changes the private-key password of the Tomcat entry in the C:/keystore/test keystore (it prompts for the keystore password, the current key password and the new one).
keytool -keypasswd -alias Tomcat -keypass oldpasswd -new newpasswd -storepass storepasswd -keystore C:/keystore/test does the same non-interactively: oldpasswd is the current password of the entry's private key, newpasswd is the new one, and storepasswd is the keystore password. A key password that differs from the store password is only supported by JKS keystores; in PKCS12 keystores (the default since JDK 9) the key password must equal the store password. Also, passwords given on the command line end up in shell history and in the process list, so prefer the interactive form outside of scripts.
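The whole workflow above run end to end in one script: the -dname and SAN point, creating the entry, exporting it as DER and as PEM, -printcert, getting the certificate signed by a CA and importing the reply so that the chain length grows from 1 to 2, -keypasswd and -delete. This is an added example and not code from the original page. It assumes a JDK (7 or later, for -ext and -gencert) with keytool on the PATH, works in a temporary directory instead of C:/keystore, and uses a throwaway CA keystore, the alias caroot, and the demo passwords storepasswd/oldpasswd/newpasswd, all of which are assumptions of the example:

```shell
#!/bin/sh
# Added example, not from the original page. Drives keytool through the page's
# workflow in a temporary directory. Assumes a JDK (7+) with keytool on PATH;
# the CA keystore, alias names and passwords below are demo values.
STOREPASS=storepasswd
KEYPASS=oldpasswd
NEWKEYPASS=newpasswd
ALIAS=Tomcat
DNAME="CN=localhost,OU=atr,O=szu,L=sz,ST=gd,C=cn"

have_keytool() { command -v keytool >/dev/null 2>&1; }

# 1. Key pair + self-signed certificate. JKS is requested explicitly because
#    step 5 needs a key password that differs from the store password, which
#    PKCS12 keystores do not allow. The SAN extension carries the host name;
#    modern clients check SAN rather than CN.
gen_server_key() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$KS" -storetype JKS -storepass "$STOREPASS" -keypass "$KEYPASS" \
        -dname "$DNAME" -ext SAN=dns:localhost </dev/null >/dev/null 2>&1
}

# 2. Export as DER and as PEM (-rfc); neither file may contain the private key.
export_cert() {
    keytool -exportcert -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -file "$DIR/TC.cer" >/dev/null 2>&1 || return 1
    keytool -exportcert -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -rfc -file "$DIR/TC.pem" >/dev/null 2>&1 || return 1
    # DER begins with 0x30 (ASN.1 SEQUENCE); PEM is Base64 between BEGIN/END lines.
    [ "$(od -An -tx1 -N1 "$DIR/TC.cer" | tr -d ' ')" = 30 ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$DIR/TC.pem" || return 1
    ! grep -qi 'PRIVATE KEY' "$DIR/TC.pem"
}

# 3. -printcert on the exported file must show the SAN we asked for.
printcert_has_san() {
    keytool -printcert -file "$DIR/TC.pem" 2>/dev/null | grep -q 'DNSName: localhost'
}

# 4. A throwaway CA signs a CSR for the entry; importing the CA certificate and
#    then the signed reply turns the entry's chain length from 1 into 2.
sign_and_import_reply() {
    keytool -genkeypair -alias caroot -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$CA_KS" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=Demo CA,O=szu,C=cn" -ext bc:c </dev/null >/dev/null 2>&1 || return 1
    keytool -exportcert -alias caroot -keystore "$CA_KS" -storepass "$STOREPASS" \
        -rfc -file "$DIR/caroot.crt" >/dev/null 2>&1 || return 1
    keytool -certreq -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -keypass "$KEYPASS" -file "$DIR/tomcat.csr" </dev/null >/dev/null 2>&1 || return 1
    keytool -gencert -alias caroot -keystore "$CA_KS" -storepass "$STOREPASS" \
        -infile "$DIR/tomcat.csr" -outfile "$DIR/tomcat-signed.crt" -rfc \
        -ext SAN=dns:localhost -validity 365 </dev/null >/dev/null 2>&1 || return 1
    # The issuer must be trusted before keytool accepts the reply; -noprompt skips the y/n.
    keytool -importcert -alias caroot -keystore "$KS" -storepass "$STOREPASS" \
        -file "$DIR/caroot.crt" -noprompt </dev/null >/dev/null 2>&1 || return 1
    keytool -importcert -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -keypass "$KEYPASS" -file "$DIR/tomcat-signed.crt" </dev/null >/dev/null 2>&1 || return 1
    keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q 'Certificate chain length: 2'
}

# 5. Rotate the key password, then prove the old one is rejected and the new
#    one works. -certreq needs the private key, so it is a cheap password probe.
rotate_key_password() {
    keytool -keypasswd -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -keypass "$KEYPASS" -new "$NEWKEYPASS" </dev/null >/dev/null 2>&1 || return 1
    if keytool -certreq -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -keypass "$KEYPASS" -file "$DIR/old.csr" </dev/null >/dev/null 2>&1; then
        return 1    # old password still unlocks the key: rotation failed
    fi
    keytool -certreq -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -keypass "$NEWKEYPASS" -file "$DIR/new.csr" </dev/null >/dev/null 2>&1
}

# 6. Delete the entry; listing it afterwards must fail.
delete_entry() {
    keytool -delete -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" >/dev/null 2>&1 || return 1
    ! keytool -list -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Runs all six steps in a fresh temporary directory; returns 0 only if all pass.
run_keytool_demo() {
    DIR=$(mktemp -d) || return 1
    KS="$DIR/test"; CA_KS="$DIR/ca"
    gen_server_key && export_cert && printcert_has_san \
        && sign_and_import_reply && rotate_key_password && delete_entry
    status=$?
    rm -rf "$DIR"
    return $status
}

if have_keytool; then
    run_keytool_demo && echo "keytool demo: all six steps passed"
else
    echo "keytool not found on PATH; nothing run"
fi
```

Every keytool call reads stdin from /dev/null so that a wrong password fails immediately instead of hanging on a prompt. Outside of this demo, replace the hardcoded passwords, and drop -storetype JKS in favour of the PKCS12 default whenever you do not need a key password that differs from the store password.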