CS 5523 Operating Systems
Generating Keys and Keystores

Generating a private/public key pair, along with a certificate.

The following generates a key pair and certificate and puts it in a new keystore called cs5523keys. The password for this keystore is cs5523.

keytool -genkey -alias kay -keyalg RSA -validity 365 -keystore cs5523keys
Enter keystore password:  cs5523
What is your first and last name?
  [Unknown]:  Kay A. Robbins
What is the name of your organizational unit?
  [Unknown]:  CS 5523
What is the name of your organization?
  [Unknown]:  University of Texas at San Antonio
What is the name of your City or Locality?
  [Unknown]:  San Antonio
What is the name of your State or Province?
  [Unknown]:  TX
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Kay A. Robbins, OU=CS 5523, O=University of Texas at San Antonio, L=San Antonio, ST=TX, C=US correct?
  [no]:  yes

Enter key password for <kay>
        (RETURN if same as keystore password):
This creates a keystore entry that holds both a public/private key pair and a certificate.

Listing the contents of a keystore:

keytool -list -v -keystore cs5523keys
Enter keystore password:  cs5523

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: kay
Creation date: Apr 1, 2002
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Kay A. Robbins, OU=CS 5523, O=University of Texas at San Antonio, L=San Antonio, ST=TX, C=US
Issuer: CN=Kay A. Robbins, OU=CS 5523, O=University of Texas at San Antonio, L=San Antonio, ST=TX, C=US
Serial number: 3ca84aa0
Valid from: Mon Apr 01 05:55:12 CST 2002 until: Tue Apr 01 05:55:12 CST 2003
Certificate fingerprints:
         MD5:  56:3F:9F:F5:8F:BE:D1:AB:1D:34:55:2E:33:48:D5:9D
         SHA1: 86:05:4F:DB:CD:F7:57:03:52:37:CA:C8:81:32:9E:9F:76:9F:61:28


*******************************************
*******************************************


Note that kay has type keyEntry. It has both a public/private key pair and a certificate.

In the real world, we would generate a Certificate Signing Request (CSR) for this certificate and send it to a trusted CA (Certificate Authority) such as Verisign. Since we don't want to pay any money, we are going to import our certificate into the list of trusted certificates for our programs. That is, we will make kay a trusted certificate.

To export a self-signed certificate from a keystore:

keytool -export -alias kay -keystore cs5523keys -rfc -file kay.cer
Enter keystore password:  cs5523
Certificate stored in file <kay.cer>
The file kay.cer contains
-----BEGIN CERTIFICATE-----
[base64-encoded certificate body]
-----END CERTIFICATE-----

To add a certificate to a truststore:

keytool -import -alias kaycer -file kay.cer -keystore cs5523certs
Enter keystore password:  trustme
Owner: CN=Kay A. Robbins, OU=CS 5523, O=University of Texas at San Antonio, L=San Antonio, ST=TX, C=US
Issuer: CN=Kay A. Robbins, OU=CS 5523, O=University of Texas at San Antonio, L=San Antonio, ST=TX, C=US
Serial number: 3ca84aa0
Valid from: Mon Apr 01 05:55:12 CST 2002 until: Tue Apr 01 05:55:12 CST 2003
Certificate fingerprints:
         MD5:  56:3F:9F:F5:8F:BE:D1:AB:1D:34:55:2E:33:48:D5:9D
         SHA1: 86:05:4F:DB:CD:F7:57:03:52:37:CA:C8:81:32:9E:9F:76:9F:61:28
Trust this certificate? [no]:  yes
Certificate was added to keystore

Getting a listing gives:

keytool -list -v -keystore cs5523certs
Enter keystore password:  trustme

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: kaycer
Creation date: Apr 1, 2002
Entry type: trustedCertEntry

Owner: CN=Kay A. Robbins, OU=CS 5523, O=University of Texas at San Antonio, L=San Antonio, ST=TX, C=US
Issuer: CN=Kay A. Robbins, OU=CS 5523, O=University of Texas at San Antonio, L=San Antonio, ST=TX, C=US
Serial number: 3ca84aa0
Valid from: Mon Apr 01 05:55:12 CST 2002 until: Tue Apr 01 05:55:12 CST 2003
Certificate fingerprints:
         MD5:  56:3F:9F:F5:8F:BE:D1:AB:1D:34:55:2E:33:48:D5:9D
         SHA1: 86:05:4F:DB:CD:F7:57:03:52:37:CA:C8:81:32:9E:9F:76:9F:61:28


*******************************************
*******************************************

Notice that kaycer is a trustedCertEntry. It holds only the certificate; it has no private key.
Last revision: April 1, 2002 at 5:50 am