by Anish
Posted on Saturday September 29, 2018
This sample chapter is extracted from the book The Modern Cryptography CookBook. The book's theme is "Cryptography is for Everyone": from crypto principles to applied cryptography, with practical examples.
keytool is the JDK's key and certificate management utility. It stores private keys with their certificate chains, and trusted certificates, in a keystore file (JKS on JDK 8 and earlier, PKCS12 by default since JDK 9), and it is the tool you reach for when a Java application needs a TLS server certificate, a truststore, or an APK signing key.
Option defaults (as documented for the JDK 8 keytool; the defaults have changed between JDK releases, the DSA key size among them, so always pass -keyalg and -keysize explicitly rather than relying on them):

Option | Default |
---|---|
-alias | "mykey" |
-keyalg | "DSA" (when using -genkeypair); "DES" (when using -genseckey) |
-keysize | 2048 (-genkeypair with -keyalg RSA); 1024 (-genkeypair with -keyalg DSA); 256 (-genkeypair with -keyalg EC); 56 (-genseckey with -keyalg DES); 168 (-genseckey with -keyalg DESede) |
-validity | 90 (days) |
-keystore | the file named .keystore in the user's home directory |
-file | stdin if reading, stdout if writing |
-protected | false |

These defaults are a trap: DSA and single DES are obsolete, and a 90-day self-signed certificate expires before most people notice. Specify RSA (2048 bits or more) or EC (256 bits), and a validity that matches your rotation plan.
Generate a key pair and a self-signed certificate (-genkey is the older name for -genkeypair). keytool prompts for the keystore password and the distinguished name unless -storepass and -dname are given:

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
keytool -genkey -alias mydomain1 -keyalg DSA -keystore keystore.jks -keysize 2048
keytool -genkey -alias mydomain3 -keyalg EC -keystore keystore.jks -keysize 256

Alternatively, the keystore password can be passed with -storepass:

keytool -genkey -keyalg RSA -alias domain1 -keystore keystore.jks -storepass hello123 -validity 360 -keysize 2048

A literal -storepass value ends up in the shell history and is visible to every local user in the process list while keytool runs. In scripts, use -storepass:env VARNAME (read the password from an environment variable) or -storepass:file PATH (read it from a file) instead; -keypass accepts the same :env and :file forms.
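The key-generation commands above, as an added example that is not part of the original page or of the keytool distribution: a small Python wrapper that builds a non-interactive keytool -genkeypair command line, refuses the weak defaults (DSA, single DES, RSA below 2048 bits) and reads the keystore password from an environment variable with -storepass:env instead of placing it in argv. It assumes keytool is on PATH; the keystore name keystore.p12, the alias and the distinguished name in the usage stanza are placeholders.

```python
"""Non-interactive keystore creation without secrets on the command line.

Added example (not from the page): builds a `keytool -genkeypair` argv that
enforces an algorithm policy and takes the keystore password from an
environment variable via -storepass:env, so it appears in neither shell
history nor `ps` output.  Assumes `keytool` is on PATH.
"""
import os
import subprocess

# Minimum key sizes per allowed algorithm.  DSA and DES (keytool's defaults)
# are deliberately absent.
MIN_KEYSIZE = {"RSA": 2048, "EC": 256}
SIGALG = {"RSA": "SHA256withRSA", "EC": "SHA256withECDSA"}


def genkeypair_cmd(keystore, alias, dname, keyalg="RSA", keysize=None,
                   validity_days=365, storepass_env="KEYSTORE_PASS"):
    """Return the argv list; raises ValueError if the request violates policy."""
    if keyalg not in MIN_KEYSIZE:
        raise ValueError(f"{keyalg} not allowed; use one of {sorted(MIN_KEYSIZE)}")
    keysize = keysize or MIN_KEYSIZE[keyalg]
    if keysize < MIN_KEYSIZE[keyalg]:
        raise ValueError(f"{keyalg} key size {keysize} is below {MIN_KEYSIZE[keyalg]}")
    return [
        "keytool", "-genkeypair",
        "-alias", alias,
        "-keyalg", keyalg, "-keysize", str(keysize), "-sigalg", SIGALG[keyalg],
        "-dname", dname,
        "-validity", str(validity_days),
        # PKCS12 is the portable format and the JDK 9+ default; a PKCS12
        # keystore uses the store password for its keys, so no -keypass.
        "-keystore", keystore, "-storetype", "PKCS12",
        # ":env" makes keytool read the password from this variable's value.
        "-storepass:env", storepass_env,
    ]


def create_keypair(keystore, alias, dname, **kwargs):
    """Run keytool; the caller exports the password variable beforehand."""
    cmd = genkeypair_cmd(keystore, alias, dname, **kwargs)
    var = cmd[cmd.index("-storepass:env") + 1]
    if var not in os.environ:
        raise RuntimeError(f"environment variable {var} is not set")
    # cmd contains no secret, so logging it is safe.
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return done.stdout + done.stderr


if __name__ == "__main__":
    # Usage (placeholder names): KEYSTORE_PASS='...' python3 genkey.py
    print(create_keypair("keystore.p12", "mydomain",
                         "CN=8gwifi.org, OU=Cryptography, O=8gwifi, C=IN",
                         keyalg="EC"))
```

Because the password never appears in the argument vector, the assembled command can be logged or shown in CI output without leaking it; the only thing the operator has to protect is the environment of the process that runs it.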
Generate a certificate signing request (CSR) for an existing Java keystore entry. The request is signed with the private key stored under the alias; the key itself never leaves the keystore, and only the CSR goes to the CA:

keytool -certreq -alias mydomain -keystore keystore.jks -file 8gwifi.csr

This writes a PEM-encoded PKCS#10 request that begins with -----BEGIN NEW CERTIFICATE REQUEST-----
and ends with -----END NEW CERTIFICATE REQUEST-----. keytool uses the older "NEW CERTIFICATE REQUEST" label; openssl req accepts it, and inspecting the request with it is a quick way to confirm the subject and key size before submitting.
keytool -list prints the keystore entry identified by -alias, or every entry if no alias is given:

keytool -list -keystore keystore.jks
Enter keystore password:

Without -v, each entry is shown with its creation date, entry type and one certificate fingerprint (SHA1 on JDK 8; newer JDKs print SHA-256):
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
mydomain3, Aug 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 65:9A:6F:43:2C:10:E7:56:4C:EF:B7:70:0B:3D:A8:66:41:DA:5B:22
mydomain1, Aug 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): DB:3E:30:83:C8:FD:E3:A5:28:BB:0B:D7:3B:FD:ED:B2:9B:75:46:37
mydomain, Aug 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): C5:A4:D7:24:10:70:FA:4C:57:36:1C:32:A6:AE:BA:2A:72:A6:33:DB
The -v option prints the full certificate details (owner, issuer, serial number, validity period and all fingerprints) for every entry:

keytool -list -v -keystore keystore.jks

To check a single entry, add -alias:

keytool -list -v -keystore keystore.jks -alias mydomain
Import a root or intermediate CA certificate into an existing Java keystore. This creates a trustedCertEntry; -import is the older name for -importcert, and -trustcacerts additionally lets keytool build the chain against the JDK's cacerts file:

keytool -import -trustcacerts -alias root -file rootCA.pem -keystore keystore.jks
Enter keystore password:
Owner: CN=8gwifi.org, OU=Cryptography, O=8gwifi, L=IN, ST=BLR, C=IN
Issuer: CN=8gwifi.org, OU=Cryptography, O=8gwifi, L=IN, ST=BLR, C=IN
Serial number: c12f5c50dd458faf
Valid from: Wed Aug 01 09:37:03 IST 2018 until: Fri May 21 09:37:03 IST 2021
Certificate fingerprints:
MD5: B9:88:92:11:11:ED:74:B6:D1:92:DB:61:07:60:34:B3
SHA1: 00:E7:41:90:9F:3E:1D:DA:B0:C0:18:6B:C2:34:E7:71:38:B7:57:3C
SHA256: 68:D4:CA:2B:23:0E:7B:EB:A6:C3:AE:FB:57:B9:A4:A3:F0:E3:FA:33:53:E9:89:99:4E:3A:18:F2:26:8C:52:BF
Signature algorithm name: SHA256withRSA
Version: 3

For a certificate whose issuer is not already trusted, keytool stops here and asks "Trust this certificate? [no]:". Answer yes only after comparing the SHA256 fingerprint shown with one obtained from the CA out of band: importing an unverified root makes every certificate it ever issues trusted by this keystore.
Import the CA-signed certificate (the "CA reply") for your own key pair. The command is the same as for a root or intermediate CA; what differs is the alias. The signed certificate must be imported under the alias of the existing private key entry (here mydomain), so that keytool replaces that entry's self-signed certificate with the new chain. keytool builds the chain from the reply, the certificates already in the keystore and, with -trustcacerts, the JDK's cacerts, and refuses the import if the issuer cannot be found, so import the intermediate and root certificates first:

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
Import a CA into the JDK's trusted certificates (cacerts). On JDK 8 the file is $JAVA_HOME/jre/lib/security/cacerts; on JDK 9 and later it is $JAVA_HOME/lib/security/cacerts. Its default password is changeit, every JVM run from that JDK trusts what it contains, and a JDK upgrade ships a fresh copy, so the change is easy to lose. For an application, prefer a dedicated truststore passed with -Djavax.net.ssl.trustStore and leave cacerts alone:

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
Change the format of cert.crt from PEM (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----) to DER:

openssl x509 -in cert.crt -inform PEM -out cert.der -outform DER

keytool -importcert accepts both encodings, so this step is optional for keytool and matters only for tools that read DER alone. Importing a stand-alone certificate this way creates a trustedCertEntry named by the alias (keytool's "alias" is just the entry name; the certificate's subject, the common name or CN you give openssl req, lives inside the certificate). It does not create a private key entry: to get a key pair generated with openssl into a keystore, go through PKCS#12 as described next.

keytool -import -trustcacerts -alias 8gwifi -file cert.der -keystore keystore.jks
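PEM-to-DER conversion and fingerprinting in pure Python, as an added example that is not from the page or from keytool. keytool's certificate fingerprints are MD5, SHA1 and SHA256 digests over the DER encoding of the certificate, so the same helper reproduces the values keytool -list and -printcert display, which is useful when you need to compare a certificate on a machine without a JDK. Standard library only; the file names in the usage stanza are placeholders.

```python
"""PEM <-> DER conversion plus keytool-style fingerprints, standard library only.

Added example (not from the page or keytool).  keytool's "Certificate
fingerprints" are MD5/SHA1/SHA256 digests of the certificate's DER bytes, so
fingerprints() reproduces them without a JDK.
"""
import base64
import hashlib
import re
import sys

# One PEM block.  The END label must equal the BEGIN label, which also covers
# keytool's CSR label "NEW CERTIFICATE REQUEST".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem_text):
    """[(label, der_bytes), ...] for every block in the text, in file order."""
    blocks = []
    for m in PEM_BLOCK.finditer(pem_text):
        body = "".join(m.group(2).split())  # tolerate LF, CRLF and indentation
        blocks.append((m.group(1), base64.b64decode(body, validate=True)))
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM with the 64-column lines OpenSSL emits."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def fingerprints(der):
    """Digests formatted the way keytool prints them: upper-case hex, colon separated."""
    algs = (("MD5", hashlib.md5), ("SHA1", hashlib.sha1), ("SHA256", hashlib.sha256))
    return {name: ":".join(f"{b:02X}" for b in fn(der).digest()) for name, fn in algs}


def load_der(path, label="CERTIFICATE"):
    """Read a file in either encoding and return the DER bytes of the wanted block."""
    raw = open(path, "rb").read()
    if not raw.lstrip().startswith(b"-----BEGIN"):
        return raw  # already DER
    for lbl, der in pem_to_der(raw.decode("latin-1")):
        if lbl == label:
            return der
    raise ValueError(f"no {label} block in {path}")


if __name__ == "__main__":
    # Usage (placeholder names): python3 pemder.py cert.crt cert.der
    src, dst = sys.argv[1:3]
    der = load_der(src)
    open(dst, "wb").write(der)
    for name, value in fingerprints(der).items():
        print(f"{name}: {value}")
```

Running it over mydomain.crt should print the same SHA256 line that keytool -printcert shows for that file; a mismatch means the two files are not the same certificate, whatever their names suggest.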
Convert the certificate and private key to PKCS 12 (.p12)
openssl pkcs12 -export -in rootCA.pem -inkey rootCA.key -out my.p12
Enter pass phrase for rootCA.key:
Enter Export Password:
Verifying - Enter Export Password:
Then merge my.p12 into the keystore. OpenSSL names the entry "1" unless you pass -name <alias> to openssl pkcs12; keytool can rename it during the import with -srcalias 1 -destalias mydomain. On JDK 9 and later you can also skip the conversion and use the .p12 file directly as a PKCS12 keystore:
$ keytool -v -importkeystore -srckeystore my.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
Enter destination keystore password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing keystore.jks]
Export a certificate from a keystore. This writes only the certificate (DER by default; add -rfc for PEM), never the private key, so the resulting file is safe to hand out:
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
Enter keystore password:
Certificate stored in file <mydomain.crt>
Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
Sample output (a self-signed certificate created without -dname, hence the Unknown fields, with the default 90-day validity):
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 490e614f
Valid from: Wed Aug 01 09:23:55 IST 2018 until: Tue Oct 30 09:23:55 IST 2018
Certificate fingerprints:
MD5: 99:BC:8E:3B:54:AC:69:0E:FC:44:6F:5D:FC:5D:B5:2B
SHA1: C5:A4:D7:24:10:70:FA:4C:57:36:1C:32:A6:AE:BA:2A:72:A6:33:DB
SHA256: 9E:22:F6:1F:78:BD:A7:01:35:26:DF:01:DE:85:4E:63:27:63:0C:E8:69:6F:39:2D:37:65:F7:77:4A:57:04:11
Signature algorithm name: SHA256withRSA
Version: 3
Delete an entry from a Java keystore (the alias and everything stored under it, including a private key, so check with -list first):

keytool -delete -alias mydomain2 -keystore keystore.jks

Change the keystore password (-keypasswd changes the password of an individual key entry instead). The same caveat as for -storepass applies: a password given with -new is visible in the shell history and the process list, so omit -new to be prompted for it:

keytool -storepasswd -new new_storepass -keystore keystore.jks
Android-related keytool commands
These are used for debugging and troubleshooting. keytool itself is platform-agnostic (the same key and certificate tool whether the environment is an Android build machine or a Linux server), so this section just shows how Android developers use it to create signing keystores and to identify the certificate an APK was signed with. Note that the keystore is never inside the APK; the APK carries only the signer's certificate (the public half), which is what the commands below inspect.
Option | Value |
---|---|
-keystore | debug.keystore |
-storepass | mykeystorepassword |
-alias | myalias |
-keypass | myandroid |
-keyalg | RSA |
-dname | C=US, O=Android, CN=Android Debug |
keytool -genkey -v -keystore debug.keystore -storepass mykeystorepassword -alias myalias -keypass myandroid -keyalg RSA -keysize 2048 -validity 10000 -dname "C=US, O=Android, CN=Android Debug"

This generates debug.keystore (Android Studio's own debug keystore is ~/.android/debug.keystore, alias androiddebugkey, with the password android for both the store and the key):

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
for: C=US, O=Android, CN=Android Debug
[Storing debug.keystore]

The same command with a different -keystore, -alias, passwords and -dname creates release.keystore. Keep the release keystore and its passwords out of source control and backed up: updates to a published app must be signed with the same key, and a lost release key means the app cannot be updated.
To get the keystore certificate fingerprints of a given alias you can do:
keytool -list -v -keystore [keystore path] -alias [alias-name] -storepass [storepass] -keypass [keypass]
Sample output:
$ keytool -list -v -keystore debug.keystore -alias myalias -storepass mykeystorepassword -keypass myandroid
Alias name: myalias
Creation date: Aug 1, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 3ca33a60
Valid from: Wed Aug 01 08:24:42 IST 2018 until: Sun Dec 17 08:24:42 IST 2045
Certificate fingerprints:
MD5: 57:C6:C5:06:1C:29:69:9E:EF:E0:A4:35:3A:3F:37:ED
SHA1: D1:FC:1A:52:BA:43:AE:D0:42:46:22:A5:3F:38:10:D7:7B:BB:05:B5
SHA256: C3:B2:F7:35:24:C1:51:C7:DD:DB:9F:54:BA:B4:D4:8D:2C:EC:A7:2B:04:40:1A:54:A5:B8:4C:35:33:14:34:78
Signature algorithm name: SHA256withRSA
Version: 3
If you do not know the alias name, list the whole keystore:

$ keytool -list -v -keystore debug.keystore
Enter keystore password:
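An audit over keytool -list -v output, as an added example that is not part of the page: it parses every entry of a listing (the fingerprint listing just above and the three-entry listing earlier on the page share this format) and flags expired or soon-expiring certificates, MD5/SHA-1 signature algorithms and self-signed entries. The sample listing is constructed from certificates shown on this page, except that the root entry's signature algorithm was changed to SHA1withRSA to exercise the weak-algorithm rule. Standard library only.

```python
"""Audit `keytool -list -v` output: expiry, weak signature algorithms, self-signed.

Added example (not from the page); standard library only.  keytool's dates
("Tue Oct 30 09:23:55 IST 2018") are parsed without the timezone name, which
does not matter at the day granularity of an expiry check.
"""
import re
from datetime import datetime, timedelta

ENTRY_SEP = re.compile(r"^\*{10,}\s*$", re.M)   # keytool's rows of asterisks
FINGERPRINT = re.compile(r"^\s*(MD5|SHA1|SHA256):\s*([0-9A-F:]+)\s*$", re.M)
DATE = re.compile(r"([A-Z][a-z]{2}) (\d{2}) (\d{2}:\d{2}:\d{2}) \S+ (\d{4})")
WEAK_SIG = re.compile(r"(MD2|MD5|SHA1)with", re.I)


def parse_date(text):
    """'Tue Oct 30 09:23:55 IST 2018' -> datetime(2018, 10, 30, 9, 23, 55)."""
    m = DATE.search(text)
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    mon, day, clock, year = m.groups()
    return datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")


def field(chunk, name):
    m = re.search(rf"^{name}:\s*(.*?)\s*$", chunk, re.M)
    return m.group(1) if m else None


def parse_listing(text):
    """One dict per keystore entry, describing its first (end-entity) certificate."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        alias = field(chunk, "Alias name")
        if alias is None:
            continue
        chunk = chunk.split("Certificate[2]:")[0]      # ignore the rest of the chain
        valid = re.search(r"^Valid from: (.+?) until: (.+)$", chunk, re.M)
        if valid is None:
            continue                                   # e.g. a SecretKeyEntry
        entries.append({
            "alias": alias, "type": field(chunk, "Entry type"),
            "owner": field(chunk, "Owner"), "issuer": field(chunk, "Issuer"),
            "not_after": parse_date(valid.group(2)),
            "sig_alg": field(chunk, "Signature algorithm name"),
            "fingerprints": dict(FINGERPRINT.findall(chunk)),
        })
    return entries


def audit(text, now=None, warn_days=90):
    """(alias, severity, message) findings; `now` is injectable for testing."""
    now = now or datetime.now()
    findings = []
    for e in parse_listing(text):
        left = e["not_after"] - now
        if left < timedelta(0):
            findings.append((e["alias"], "HIGH", f"expired on {e['not_after']:%Y-%m-%d}"))
        elif left < timedelta(days=warn_days):
            findings.append((e["alias"], "MEDIUM", f"expires in {left.days} days"))
        if e["sig_alg"] and WEAK_SIG.match(e["sig_alg"]):
            findings.append((e["alias"], "HIGH", f"weak signature algorithm {e['sig_alg']}"))
        if e["owner"] == e["issuer"]:
            findings.append((e["alias"], "INFO", "self-signed certificate"))
    return findings


# Constructed sample: two certificates shown on this page, with the root
# entry's signature algorithm changed to SHA1withRSA to trigger a finding.
SAMPLE_LISTING = """\
Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid from: Wed Aug 01 09:23:55 IST 2018 until: Tue Oct 30 09:23:55 IST 2018
Certificate fingerprints:
\t SHA1: C5:A4:D7:24:10:70:FA:4C:57:36:1C:32:A6:AE:BA:2A:72:A6:33:DB
\t SHA256: 9E:22:F6:1F:78:BD:A7:01:35:26:DF:01:DE:85:4E:63:27:63:0C:E8:69:6F:39:2D:37:65:F7:77:4A:57:04:11
Signature algorithm name: SHA256withRSA

*******************************************
*******************************************

Alias name: root
Entry type: trustedCertEntry

Owner: CN=8gwifi.org, OU=Cryptography, O=8gwifi, L=IN, ST=BLR, C=IN
Issuer: CN=8gwifi.org, OU=Cryptography, O=8gwifi, L=IN, ST=BLR, C=IN
Valid from: Wed Aug 01 09:37:03 IST 2018 until: Fri May 21 09:37:03 IST 2021
Certificate fingerprints:
\t SHA1: 00:E7:41:90:9F:3E:1D:DA:B0:C0:18:6B:C2:34:E7:71:38:B7:57:3C
\t SHA256: 68:D4:CA:2B:23:0E:7B:EB:A6:C3:AE:FB:57:B9:A4:A3:F0:E3:FA:33:53:E9:89:99:4E:3A:18:F2:26:8C:52:BF
Signature algorithm name: SHA1withRSA
"""

if __name__ == "__main__":
    for alias, severity, message in audit(SAMPLE_LISTING):
        print(f"{severity:6} {alias}: {message}")
```

Feed it the real output of keytool -list -v -keystore debug.keystore (password via -storepass:env, as noted earlier) and run it from cron: expiring TLS certificates in a JKS file are one of the most common self-inflicted outages, and the listing already contains everything needed to catch them.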
To print the certificates that signed an APK directly from the APK (keytool reads the JAR signature under META-INF, so this covers the v1 signature scheme only):

keytool -printcert -jarfile application.apk
Using jarsigner (again v1 JAR signatures only; for APK Signature Scheme v2/v3 use apksigner verify --print-certs from the Android build tools):

jarsigner -verify -verbose -certs application.apk
jarsigner -verify -verbose:summary -certs application.apk
To find out which keystore was used to sign an app:

Unzip the APK.

Get the fingerprints of the certificate embedded in the APK's signature block (the .RSA, .DSA or .EC file under META-INF is a PKCS#7 structure that carries the signer's certificate):

$ keytool -printcert -file ./META-INF/ANDROID_.RSA

Get the fingerprints of the candidate keystore's entry:

$ keytool -list -keystore signing-key.keystore

Compare the fingerprints. If they are the same, the APK was signed with the key in signing-key.keystore. Compare the SHA256 values wherever both tools print them (use -list -v to see them); MD5 and SHA1 are printed for compatibility with older tooling, and a match on those alone is weak evidence.
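The comparison just described, as an added example that is neither the page's nor Android's own code: it extracts SHA-256 certificate fingerprints from keytool -printcert output for the APK and from keytool -list -v output for the keystore, and reports the aliases whose certificate signed the APK. It also accepts the lowercase, colon-free digest lines printed by apksigner verify --print-certs, which is what you need for v2/v3-signed APKs. Both sample texts are constructed from fingerprints shown on this page; their surrounding lines approximate keytool's and apksigner's layout and are not captured output.

```python
"""Which keystore signed this APK?  Compare SHA-256 certificate fingerprints.

Added example (not from the page or the Android SDK).  Works on the text of
`keytool -printcert -jarfile app.apk` / `-printcert -file META-INF/X.RSA`,
`keytool -list -v -keystore ...` and `apksigner verify --print-certs`.
Only SHA-256 is compared: MD5 and SHA-1 collisions are practical.
"""
import re
import subprocess

# keytool: "\t SHA256: C3:B2:..."   apksigner: "... SHA-256 digest: c3b2..."
SHA256_LINE = re.compile(r"SHA-?256(?: digest)?:\s*([0-9A-Fa-f:]+)")
ALIAS_LINE = re.compile(r"^Alias name:\s*(.*?)\s*$", re.M)
ENTRY_SEP = re.compile(r"^\*{10,}\s*$", re.M)


def normalize(fp):
    """Make 'C3:B2:f7' and 'c3b2f7' compare equal."""
    return fp.replace(":", "").upper()


def signer_sha256(text):
    """SHA-256 fingerprints of every signer certificate found in the text."""
    return {normalize(fp) for fp in SHA256_LINE.findall(text)}


def keystore_sha256(listing):
    """alias -> SHA-256 of that entry's own certificate, from `keytool -list -v`."""
    result = {}
    for chunk in ENTRY_SEP.split(listing):
        alias = ALIAS_LINE.search(chunk)
        if alias is None:
            continue
        fps = SHA256_LINE.findall(chunk.split("Certificate[2]:")[0])  # leaf cert only
        if fps:
            result[alias.group(1)] = normalize(fps[0])
    return result


def matching_aliases(apk_certs_text, listing):
    """Aliases whose certificate signed the APK; an empty list means another keystore."""
    signers = signer_sha256(apk_certs_text)
    return [alias for alias, fp in keystore_sha256(listing).items() if fp in signers]


def printcert_jar(apk_path):
    """Signer certificates of an APK via keytool (covers the v1 JAR signature only)."""
    cmd = ["keytool", "-printcert", "-jarfile", apk_path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed samples using the fingerprints shown on this page; the surrounding
# lines approximate keytool's and apksigner's layout and are not captured output.
APK_CERTS = """\
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Certificate fingerprints:
\t SHA1: D1:FC:1A:52:BA:43:AE:D0:42:46:22:A5:3F:38:10:D7:7B:BB:05:B5
\t SHA256: C3:B2:F7:35:24:C1:51:C7:DD:DB:9F:54:BA:B4:D4:8D:2C:EC:A7:2B:04:40:1A:54:A5:B8:4C:35:33:14:34:78
Signature algorithm name: SHA256withRSA
"""

APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: c3b2f73524c151c7dddb9f54bab4d48d2ceca72b04401a54a5b84c3533143478
Signer #1 certificate SHA-1 digest: d1fc1a52ba43aed0424622a53f3810d77bbb05b5
"""

KEYSTORE_LISTING = """\
Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate[1]:
Certificate fingerprints:
\t SHA256: 9E:22:F6:1F:78:BD:A7:01:35:26:DF:01:DE:85:4E:63:27:63:0C:E8:69:6F:39:2D:37:65:F7:77:4A:57:04:11

*******************************************
*******************************************

Alias name: myalias
Entry type: PrivateKeyEntry
Certificate[1]:
Certificate fingerprints:
\t SHA256: C3:B2:F7:35:24:C1:51:C7:DD:DB:9F:54:BA:B4:D4:8D:2C:EC:A7:2B:04:40:1A:54:A5:B8:4C:35:33:14:34:78
"""

if __name__ == "__main__":
    # Offline demo; for real files use printcert_jar("app.apk") and the text of
    # `keytool -list -v -keystore debug.keystore` (placeholder names).
    print(matching_aliases(APK_CERTS, KEYSTORE_LISTING))
```

An empty result is as informative as a match: it tells you the APK in hand was not produced from that keystore, which is the question to settle before trusting an update or chasing a suspected key compromise.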
Export the signing certificate itself (public part only) to a file, for example to register the app with a service that wants the certificate rather than a fingerprint:

$ keytool -exportcert -alias myalias -keystore debug.keystore -file path_to_certificate_file
Enter keystore password:
Certificate stored in file <path_to_certificate_file>