[TOC]

1 简介

keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.
A certificate is a digitally signed statement from one entity (person, company, etc.), saying that the public key (and some other information) of some other entity has a particular value. (See Certificates.) When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.

keytool also enables users to administer secret keys used in symmetric encryption/decryption (e.g. DES).

keytool stores the keys and certificates in a keystore.

通过以上官方文档中的一部分内容,我们可以了解到:

  • keytool是一个秘钥和证书的管理工具
  • keytool可以用于管理对称加密和非对称加密
  • keytool将秘钥和证书存储在keystore中

2 命令格式

2.1 几点说明

  • 所有的命令和选项都以减号(-)打头
  • 命令的选项可以以任意的位置出现
  • 选项的值中如果有空白字符,必须用引号引起来
  • -help命令是默认的命令,所以keytoolkeytool -help是一样的

2.2 命令列表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
[root@hylexus ~]# keytool 
Key and Certificate Management Tool
Commands:
 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore
Use "keytool -command_name -help" for usage of command_name

2.3 一些选项的默认值

  • -alias “mykey”
  • -keyalg
    • “DSA” (使用 -genkeypair的时候)
    • “DES” (使用 -genseckey)的时候
  • -keysize
    • 1024(当使用 -genkeypair的时候)
    • 56 (当使用 -genseckey 并且 -keyalg 为 “DES”的时候)
    • 168 (当使用 -genseckey 并且 -keyalg 为 “DESede”的时候)
  • -validity 90
  • -keystore 用户家目录下名为.keystore的文件
  • -file
    • 读的时候为stdin
    • 写的时候为stdout
  • -protected false

3 使用示例

3.1 生成秘钥对儿/自签署证书

创建密钥对的时候,同时就创建了一个自签署的证书

1
keytool -genkeypair -alias tomcat -keyalg rsa -keysize 2048 -validity 365 -keystore /soft/tomcat7-80/conf/keystore

解释如下:

1
2
3
4
5
6
7
keytool \
	-genkeypair \ # 生成秘钥对儿
	-alias tomcat \ # 名称
	-keyalg rsa \ # 算法名称
	-keysize 2048 \# 长度
	-validity 365 \# 有效期
	-keystore /soft/tomcat7-80/conf/keystore # 存储位置

3.2 生成CSR

CSR即Certificate Signing Request,证书颁发请求。

1
keytool -certreq -keyalg rsa -alias tomcat -file /soft/tomcat7-80/conf/tomcat.csr -keystore /soft/tomcat7-80/conf/keystore

解释如下:

1
2
3
4
5
6
keytool -certreq \ # 创建CSR命令
	-keyalg rsa \ # 加密算法
	-alias tomcat \ #在可以store中存储的别名
	-file /soft/tomcat7-80/conf/tomcat.csr \ # 输出文件位置
	 #指定keystore的位置,默认为用户家目录下的.keystore文件
	-keystore /soft/tomcat7-80/conf/keystore

3.3 导出证书

1
keytool -exportcert -file /soft/tomcat7-80/conf/server.crt -alias tomcat -keystore /soft/tomcat7-80/conf/keystore

解释如下:

1
2
3
4
5
6
7
keytool -exportcert \ 导出命令
	# 导出到哪里?
	-file /soft/tomcat7-80/conf/server.crt \
	# 导出哪个?
	-alias tomcat \
	# 从哪个keystore中导出?默认为用户家目录~/.keystore文件
	-keystore /soft/tomcat7-80/conf/keystore

3.4 导入证书

1
keytool -importcert -file /soft/tomcat7-80/conf/server.crt -alias myCA -keystore /soft/tomcat7-80/conf/keystore -trustcacerts

解释如下:

1
2
3
4
5
6
7
8
keytool -importcert \ # 导入命令
	# 从哪里导入?
	-file /soft/tomcat7-80/conf/server.crt \
	# 起别名
	-alias myCA \
	# 使用哪个keystore?
	-keystore /soft/tomcat7-80/conf/keystore \
	-trustcacerts

3.5 列出keystore中存储的内容

1
2
3
4
5
keytool -list
keytool -list -keystore /soft/tomcat7-80/conf/keystore 
keytool -list -keystore /soft/tomcat7-80/conf/keystore -alias tomcat

解释如下:

1
2
3
keytool -list \ # list命令
	# 使用哪个keystore?
	-keystore /soft/tomcat7-80/conf/keystore

3.6 导入现成的私钥和证书到keystore

看看这个来自stackoverflow的截图:

stackoverflow

貌似keytool并不提供或说是不直接提供方法导入私钥。

不过可以绕绕,最终借助于openssl来解决:

http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i

http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore

http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

来自stackoverflow的解决方案

1
2
3
4
5
# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12
# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert

以后有时间在补齐其他命令的使用吧……

参考文章

http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i
http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html
http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore