
I need a clarification/confirmation about keytool and keys in general.

Many, many sites show that this is the way to obtain a keystore with a certificate:

keytool -genkey -keyalg RSA -alias my-certificate -keystore mykeystore.jks -validity 3600 -keysize 2048

And if you export it you can clearly see:

-----BEGIN CERTIFICATE-----
MIICVjCCAb8CCAogFQkp...
...rI7KvuXHX2JWNYLdBvC8V6aXAiIb
OaSAB3DoscgOqDh58bw5vEFwjxVo...
-----END CERTIFICATE-----

So this is a certificate indeed. But from this only the public key can be extracted. So can we say that a certificate is a secret key?

On the other hand, the keytool command:

-genkeypair

generates a key pair (a public key and a private key). The private key is for the server and the public key is for the others. So basically a certificate/secret key isn't the same as a private key? Both methods produce the public key, so basically a certificate is a private key?

Black.Jack

2 Answers


In short, a keystore contains key pairs, and a key pair consists of a public and a private key. So keytool creates both.

What you call a certificate is the public key. Since the private key is highly confidential to your application server, it should not be transferred insecurely; if possible it is not transferred at all. This means you should create a keystore on the application server and extract the public key from that keystore. After it is signed by a certificate authority, it should be added to the keystore to create a key chain.

A much more detailed answer can be found here.

Murat Güvenç

keytool creates two keys: a private key, which you use for signing, encrypting, and decrypting, i.e. anything that needs to be traced back to you. In order to trace something back to you, to validate your 'identity', you give others your public key certificate. This wraps your public key with identity information. If it's a self-signed public key certificate then you are saying you are, for example, ServerA, but no-one can really verify you're ServerA, as ServerA is claiming it's ServerA. To fix this, you export a Certificate Signing Request (CSR) from your keystore and send it to, e.g., Verisign, who validate that you are ServerA and then sign the certificate. What you end up with is a public key certificate saying you are ServerA, and that claim is signed by Verisign using their private key. Just about every entity out there has the Verisign public key certificate, so they can verify Verisign's signature, which means they then trust you as ServerA. You then distribute your public key certificate and everyone can encrypt messages to you, knowing that you are indeed ServerA, because of the root signature from Verisign.

codebrane
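As an added example (not code from either answer), a small Java program that opens the keystore produced by the question's keytool command and shows the two objects the answers distinguish: the certificate, which carries only the public key plus identity data and a signature, and the private key, which is a separate password-protected entry. It assumes the file mykeystore.jks, the alias my-certificate and a keystore password (changeit here) that you chose when keytool prompted for it.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class KeystoreInspect {
    public static void main(String[] args) throws Exception {
        // Assumptions: file and alias from the question's command; password is
        // whatever was entered at the keytool prompt (override via arguments).
        String path = args.length > 0 ? args[0] : "mykeystore.jks";
        String alias = args.length > 1 ? args[1] : "my-certificate";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        // -genkey(pair) stores a PrivateKeyEntry: private key + certificate chain.
        System.out.println("Alias is a key-pair entry: " + ks.isKeyEntry(alias));

        // The certificate is what `keytool -exportcert -rfc` writes out as the
        // BEGIN/END CERTIFICATE block; it contains the PUBLIC key only.
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        PublicKey pub = cert.getPublicKey();
        System.out.println("Subject:     " + cert.getSubjectX500Principal());
        System.out.println("Issuer:      " + cert.getIssuerX500Principal());
        boolean selfSigned = cert.getSubjectX500Principal()
                .equals(cert.getIssuerX500Principal());
        System.out.println("Self-signed: " + selfSigned);
        System.out.println("Public key:  " + pub.getAlgorithm() + " / " + pub.getFormat());

        // A self-signed certificate verifies under its own public key. A CA-signed
        // certificate would have to be verified with the CA's public key instead,
        // which is what gives the identity claim its weight.
        cert.verify(pub);
        System.out.println("Certificate signature verified with the embedded public key");

        // The private key never appears in the exported certificate; it is read
        // from the keystore separately, under its own password.
        PrivateKey priv = (PrivateKey) ks.getKey(alias, password);
        System.out.println("Private key: " + priv.getAlgorithm() + " / " + priv.getFormat());

        // Same PEM body the question shows, minus the BEGIN/END lines.
        String pem = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(cert.getEncoded());
        System.out.println("Exported certificate starts: " + pem.substring(0, 40) + "...");
    }
}
```

Run it with `java KeystoreInspect.java` (Java 11 or later) in the directory that holds mykeystore.jks; on a keytool-generated self-signed entry it prints the same subject and issuer, X.509 for the public key format and PKCS#8 for the private key.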