Java security questions

http://www.exampledepot.com/egs/java.security.cert/CreateCert.html

heading says "Creating a New Key Pair and Self-Signed Certificate Using keytool"

I read the code.

A few questions:

a) See the command >> keytool -genkey -alias alias -keystore .keystore

Can I use anything else apart from .keystore?

Say I want abc.jks ... is it ok? Actually I don't like that extension .keystore ... what restriction is there?
What else can I use there?

(b)
What pair are they talking about?

(c) Self-signed certificate means what?

(d) Did this command create both a key and a certificate, or just a key only? The word "pair" used in the heading is a bit confusing ... I want to be very clear about what's going on here.

thanks

cofactorAsked:

jamovilleCommented:
a. Call it what you want - it doesn't even have to have an extension. I use .jks
b. Private and public key. Your keystore contains a private and public key. The two are used for secure communication when creating an HTTPS connection. The private key is not shared with the other communicant but the public one is.
c. You are signing the cert yourself. Rather than creating a real certificate that was signed by a trusted vendor such as Verisign, you are creating the cert. Hence self-signed. A self-signed cert will show with a warning in a browser because the signing authority ("you") is not trusted by the browser.
0

cofactorAuthor Commented:
You said,

b. Private and public key. Your keystore contains a private and public key. The two are used for secure communication when creating an HTTPS connection. The private key is not shared with the other communicant but the public one is.

>>> Your keystore contains a private and public key.

Is it possible to see those keys? I want to see both the private and public key ... is it possible?

If I understand you correctly then you are saying a keystore holds a public key, a private key and a self-signed certificate ... right?

I can see the content of the certificate easily because if I run this command
http://www.exampledepot.com/egs/java.security.cert/ExportCert.html?l=rel

this shows me the content of a cert file in a text format as shown in the example.

Now, I want to see the public key and private key stored in the keystore ... how can I see that?
0
cofactorAuthor Commented:
No comment?
0

jamovilleCommented:
Take a look here for some examples of exporting and viewing the keys
http://stackoverflow.com/questions/150167/how-do-i-list-export-private-keys-from-a-keystore

You can't view the private key so that you don't accidentally expose it to others.

>> If I understand you correctly then you are saying a keystore holds a public key, a private key and a self-signed certificate ... right?
Correct, kind of - the public and private key are part of the cert that is signed.
0
cofactorAuthor Commented:
You said

>>the public and private key are part of the cert that is signed

Do you mean a cert file contains both private and public key?

I see a cert file's content exported here ... see this:

(http://www.exampledepot.com/egs/java.security.cert/ExportCert.html?l=rel)

It has the exported cert content text as

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Do you mean the content inside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is a public key?

Do you mean the content inside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is a private key?

Do you mean the content inside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is a private and public key mixed?

Please clarify.

Thanks
0
jamovilleCommented:
This is a little deeper than I may be able to answer. My understanding is that there is no way to view the private key, so what is between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is a public key in the cert. It is a text view of the certificate, which contains the public key. The non-text view, which is the cert in the keystore, contains the private key. This is only available when encrypting. There is no way to visibly see it as this could cause a security issue.
0
mbodewesCommented:
I'll have to step in here...

The keystore can hold certificates and private keys. The certificates contain the public key of the public key / private key pair. Normally certificates are signed by private keys belonging to other certificates to form a certificate chain. With self-signed certificates the private key belonging to the same certificate is however used to sign the certificate, so you basically have a chain only one certificate long. This chain and private key can be used by Java applications using the alias specified for the key store.

It seems that keytool does not have a method to export the private key after it has been created, but (if you have the password) it is certainly possible to do this by software.

The name of the store does not matter, unless you need to use the keystore with an application or e.g. the SSL implementation within the JRE itself. In that case you must either use the default keystore or point the application or the JRE to the correct key store to use, normally by setting a system property (this is more or less obvious I guess).

The command you issued also creates the certificate. The certificate contains names etc., a key does not have any user information etc.

The certificate can be viewed by using openssl or, on Windows, simply copying it to a file, naming it mycert.crt, and double-clicking it. So I now know your real name I guess :). The certificate is PEM encoded (basically just base64 encoding). The binary encoding is DER, which is kind of a binary XML mainly used for communications and cryptography.
0
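To make the description above concrete, here is an added example (mine, not code from this thread or from the ExampleDepot page) that opens a keystore created with the keytool command in the question and prints what each alias holds. It assumes a JKS-type store whose path, store password and optional key password come from the command line; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
// Added example (not from the thread): list what a keytool-made keystore holds.
// Usage: java KeyStoreInspector abc.jks <storepass> [keypass]
public class KeyStoreInspector {
    public static void main(String[] args) throws Exception {
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);               // wrong store password -> IOException
        }
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            PublicKey pub = cert.getPublicKey();  // the certificate carries only the public key
            System.out.println("alias: " + alias);
            System.out.println("  subject/issuer: " + cert.getSubjectX500Principal()
                    + " / " + cert.getIssuerX500Principal());
            System.out.println("  public key    : " + pub.getAlgorithm() + " (" + pub.getFormat() + ")");
            System.out.println("  self-signed   : " + isSelfSigned(cert));
            if (ks.isKeyEntry(alias)) {
                // Key entry = private key + certificate chain; after -genkey the chain is one
                // self-signed cert long. keytool never exports the private key, but any
                // program that knows the key password can read it through this API.
                int chainLen = ks.getCertificateChain(alias).length;
                PrivateKey priv = (PrivateKey) ks.getKey(alias, keyPass);
                System.out.println("  entry         : private key (" + priv.getAlgorithm() + ", "
                        + priv.getFormat() + ", bytes not printed) + chain of " + chainLen);
            } else {
                // Trusted-certificate entry: public key only, used to validate other parties.
                System.out.println("  entry         : trusted certificate (no private key)");
            }
        }
    }
    // Self-signed: issuer equals subject AND the signature verifies under the cert's own
    // public key. A PKI client does the same check with the issuer's certificate instead.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```

Run it against the store from the question and the key entry for alias `alias` shows up with a one-certificate chain and a private key that is reachable only with the key password.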
cofactorAuthor Commented:
Thanks for the info @jamoville, @mbodewes ... please see the summary below ... I am writing in my own words ... please validate whether I have absorbed the whole thing correctly.

So, I conclude this way...

When I create the keystore by using the keytool command, a certificate, a public key and a private key are generated.

Example:
keytool -genkey -alias alias -keystore .keystore

Now, the content of the certificate is the public key ... this key is encrypted.

You'll not find the private key in the certificate file ... but surely, it's somewhere hidden inside the keystore.

The keytool command can't export the private key out of the keystore ... but there are external programs/software to export the private key out of the keystore.

@mbodewes,

you said,

>>The keystore can hold certificates and private keys

Suppose I have a keystore abc.jks. Can I import external certificates and external private keys into my abc.jks apart from my own self-signed certificate ... is that correct?

Thanks
0
mbodewesCommented:
I'll just answer the wrong assumptions:

"Now, the content of the certificate is the public key ... this key is encrypted."

The whole keystore is encrypted using the password of the keystore. The public key is not encrypted within the certificate, because the public key may be known to anybody without sacrificing security. Hence the name. Certificates are used to verify data including other certificates using the public key stored within the certificates.

This is basic PKI, try and read up on it. I'm sure there is more info on Wikipedia and numerous other sources.

"Suppose I have a keystore abc.jks. Can I import external certificates and external private keys into my abc.jks apart from my own self-signed certificate ... is that correct?"

It seems you cannot import private keys. You normally create a *certificate request* if you need a certificate from one of the trusted third parties like Verisign (e.g. when you want your server to work with any browser). This certificate can then be imported using the import statement. Your private key is generated and stored within the keystore. It should never leave this keystore, since it has to stay secret. It is only used to sign things, such as certificate requests and other certificates.

You can also import certificates from other sources to validate internet servers. Basically you use these certificates to validate that the other computer has a valid certificate chain (starting at one of the stored certificates) and the accompanying private key. The stored certificates must be marked "trusted" to be able to do this.

All this is basic PKI (public key infrastructure), and it is rather important to read up on it, otherwise using the tools is very complicated and error prone.
0
cofactorAuthor Commented:
The entire process looks a bit complicated.
I have seen the docs and wiki but found so much jargon, and the entire thing goes round in a loop.

Let me try to understand your comments line by line.

>>>Certificates are used to verify data including other certificates using the public key stored within the certificates.

Confused here.

Verify what data? What other certificates are you talking about? Suppose I have only 1 certificate in abc.jks which I created using the keytool command and this has been placed in my server.

>>>It seems you cannot import private keys. You normally create a *certificate request* if you need a certificate from one of the trusted third parties like Verisign.

Verisign provides what? The entire keystore file? Or just a certificate only? I guess one can purchase a sample_verisign_cert_file.cert from them by paying charges. We already have seen a certificate which we created using the keytool command ... we also have seen the public key in it.

How is the Verisign certificate different from ours? What magic things are there in the Verisign certificate? Do they provide a lengthier public key in their certificate, or what's the matter here?

Some people say, if your certificate is not signed by a browser-recognized vendor like Verisign then you will get a warning message in the browser when you try to access the secured site ... so what?
We can have our own generated cert? Is that bad?

>>>This certificate can then be imported using the import statement
I believe you mean we can import this certificate in the browser ... right? I know IE has an import certificate button when you get an alert for accepting a certificate ... is that what you meant?

>>>Your private key is generated and stored within the keystore.

Who is generating the private key now? I am just using the browser to access a secured site.
Do you mean the browser is generating the private key? Did you mean a private key and a keystore will be generated on my machine, i.e. on a client machine?

>>It should never leave this keystore, since it has to stay secret. It is only used to sign things, such as certificate requests and other certificates.

What do you mean by "sign things" here?

Let me understand these now ..

Thanks

0
mbodewesCommented:
If you just have a single certificate, then the public key within that certificate can be used to verify a signed challenge within the SSL handshake. So your server would send over the certificate during the handshake and the client can then verify a signed challenge generated later on using the public key.

Of course, the problem with that scheme is that the client needs to trust the certificate. If you use a self signed certificate, you get a secure connection, but the client cannot verify which server it connects to.

This is why there are TTPs (trusted third parties) that will generate certificates for you. Those certificates will be signed by a very private key at their organization. The reason that clients (e.g. browsers) can trust those certificates is that they contain a trusted key store with the certificates of e.g. Verisign (in IE, check out the [certificates...] button under options).


With the import I mean the import of the certificate tool command. You can directly generate a key pair and a self signed certificate, or you can generate a key pair and a certificate request, which you can then send to the TTP to get a certificate from them. You can import that certificate using the import argument of the keytool command.

The key pairs will always be generated at the server, where they are used. Normally, clients do not generate key pairs (unless client authentication is used, but this is rather uncommon).

I've included a link (by coincidence to a Verisign server, no, I do not own stock) that explains certificates a bit more. Please try to read it. As said, without an understanding of PKI and certificates, using keytool is not going to be easy...

http://www.verisign.com.sg/repository/tutorial/cryptography/intro1.shtml


0
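As an added example (mine, not part of this thread), the two points above in working Java against the same kind of keystore: the "signed challenge" that a client verifies with the public key from the server's certificate, and a certificate's own signature being checked with the issuer's public key (its own when self-signed, a TTP's otherwise). The class name, the command-line aliases and the assumption that the key password equals the store password (what you get by pressing RETURN at keytool's key-password prompt) are mine.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.X509Certificate;
// Added example (not from the thread): what "signing" and "verifying" mean above.
// Usage: java ChallengeDemo abc.jks <storepass> <server-alias> [issuer-alias]
// Assumes the key entry's password equals the store password (RETURN at keytool's prompt).
public class ChallengeDemo {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        PrivateKey serverPriv = (PrivateKey) ks.getKey(args[2], args[1].toCharArray());
        X509Certificate serverCert = (X509Certificate) ks.getCertificate(args[2]);
        PublicKey serverPub = serverCert.getPublicKey();
        // 1. The handshake's "signed challenge" in miniature: client picks random bytes,
        //    server signs them, client verifies with the public key from the certificate.
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge);
        byte[] sig = sign(serverPriv, challenge);
        System.out.println("challenge verifies with cert's public key: " + verify(serverPub, challenge, sig));
        challenge[0] ^= 1;   // any change to the signed data breaks the signature
        System.out.println("verifies after tampering with the challenge: " + verify(serverPub, challenge, sig));
        // 2. "Certificates verify other certificates": a cert's signature is checked with the
        //    issuer's public key: its own for self-signed, the TTP's (already trusted) otherwise.
        X509Certificate issuer = args.length > 3 ? (X509Certificate) ks.getCertificate(args[3]) : serverCert;
        try {
            serverCert.verify(issuer.getPublicKey());
            System.out.println("certificate signed by: " + issuer.getSubjectX500Principal());
        } catch (GeneralSecurityException e) {
            System.out.println("certificate NOT signed by " + issuer.getSubjectX500Principal());
        }
    }
    // Signature scheme matching the key type keytool generated (DSA, RSA or EC).
    static String sigAlg(Key k) {
        return "EC".equals(k.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + k.getAlgorithm();
    }
    static byte[] sign(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(sigAlg(priv));
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }
    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance(sigAlg(pub));
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }
}
```

With only the self-signed entry from the question, the first line prints true, the second false, and the certificate check passes against its own key; point it at a trusted-certificate alias that did not issue the server cert and the last line reports that the signature does not verify.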