6. Java keytool
keytool manages keys and certificates, which it stores in a file called a keystore.
A keystore holds two kinds of entries:
Key entries (a private key together with its certificate chain)
Trusted certificate entries (certificates of parties the owner trusts, such as a CA)
7. Java keytool
Keytool Command
-keystore Keystore file. Default: the file named .keystore in the user's home directory
-alias Alias of the entry to create or act on. Default: "mykey"
-genkey Create a key pair and add it to the keystore
-keyalg Key algorithm name. Default: "DSA"
-keysize Key size in bits. Default: 1024
-certreq Generate a Certificate Signing Request (CSR)
-import Import a certificate or a certificate chain
-list List the entries in a keystore
-v Verbose output
8. Jar signing - Step1
Creating a Sample CA Certificate
openssl req -config c:\openssl\bin\openssl.cnf -new -x509
-keyout ca-key.pem -out ca-certificate.pem -days 365
Using properties from c:\openssl\bin\openssl.cnf
Loading 'screen' into random state: done
Generating a 1024 bit RSA private key
.................++++++
.....................++++++
writing new private key to 'ca-key.pem.txt'
Enter PEM pass phrase:
Verifying password: Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Monrovia
Organization Name (eg, company) []:Sun
Organizational Unit Name (eg, section) []:Development
Common Name (eg, your websites domain name) []:development.sun.com
Email Address []:development@sun.com
9. Jar signing - Step2
Create java keystore
keytool -keystore clientkeystore -genkey -alias client
Enter keystore password:
What is your first and last name?
[Unknown]: Jason
What is the name of your organizational unit?
[Unknown]: Jason
What is the name of your organization?
[Unknown]: Jason
What is the name of your City or Locality?
[Unknown]: Jason
What is the name of your State or Province?
[Unknown]: Jason
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
[no]: yes
Enter key password for <client>
(RETURN if same as keystore password):
10. Jar signing
Keystore verbose output
keytool -list -v -keystore clientkeystore
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: client
Creation date: 2014/3/7
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Serial number: 3277605
Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014
12. Jar signing - Step4
Generate a signed certificate for the associated Certificate Signing Request.
openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem.txt -in client.csr -out
client.cer -days 365 -CAcreateserial
13. Jar signing - Step5
Use the keytool to import the CA certificate into the client keystore
keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot
14. Jar signing
Keystore verbose output
Alias name: thecaroot
Creation date: 2014/3/7
Entry type: trustedCertEntry
Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: cd1836b5bb6f8295
Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015
15. Jar signing - Step6
Use the keytool to import the signed certificate for the associated client alias in the keystore.
keytool -import -keystore clientkeystore -file client.cer -alias client
16. Jar signing
Keystore verbose output
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: client
Creation date: 2014/3/7
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: 86848dcdcc6a2971
Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015
Certificate[2]:
Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: cd1836b5bb6f8295
17. Jar signing - Step7
Generates signatures for Java ARchive (JAR) files
jarsigner -keystore clientkeystore SignedApplet.jar client
18. Jar signing
Verifying a Signed JAR File
jarsigner -verify -verbose SignedApplet.jar
s 169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF
320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF
1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA
0 Mon Feb 21 19:29:40 CST 2011 META-INF/
sm 2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
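The legend on this slide is the part worth automating. "jar verified." only says that the signatures present are consistent with the entries they cover: jarsigner still prints it when the JAR contains unsigned entries or when the signer's chain is not trusted, and the k flag can only appear when -verify is given a -keystore to check the signer against. The function below is an added example, not part of the slides. It reads jarsigner -verify -verbose output on stdin and returns 0 only when every entry outside META-INF/ carries s and m and the signer was found in the keystore (k); it returns 1 for missing or unsigned entries and 2 for a signed-but-untrusted JAR. The three sample outputs are constructed from the slide's listing; entry names are assumed to contain no spaces.

```shell
#!/bin/sh
# check_jarsigner_output: read `jarsigner -verify -verbose [-keystore ...]` output on
# stdin and grade it. Exit 0 = signed and signer in keystore, 1 = not verified or an
# entry lacks s/m, 2 = verified but signer not in keystore (no k flag).
check_jarsigner_output() {
  awk '
    $2 == "="          { next }                       # legend lines: "s = signature was verified"
    /^jar verified\.$/ { verified = 1; next }
    {
      flags = ""; size = $1
      if ($1 ~ /^[smki]+$/) { flags = $1; size = $2 } # flag column is absent on unsigned entries
      if (size !~ /^[0-9]+$/) next                    # not an entry line (blank, warnings, command echo)
      name = $NF
      if (name ~ /\/$/ || name ~ /^META-INF\//) next  # directories and the signature files themselves
      total++
      if (flags !~ /s/ || flags !~ /m/) { bad++; printf "UNSIGNED: %s\n", name }
      if (flags ~ /k/) trusted++
    }
    END {
      if (!verified)       { print "no \"jar verified.\" line"; exit 1 }
      if (bad > 0)         { print bad " entries without s+m flags"; exit 1 }
      if (trusted < total) { print "signer not found in keystore (no k flag)"; exit 2 }
      print "ok: " total " signed entries, signer in keystore"; exit 0
    }'
}

# Constructed samples modelled on the slide's listing (not real tool output).
# 1: verified with -keystore, signer found -> k present.
SAMPLE_TRUSTED='s        169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF
         320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF
        1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA
           0 Mon Feb 21 19:29:40 CST 2011 META-INF/
smk     2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

jar verified.'

# 2: same JAR verified without -keystore, so no k flag can appear.
SAMPLE_UNTRUSTED='s        169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF
sm      2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class

jar verified.'

# 3: a class added after signing; jarsigner still says "jar verified." (with a warning).
SAMPLE_TAMPERED='s        169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF
smk     2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class
        4096 Tue Mar 11 09:00:00 CST 2014 Extra.class

jar verified.'

printf '%s\n' "$SAMPLE_TRUSTED" | check_jarsigner_output
```

In practice pipe the real tool into it: jarsigner -verify -verbose -keystore clientkeystore SignedApplet.jar | check_jarsigner_output, and treat any non-zero exit as a failed check rather than grepping for "jar verified.".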
19. Jar signing - Step8
Go to「Java Control Panel」→「Security Tab 」→ 「Manage Certificates」
Import ca-certificate.pem file
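Steps 1 to 8 as one non-interactive script, added here as an example and not taken from the slides. It runs the same tool chain (openssl, keytool, jar, jarsigner) with every prompt answered on the command line, supplies the CSR step that the page's slide 11 is missing (keytool -certreq, which the command table lists), and replaces the Java Control Panel import of step 8 with its command-line equivalent, passing the keystore that holds the CA to jarsigner -verify. The password, distinguished names and file names are constructed placeholders. Where the slide takes keytool's defaults (DSA, 1024 bit) the script asks for RSA 2048 explicitly, and it uses the long option names -genkeypair and -importcert, which keytool accepts alongside -genkey and -import.

```shell
#!/bin/sh
# Added example: the slide's eight steps as one script. Needs openssl and a JDK
# (keytool, jar, jarsigner) on PATH. All names and passwords are placeholders.
set -eu

STOREPASS='changeit'        # placeholder; a real deployment reads this from a secret store
KEYSTORE='clientkeystore'

# Step 1: sample CA. -x509 turns the request into a self-signed certificate,
# which is what lets it act as a root. -nodes leaves the CA key unencrypted
# only because this is a throwaway demo.
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca-key.pem -out ca-certificate.pem \
    -subj '/C=US/ST=California/L=Monrovia/O=Example/CN=Example Demo CA'
}

# Step 2: keystore with one key entry (self-signed for now). Algorithm and
# size are set explicitly instead of relying on the DSA/1024 defaults.
make_keystore() {
  keytool -genkeypair -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias client -keyalg RSA -keysize 2048 -validity 365 \
    -dname 'CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US'
}

# Step 3 (missing from the page): CSR for the client key.
make_csr() {
  keytool -certreq -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias client -file client.csr
}

# Step 4: the CA signs the CSR.
sign_csr() {
  openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem \
    -in client.csr -out client.cer -days 365 -CAcreateserial
}

# Steps 5 and 6: the CA certificate goes in as a trusted certificate entry;
# the signed certificate then replaces the self-signed one under the existing
# 'client' key entry. Order matters: keytool builds the chain from the trusted
# entries already in the keystore, so the CA must be imported first.
import_certs() {
  keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias thecaroot -file ca-certificate.pem -noprompt
  keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias client -file client.cer -noprompt
}

# Step 7: sign a JAR (built here from a placeholder file).
sign_jar() {
  echo 'hello' > hello.txt
  jar cf sample.jar hello.txt
  jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" sample.jar client
}

# Step 8: verify against the keystore that holds the CA, so that the signer
# is checked for trust (k flag) and not just for internal consistency.
verify_jar() {
  jarsigner -verify -verbose -keystore "$KEYSTORE" sample.jar
}

# Runs every step inside the given directory (a subshell, so the caller's
# working directory is untouched). Returns 0 only if the client entry ends up
# with a 2-certificate chain and the JAR verifies.
run_all() (
  mkdir -p "$1" && cd "$1"
  make_ca; make_keystore; make_csr; sign_csr; import_certs; sign_jar
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias client \
    | grep -q 'Certificate chain length: 2'
  verify_jar | grep -q '^jar verified'
)

# Usage: sh sign_jar_demo.sh <work-dir>
if [ $# -eq 1 ]; then run_all "$1"; fi
```

The grep on "Certificate chain length: 2" is the same check the slide makes by eye on slide 16: before step 6 the chain length is 1, after it the client entry carries both the client certificate and the CA certificate.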