Monday, September 1, 2014

Generating Private and Public Key using keytool in Java

In this post, let's see how to generate a private and public key pair using the keytool command-line interface that comes bundled with Java. The available options of keytool can be listed with the following command

keytool -help

If the command does not work, make sure Java is installed and the JDK's bin directory is in your PATH.

First, let's generate the private key. keytool generates an RSA key pair and a self-signed certificate together and stores them in a keystore under an alias. Replace the alias, the keystore name and the identity details you are prompted for below with your own information. I am using RSA as the key algorithm and 1024 as the key size; 1024-bit RSA is no longer considered adequate, so use 2048 or larger for anything real. The certificate is valid for 90 days unless you add -validity <days>. Newer JDKs call this command -genkeypair; -genkey still works as an alias.

keytool -genkey -alias lalit_private -keyalg RSA -keysize 1024  -keystore lalit_private_keystore

Enter keystore password: Enter a password and remember it
Re-enter new password: Repeat the password
What is your first and last name?
  [Unknown]:  Lalit Bhatt
What is the name of your organizational unit?
  [Unknown]:  lalitbhatt
What is the name of your organization?
  [Unknown]:  lalitbhatt
What is the name of your City or Locality?
  [Unknown]:  Pune
What is the name of your State or Province?
  [Unknown]:  MH
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Lalit Bhatt, OU=lalitbhatt, O=lalitbhatt, L=Pune, ST=MH, C=IN correct?
  [no]:  yes

Enter key password for <lalit_private>
        (RETURN if same as keystore password):

The keystore contents can be listed with the -list command

keytool -list -keystore lalit_private_keystore
Enter keystore password: Enter keystore password

It shows something like the following

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

lalit_private, Sep 1, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:C7:81:8E:D7:9F:52:6E:2C:2F:83:2C:79:49:4E:1E:7E:FA:B3:86

Note the entry type, PrivateKeyEntry: this keystore holds the private key together with its self-signed certificate. Now export that certificate to a temporary file, which we will use to build the public key store. Despite the file name, private.cer contains only the certificate (the public key, the subject name and a self-signature), never the private key, so this step exposes no secret.

keytool -export -alias lalit_private -file private.cer -keystore lalit_private_keystore

Enter keystore password: Enter keystore password
Certificate stored in file <private.cer>

Now import the certificate file into a different keystore, which will act as the public key store (a trust store)

keytool -import -alias lalit_public -file private.cer -keystore lalit_public_keystore

Enter keystore password: Enter a different password. This will be the public keystore password
Re-enter new password: Repeat the password
Owner: CN=Lalit Bhatt, OU=lalitbhatt, O=lalitbhatt, L=Pune, ST=MH, C=IN
Issuer: CN=Lalit Bhatt, OU=lalitbhatt, O=lalitbhatt, L=Pune, ST=MH, C=IN
Serial number: 78cb3fd5
Valid from: Mon Sep 01 19:00:53 IST 2014 until: Sun Nov 30 19:00:53 IST 2014
Certificate fingerprints:
         MD5:  05:50:38:68:3E:AD:A7:A9:9D:F0:9E:69:B5:67:93:A0
         SHA1: 3C:C7:81:8E:D7:9F:52:6E:2C:2F:83:2C:79:49:4E:1E:7E:FA:B3:86
         SHA256: DD:D4:1C:BB:4B:18:FD:4C:D3:57:CB:E4:51:56:54:4F:F7:AC:3B:80:9C:56:F5:9F:21:8C:E9:18:7C:39:CB:E7
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6D D7 F5 E2 F4 3D D8 82   19 3C 0A 8C 47 78 EF 9C  m....=...<..Gx..
0010: 4C E9 2A B0                                        L.*.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

If all the steps complete without error, you should see three files in your working directory. lalit_private_keystore holds the private key; keep it secret and protected by its password. lalit_public_keystore holds only the certificate, stored as a trustedCertEntry, and can be handed to anyone who needs to verify your signatures or encrypt data for you. The third file, private.cer, is an intermediate copy of that same certificate and can be deleted. Listing the public keystore shows the same fingerprint as the private keystore because a fingerprint is a hash of the certificate, not of the private key; the two stores differ in what they contain, not in which certificate they describe.

For encrypting and decrypting data using the Java API, see the follow-up post.
Signing your Certificate with a Certificate Authority
More on Java

2 comments:

  1. Thanks for the post. I have a question: you export the private key and import it in a public keystore. You end up having private and public keystore with the same key in it, isn't it? keytool shows the same fingerprint, and I expected no less.
