Self-Signing Certificates
A generated key pair is not usable until its certificate has been signed. For testing purposes only, you can use keytool to self-sign the certificate, as follows:
%JAVA_HOME%\bin\keytool -selfcert -alias privkey -keystore privkeystore -keypass foobar -storepass foobar
Next, self-sign the certificate stored under the pubcert alias in the same way:
%JAVA_HOME%\bin\keytool -selfcert -alias pubcert -keystore pubcertkeystore -keypass foobar -storepass foobar
Exporting Certificates with the Keytool Utility
After generating and self-signing the keys/certificates and storing them in the keystores, import each public key into the other key's keystore. This requires two steps: exporting the public key to a certificate file and importing the certificate to the other keystore. To export the public key to a certificate file, use:
%JAVA_HOME%\bin\keytool -export -keystore pubcertkeystore -alias pubcert -storepass foobar -file pubcert
You should see a response that says:
Certificate stored in file <pubcert>
You can also use the keytool utility to display the contents of the certificate file using the -printcert option, as follows:
%JAVA_HOME%\bin\keytool -printcert -file pubcert
The output will look like:
Owner: CN=pubcert
Issuer: CN=pubcert
Serial number: 42e5b3c4
Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
Certificate fingerprints:
MD5: 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77
The exported certificate contains the public key and the distinguished name given to the certificate (in this case, CN=pubcert).
Importing Certificates into Keystores
To import a public certificate into the keystore of the private key, issue the command:
%JAVA_HOME%\bin\keytool -import -alias pubcert -file pubcert -keystore privkeystore -storepass foobar
The output looks like:
Owner: CN=pubcert
Issuer: CN=pubcert
Serial number: 42e5b3c4
Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
Certificate fingerprints:
MD5: 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77
Before answering the prompt, compare the fingerprints shown with the ones printed by -printcert for the file you exported (or with a value the certificate's owner gave you out of band); answer yes only if they match:
Trust this certificate? [no]: yes
Certificate was added to keystore
Now that the certificate has been imported into the private key's keystore, you can reexamine the contents of the keystore using the keytool utility with the -list option, as follows:
%JAVA_HOME%\bin\keytool -list -keystore privkeystore
Enter keystore password: foobar
After entering your password you'll see the following output:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
privkey, Jul 25, 2005, keyEntry,
Certificate fingerprint (MD5): E7:4A:D9:D7:67:A6:6D:E7:A5:C4:28:22:3D:C5:C4:30
pubcert, Jul 25, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
As the preceding listing shows, there are now two entries in the private key's keystore. The first, with the alias privkey, is a key entry (it holds the private key and its certificate). The second, with the alias pubcert, is a trusted certificate entry created from the certificate file.
At this point you have performed sufficient key management tasks to use the private-key keystore to perform WS-Security tasks using the Apache Web Services Security for Java framework.