Introduction to keytool

Last modified: 27 August 2020

1. Overview

In this short tutorial, we’re going to introduce the keytool command. We’ll learn how to use keytool to create a new certificate and check the information for that certificate.

2. What Is keytool?

Java includes the keytool utility in every JDK release. We use it to manage keys and certificates and to store them in a keystore, a password-protected file. The keytool command lets us generate key pairs, create self-signed certificates, import and export certificates, and show what a keystore contains.

In the following sections, we’re going to go through different functionalities of this utility.

3. Creating a Self-Signed Certificate

First of all, let's create a self-signed certificate, of the kind used, for example, to secure communication between services in a development environment. Because nobody vouches for a self-signed certificate, every peer has to be configured to trust it explicitly; for production use, a certificate issued by a CA is the norm.

In order to generate the certificate, we’re going to open a command-line prompt and use keytool command with the -genkeypair option:

keytool -genkeypair -alias <alias> -keypass <keypass> -validity <validity> -storepass <storepass>

Let's learn more about each of these parameters:

  • alias – the name under which the key pair and its certificate are stored in the keystore
  • keypass – the password protecting the private key of this entry. We'll need it for any operation that uses the private key
  • validity – the validity period of the certificate, in days
  • storepass – the password protecting the keystore. If the keystore doesn't exist yet, this becomes its password

Two options are missing from this minimal command and fall back to defaults: with no -keystore, keytool uses the file .keystore in the user's home directory, and with no -keyalg, older JDKs silently generate a DSA key (which is why the listing later in this tutorial shows a 2048-bit DSA key), while recent JDKs warn when -keyalg is omitted. For anything beyond a quick experiment, pass -keystore and -keyalg (for example RSA or EC) explicitly.

For example, let's generate a certificate named "cert1" whose private key is protected by the password "pass123" and which is valid for one year. We'll also specify "stpass123" as the keystore password:

keytool -genkeypair -alias cert1 -keypass pass123 -validity 365 -storepass stpass123

After executing the command, keytool prompts for the fields of the certificate's distinguished name, the subject that will later appear as Owner in the listing:

What is your first and last name?
  [Unknown]:  Name
What is the name of your organizational unit?
  [Unknown]:  Unit
What is the name of your organization?
  [Unknown]:  Company
What is the name of your City or Locality?
  [Unknown]:  City
What is the name of your State or Province?
  [Unknown]:  State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Name, OU=Unit, O=Company, L=City, ST=State, C=US correct?
  [no]:  yes

As mentioned, if we haven’t created the keystore before, creating this certificate will create it automatically.

We could also run -genkeypair without any parameters. Whatever mandatory value the command line doesn't supply (the keystore password, the key password, the distinguished name) keytool prompts for interactively.

Note that passwords should not be passed on the command line (-keypass or -storepass) outside throwaway development setups: they are recorded in the shell history and are visible to other users of the machine in the process list. Either omit them and let keytool prompt, or use the -storepass:env VAR and -storepass:file path forms (and the matching -keypass:env / -keypass:file) to read the password from an environment variable or from a file with restricted permissions.
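Putting this section together, here is a non-interactive version of the procedure as an added example (not code from the original article). It makes explicit the defaults that the interactive walkthrough relies on: an RSA-2048 key instead of DSA, a SHA-256 signature, a PKCS12 keystore at a chosen path, a subject alternative name so TLS clients can match the host, and passwords read from an environment variable rather than typed on the command line. The environment variable name KS_PASS, the function names, and the file and alias names are this example's own choices; it assumes a JDK 8 or later keytool on PATH.

```shell
#!/usr/bin/env sh
# Added example, not code from the original article.
# Generates a self-signed certificate non-interactively, with the defaults the
# interactive walkthrough relies on made explicit. Assumes a JDK 8+ keytool on
# PATH and the password in the environment variable KS_PASS (a name chosen for
# this example); keystore path, alias and validity are function arguments.
set -eu

# Refuse to run without a password and export it so keytool's child process
# can read it via -storepass:env / -keypass:env.
require_pass() {
    [ -n "${KS_PASS:-}" ] || { echo "KS_PASS is not set" >&2; return 2; }
    export KS_PASS
}

# gen_dev_keystore <keystore-file> <alias> <validity-days>
# Creates (or adds to) a PKCS12 keystore holding one RSA-2048 key pair and a
# SHA-256-signed self-signed certificate for localhost. The password never
# appears in the shell history or in the process list.
gen_dev_keystore() {
    ks="$1"; name="$2"; days="$3"
    require_pass
    keytool -genkeypair \
        -alias "$name" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity "$days" \
        -dname "CN=localhost, OU=Dev, O=Example, L=City, ST=State, C=US" \
        -ext "SAN=dns:localhost,ip:127.0.0.1" \
        -keystore "$ks" -storetype PKCS12 \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# keystore_has_alias <keystore-file> <alias>
# Returns 0 if the alias exists. keytool -list -alias exits non-zero when the
# alias is absent, so the exit status is the answer and no output is parsed.
keystore_has_alias() {
    require_pass
    keytool -list -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS \
        -alias "$2" >/dev/null 2>&1
}

# export_cert_pem <keystore-file> <alias> <out.pem>
# Exports the public certificate (never the private key) in PEM form so it
# can be handed to the peer that needs to trust it.
export_cert_pem() {
    require_pass
    keytool -exportcert -rfc -keystore "$1" -storetype PKCS12 \
        -storepass:env KS_PASS -alias "$2" -file "$3"
}

# Demo, run only when KEYTOOL_DEMO is set:
#   KEYTOOL_DEMO=1 KS_PASS='dev-only-password' sh thisfile
if [ -n "${KEYTOOL_DEMO:-}" ]; then
    gen_dev_keystore dev.p12 devcert 365
    keystore_has_alias dev.p12 devcert && echo "devcert is present"
    export_cert_pem dev.p12 devcert devcert.pem
    keytool -list -v -keystore dev.p12 -storetype PKCS12 \
        -storepass:env KS_PASS -alias devcert
fi
```

Because the store type is PKCS12, keytool requires the key password to equal the store password, which is why both :env forms point at the same variable. keystore_has_alias relies on keytool's exit status rather than on its output, so it can be used directly in an if or &&.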

4. Listing Certificates in the Keystore

Next, we’re going to learn how to view the certificates that are stored in our keystore. For this purpose, we’ll use the -list option:

keytool -list -storepass <storepass> 

The output of the command shows the certificate that we've created. The listing below comes from a JDK 8 keytool: the keystore type defaulted to JKS and the short form prints a SHA-1 fingerprint, whereas JDK 9 and later default to PKCS12 and print a SHA-256 fingerprint:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

cert1, 02-ago-2020, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 0B:3F:98:2E:A4:F7:33:6E:C4:2E:29:72:A7:17:E0:F5:22:45:08:2F

If we want the information for one specific certificate, we just need to add the -alias option to the command. To get more than the default summary, we'll also add the -v (verbose) option:

keytool -list -v -alias <alias> -storepass <storepass> 

This prints everything keytool knows about the entry: the certificate chain, owner and issuer, serial number, validity period, fingerprints, signature and key algorithms, and the X.509 extensions. Note that Owner and Issuer are identical, which is what self-signed means, and that the key is DSA, the default this JDK chose because no -keyalg was given:

Alias name: cert1
Creation date: 02-ago-2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Name, OU=Unit, O=Company, L=City, ST=State, C=US
Issuer: CN=Name, OU=Unit, O=Company, L=City, ST=State, C=US
Serial number: 11d34890
Valid from: Sun Aug 02 20:25:14 CEST 2020 until: Mon Aug 02 20:25:14 CEST 2021
Certificate fingerprints:
	 MD5:  16:F8:9B:DF:2C:2F:31:F0:85:9C:70:C3:56:66:59:46
	 SHA1: 0B:3F:98:2E:A4:F7:33:6E:C4:2E:29:72:A7:17:E0:F5:22:45:08:2F
	 SHA256: 8C:B0:39:9F:A4:43:E2:D1:57:4A:6A:97:E9:B1:51:38:82:0F:07:F6:9E:CE:A9:AB:2E:92:52:7A:7E:98:2D:CA
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A1 3E DD 9A FB C0 9F 5D   B5 BE 2E EC E2 87 CD 45  .>.....].......E
0010: FE 0B D7 55                                        ...U
]
]
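Reading a verbose listing by eye does not scale past a handful of entries, and the output above already shows three things a reviewer would flag: Owner and Issuer are identical (self-signed), the key is DSA, and the certificate expires after one year. The following is an added example, not code from the original article, that turns those checks into a script. It reads keytool -list -v output on stdin and prints one line per alias, marking weak signature algorithms (MD2, MD5, SHA-1), weak keys (DSA, RSA under 2048 bits, EC under 256 bits), self-signed private-key entries, and certificates that are expired or expire within a given number of days. The "today" date is passed as YYYYMMDD so the result is reproducible. Only the first certificate of each chain (the entry's own certificate) is examined. The listing it runs on is constructed for the example: cert1 is copied from the output above, and the web and legacy entries are made up.

```shell
#!/usr/bin/env sh
# Added example, not code from the original article: audit a "keytool -list -v"
# listing for weak algorithms, self-signed private-key entries and expiry.
# Usage: keytool -list -v -keystore ks.p12 | audit_keystore_listing YYYYMMDD WARN_DAYS

# audit_keystore_listing <today-YYYYMMDD> <warn-days>   (listing on stdin)
audit_keystore_listing() {
    awk -v today="$1" -v warn="$2" '
    # Julian day number of a Gregorian date; differences give days between dates.
    function jdn(y, m, d,    a, yy, mm) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    # Print the findings for the entry collected so far, then reset state.
    function flush(    out, left) {
        if (alias == "") return
        out = ""
        if (weaksig) out = out " WEAK_SIG(" sigalg ")"
        if (weakkey) out = out " WEAK_KEY(" keydesc ")"
        if (type == "PrivateKeyEntry" && owner != "" && owner == issuer) out = out " SELF_SIGNED"
        if (until != "") {
            left = until - jdn(substr(today, 1, 4) + 0, substr(today, 5, 2) + 0, substr(today, 7, 2) + 0)
            if (left < 0) out = out " EXPIRED(" left "d)"
            else if (left <= warn) out = out " EXPIRES_SOON(" left "d)"
        }
        print alias ":" (out == "" ? " OK" : out)
        alias = ""; type = ""; owner = ""; issuer = ""; until = ""
        sigalg = ""; keydesc = ""; weaksig = 0; weakkey = 0
    }
    /^Alias name: / { flush(); alias = substr($0, 13) }
    /^Entry type: / { type = $3 }
    # Only the first certificate of the chain (the entry itself) is examined.
    /^Owner: /  { if (owner == "") owner = substr($0, 8) }
    /^Issuer: / { if (issuer == "") issuer = substr($0, 9) }
    /^Signature algorithm name: / {
        if (sigalg == "") { sigalg = $4; weaksig = (sigalg ~ /MD2|MD5|SHA1/) }
    }
    /^Subject Public Key Algorithm: / {
        if (keydesc == "") {
            keydesc = $5 " " $6; split($5, b, "-"); bits = b[1] + 0
            weakkey = ($6 == "DSA" || ($6 == "RSA" && bits < 2048) || ($6 == "EC" && bits < 256))
        }
    }
    /^Valid from: .* until: / {
        if (until == "") {
            sub(/.* until: /, ""); n = split($0, f, " ")
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[2]) + 2) / 3
            until = jdn(f[n] + 0, m, f[3] + 0)
        }
    }
    END { flush() }
    '
}

# Constructed sample listing: cert1 is the entry from the article; web (CA-issued,
# two-certificate chain) and legacy (old trusted root) are made up for the example.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: cert1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Name, OU=Unit, O=Company, L=City, ST=State, C=US
Issuer: CN=Name, OU=Unit, O=Company, L=City, ST=State, C=US
Serial number: 11d34890
Valid from: Sun Aug 02 20:25:14 CEST 2020 until: Mon Aug 02 20:25:14 CEST 2021
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key

Alias name: web
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=web.example.test, O=Example, C=US
Issuer: CN=Example Dev CA, O=Example, C=US
Valid from: Mon Jan 20 00:00:00 CET 2020 until: Wed Jan 20 00:00:00 CET 2021
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Dev CA, O=Example, C=US
Issuer: CN=Example Dev CA, O=Example, C=US
Valid from: Wed Jan 01 00:00:00 CET 2020 until: Tue Jan 01 00:00:00 CET 2030
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key

Alias name: legacy
Entry type: trustedCertEntry
Owner: CN=Old Root, O=Legacy, C=US
Issuer: CN=Old Root, O=Legacy, C=US
Valid from: Mon Jan 01 00:00:00 CET 2001 until: Thu Dec 31 23:59:59 CET 2020
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
EOF
}

# Stand-alone run: audit the sample listing against the real current date.
sample_listing | audit_keystore_listing "$(date +%Y%m%d)" 30
```

Against a real keystore, replace sample_listing with keytool -list -v -keystore <file> (the password is still best supplied through -storepass:env or the interactive prompt). A self-signed trustedCertEntry is not flagged, since a trust anchor is self-signed by definition; only private-key entries serving their own self-signed certificate are marked.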

5. Other Features

Apart from the functionalities that we’ve already seen, there are many additional features available in this tool.

For example, we can delete the certificate we created from the keystore:

keytool -delete -alias <alias> -storepass <storepass>

We can also rename an entry by changing its alias (-keypass unlocks the entry's private key when its password differs from the keystore password; if it's omitted, keytool prompts for it):

keytool -changealias -alias <alias> -destalias <new_alias> -keypass <keypass> -storepass <storepass>

Finally, to get more information about the tool, we can ask for help through the command line:

keytool -help

6. Conclusion

In this quick tutorial, we’ve learned a bit about the keytool utility. We’ve also learned to use some basic features included in this tool.