Re: JDK 1.2EA1 and Keytool

Jan Luehe (Jan.Luehe@Eng)
Mon, 29 Sep 1997 09:58:44 -0700 (PDT)

To: paul.andrighetti@Central, Roland.Schemers@Eng


Paul:

Here's a list of supported options. Note that "validity"
has been added for JDK1.2beta1.

Thanks,

Jan

----------------------------------------------------------

laguna{luehe}224: keytool -help
KeyTool usage:

-csr [-v] [-alias <alias>] [-sigalg <sigalg>]
[-file <csr_file>] [-keypass <keypass>]
[-keystore <keystore>] [-storepass <storepass>]

-delete [-v] -alias <alias>
[-keystore <keystore>] [-storepass <storepass>]

-export [-v] [-alias <alias>] [-file <cert_file>]
[-keystore <keystore>] [-storepass <storepass>]

-genkey [-v] [-alias <alias>] [-keyalg <keyalg>]
[-keysize <keysize>] [-sigalg <sigalg>]
[-dname <distinguished_name>] [-validity <valDays>]
[-keypass <keypass>] [-keystore <keystore>]
[-storepass <storepass>]

-help

-import [-v] [-alias <alias>] [-file <cert_file>]
[-keypass <keypass>] [-keystore <keystore>]
[-storepass <storepass>]

-keyclone [-v] [-alias <alias>] -dest <dest_alias>
[-keypass <keypass>] [-new <new_keypass>]
[-keystore <keystore>] [-storepass <storepass>]

-keypasswd [-v] [-alias <alias>]
[-keypass <old_keypass>] [-new <new_keypass>]
[-keystore <keystore>] [-storepass <storepass>]

[-list] [-v | -rfc] [-alias <alias>]
[-keystore <keystore>] [-storepass <storepass>]

-printcert [-v] [-file <cert_file>]

-selfcert [-v] [-alias <alias>] [-sigalg <sigalg>]
[-dname <distinguished_name>] [-validity <valDays>]
[-keypass <keypass>] [-keystore <keystore>]
[-storepass <storepass>]

-storepasswd [-v] [-new <new_storepass>]
[-keystore <keystore>] [-storepass <storepass>]



----------------------------------------------------------
[attached file: doc]

/**
* This utility administers databases of information used to authenticate
* with JavaSoft's JarTool implementation. The authentication information
* includes both a sequence (chain) of X.509 certificates, and an associated
* private key, which can be referenced by a so-called "alias". This tool also
* manages trusted certificates, which are stored in the same database as the
* authentication information, and can be referenced by an "alias".
*
* <P>The chains of X.509 certificates are provided by organizations called
* <em>certificate authorities</em>, or <em>CA</em>s. Identities (including
* CAs) use their private keys to authenticate their association with objects,
* such as with channels which are secured using SSL, with archives of code
* they signed, or (for CAs) with X.509 certificates they have issued. As
* a bootstrapping tool, <em>genkey</em> certificates may be used until
* a certificate authority returns a certificate chain.
*
* <P>The private keys in this database are always stored in encrypted
* form, to make it difficult to disclose these private keys inappropriately.
* A passphrase is required to access or modify the database.
*
* <P><em>These private keys are encrypted using a "passphrase", which
* should be several words long. You should guard the passphrase extremely
* carefully! If you lose that passphrase, you will not be able to recover
* those authentication keys. However, if you let someone else know it,
* they will either be able to tell you when you forget, or they will be
* able to masquerade as you without your consent. So you should not tell
* it to anyone you don't trust to act on your behalf. Misuse of your keys
* could incur substantial liability for you.</em>
*
* <P><hr>This class is intended to be used from the command line.
* Algorithm names must be provided using their standard name.
* See Appendix A in the CryptoSpec.html file in the "docs/guide/security"
* directory of your JDK installation directory for information about standard
* algorithm names. Algorithm names are case sensitive.
* At this time, only the DSS/DSA signature algorithm is supported.
*
* <P>The command line options for each command may be provided in any order.
*
* <TABLE BORDER>
* <CAPTION><FONT SIZE=+2><b>
* Commands
* </b></FONT></CAPTION>
*
* <TR><TH>Command</TH><TH>Description</TH></TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-csr [-alias &lt;alias&gt;] [-sigalg &lt;sigalg&gt;]
* [-file &lt;csr_file&gt;]
* [-keypass &lt;keypass&gt;]</CODE></TD>
* <TD>Generates a Certificate Signing Request (CSR), using the PKCS#10
* format. A CSR is intended to be sent to a certificate authority (CA).
* The CA will authenticate the certificate requestor (usually off-line)
* and will return a certificate or certificate chain, used to replace the
* existing certificate chain (which initially consists of a self-signed
* certificate) in the user's keystore.
* The private key and X.500 Distinguished Name associated with
* <em>alias</em> are used to create the PKCS#10 certificate request.
* <em>alias</em> defaults to the string <em>mykey</em>.
* <em>sigalg</em> specifies the algorithm that should be used to
* sign the CSR. The specified algorithm must be compatible with the
* selected private key. The default signature algorithm is DSA With SHA1.
* The CSR is stored in the file <em>csr_file</em>. If no file is given,
* the CSR is output to stdout.
* In order to access the private key, the user must provide a passphrase,
* <em>keypass</em>, which is used to recover the private key (private keys
* are stored in encrypted format in the keystore). If <em>keypass</em> is not
* provided at the command line, and is different from the passphrase used to
* protect the integrity of the keystore, the user will be prompted for it.
* Use the <em>import</em> command to import the response from the
* CA.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-delete -alias &lt;alias&gt;</CODE></TD>
* <TD>Deletes the entry identified by <em>alias</em> from
* the keystore.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-export [-alias &lt;alias&gt;] [-file &lt;cert_file&gt;]
* </CODE></TD>
* <TD>Reads the certificate associated with
* <em>alias</em>, and stores it in the file <em>cert_file</em>.
* <em>alias</em> defaults to the string <em>mykey</em>.
* If no file is given, the certificate is output to stdout.
* The certificate is output in printable encoding format, as defined by
* the Internet RFC 1421 standard, and is bounded at the beginning by
* -----BEGIN CERTIFICATE-----, and bounded at the end by
* -----END CERTIFICATE-----.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-genkey [-alias &lt;alias&gt;] [-keyalg &lt;keyalg&gt;]
* [-keysize &lt;keysize&gt;] [-sigalg &lt;sigalg&gt;]
* [-dname &lt;dname&gt;] [-validity &lt;valDays&gt;]
* [-keypass &lt;keypass&gt;]
* </CODE></TD>
* <TD>Generates a new public/private key pair, and wraps the public key
* into a self-signed certificate, which is stored as a single-element
* certificate chain along with the private key in the keystore entry
* identified by <em>alias</em>.
* <em>alias</em> defaults to the string <em>mykey</em>.
* <em>keysize</em> specifies the size of the key pair to be generated.
* The default key size is 768 bits.
* <em>keyalg</em> specifies the algorithm of the key pair to be
* generated. The default key algorithm is DSA.
* <em>sigalg</em> specifies the algorithm that should be used to sign the
* self-signed certificate; this algorithm must be compatible with
* <em>keyalg</em>.
* <em>dname</em> specifies the X.500 Distinguished Name
* to be associated with <em>alias</em>, and is used as the issuer and
* owner fields in the self-signed certificate. If no distinguished
* name is provided at the command line, the user will be prompted for
* one.
* <em>valDays</em> tells the number of days for which the (self-signed)
* certificate should be considered valid (default: 90 days).
* <em>keypass</em> is a user-chosen passphrase which is used to protect the
* private key of the generated key pair. If no passphrase is provided at the
* command line, the user will be prompted for it. <em>keypass</em> must be
* at least 6 characters.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-help</CODE></TD>
* <TD>Lists all commands and their options.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-import [-alias &lt;alias&gt;] [-file &lt;cert_file&gt;]
* [-keypass &lt;keypass&gt;]</CODE></TD>
* <TD>Reads the certificate from the file <em>cert_file</em>, and stores
* it in the keystore entry identified by <em>alias</em>.
* <em>alias</em> defaults to the string <em>mykey</em>.
* If no file is given, the certificate is read from stdin.
* The certificate must be provided in printable encoding format,
* as defined by the Internet RFC 1421 standard, and must be bounded at
* the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at
* the end by -----END CERTIFICATE-----.
* This command is used to add a certificate to the list of
* trusted certificates in the keystore, or import a certificate reply
* that was received from a CA as the result of submitting a CSR to
* that CA (see the <em>csr</em> command). In the latter case, the
* passphrase under which the corresponding private key is protected must be
* provided in <em>keypass</em>; if <em>keypass</em> is not given, the user
* will be prompted for it.
* When importing a certificate reply, the keystore entry identified by
* <em>alias</em> must have a private key. The certificate reply is
* validated using trusted certificates from the keystore, until a
* self-signed certificate (belonging to a root CA) is reached. The
* certificate reply and the hierarchy of certificates used to
* authenticate the certificate reply form the new certificate chain of
* <em>alias</em>, and replace the old certificate chain associated with
* this entry.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD NOWRAP><CODE>-keyclone [-alias &lt;alias&gt;] -dest &lt;dest_alias&gt;
* [-keypass &lt;keypass&gt;] [-new &lt;new_keypass&gt;]</CODE></TD>
* <TD>Creates a new keystore entry, which has the same private key and
* certificate chain as the original entry.
* The original entry is identified by <em>alias</em>. <em>alias</em>
* defaults to the string <em>mykey</em>.
* The new (destination) entry is identified by <em>dest_alias</em>.
* <em>keypass</em> is the passphrase under which the private key in the
* original entry is protected.
* <em>new_keypass</em> is the passphrase under which the private key in the
* new entry will be protected.
* If <em>keypass</em> or <em>new_keypass</em> are not provided at the
* command line, the user will be prompted for them.
* This command can be used to establish multiple certificate
* chains corresponding to a given key pair, or for backup purposes.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD NOWRAP><CODE>-keypasswd [-alias &lt;alias&gt;]
* [-keypass &lt;old_keypass&gt;]
* [-new &lt;new_keypass&gt;]</CODE></TD>
* <TD>Changes the passphrase under which the private key identified by
* <em>alias</em> is protected from <em>old_keypass</em> to
* <em>new_keypass</em>.
* <em>alias</em> defaults to the string <em>mykey</em>.
* If <em>old_keypass</em> or <em>new_keypass</em> are not provided at the
* command line, the user will be prompted for them.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-list [-alias &lt;alias&gt;]</CODE></TD>
* <TD>Prints the contents of the keystore entry identified by <em>alias</em>.
* If no alias is given, the contents of the entire keystore are printed.
* This command is the default.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-printcert [-file &lt;cert_file&gt;]</CODE></TD>
* <TD>Reads the certificate from the file <em>cert_file</em>, and prints
* its contents in a human readable format.
* If no file is given, the certificate is read from stdin.
* The certificate must be provided in printable encoding format,
* as defined by the Internet RFC 1421 standard, and must be bounded at
* the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at
* the end by -----END CERTIFICATE-----.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-selfcert [-alias &lt;alias&gt;] [-sigalg &lt;sigalg&gt;]
* [-dname &lt;dname&gt;] [-validity &lt;valDays&gt;]
* [-keypass &lt;keypass&gt;]</CODE></TD>
* <TD>Generates a self-signed certificate, using keystore information
* including the private key and public key associated with <em>alias</em>.
* <em>alias</em> defaults to the string <em>mykey</em>.
* <em>sigalg</em> specifies the algorithm that should be used to
* sign the certificate. The specified algorithm must be compatible with the
* selected private key. The default signature algorithm is DSA With SHA1.
* If <em>dname</em> is supplied at the command line, it is
* used as the X.500 Distinguished Name for both the issuer and subject of the
* certificate. Otherwise, the X.500 Distinguished Name associated with
* <em>alias</em> is used.
* <em>valDays</em> tells the number of days for which the certificate should
* be considered valid (default: 90 days).
* In order to access the private key, the user must provide a passphrase,
* <em>keypass</em>, which is used to recover the private key (private keys
* are stored in encrypted format in the keystore). If <em>keypass</em> is not
* provided at the command line, and is different from the passphrase used to
* protect the integrity of the keystore, the user will be prompted for
* it.
* The generated certificate is stored as a single-element certificate chain
* in the keystore entry identified by <em>alias</em>, where it replaces the
* existing certificate chain.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-storepasswd [-new &lt;new_storepass&gt;]</CODE></TD>
* <TD>Changes the passphrase used to protect the integrity of the
* user's keystore contents to <em>new_storepass</em>, which must be at least
* 6 characters.</TD>
* </TR>
*
* </TABLE>
*
* <TABLE BORDER>
* <CAPTION><FONT SIZE=+2><b>
* More Command Options
* </b></FONT></CAPTION>
*
* <TR><TH>Option</TH><TH>Description</TH></TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-v</CODE></TD>
* <TD>Run the command in verbose mode. Prints detailed certificate and
* private key information.
* This option is supported by all commands.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-rfc</CODE></TD>
* <TD>When printing certificates, use the printable encoding format
* as defined by the Internet RFC 1421 standard, instead of a human
* readable format.
* Also, bound the certificates at the beginning by
* -----BEGIN CERTIFICATE-----, and at the end by
* -----END CERTIFICATE-----.
* This certificate format facilitates exporting certificates to other
* applications.
* This option is only supported by the <em>list</em> command.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-keystore &lt;keystore&gt;</CODE></TD>
* <TD>The keystore (file) location. Defaults to the file
* <em>.keystore</em> in the user's HOME directory.</TD>
* </TR>
*
* <TR VALIGN=TOP>
* <TD><CODE>-storepass &lt;storepass&gt;</CODE></TD>
* <TD>The user passphrase which is used to protect the integrity of the
* user's keystore.
* <em>storepass</em> must be at least 6 characters.
* It must be provided to all commands that modify the keystore contents.
* When retrieving information from the keystore, the passphrase is
* optional: If no passphrase is given, the integrity of the retrieved
* information cannot be checked.
* If <em>storepass</em> is not provided at the command line, the user will be
* prompted for it.</TD>
* </TR>
*
* </TABLE>
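The export, import and printcert commands and the -rfc option above all rely on the same file format: RFC 1421 printable encoding, base64 text bounded by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. The following is an added example, not keytool's own code, showing how a practitioner can check such a file before feeding it to -import or -printcert: it verifies both boundary lines, decodes the base64 strictly, and checks that the result is a DER SEQUENCE whose length field matches the decoded size. The sample body is a constructed five-byte DER SEQUENCE standing in for a real certificate so the check runs offline; the function names are this example's own.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _der_length(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (bytes used, content length)."""
    first = buf[pos]
    if first < 0x80:
        return 1, first
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def parse_printable_cert(text: str) -> bytes:
    """Return the DER bytes of a certificate given in printable encoding
    (RFC 1421 base64 between BEGIN/END CERTIFICATE lines), the format
    keytool -import and -printcert expect. Raises ValueError on bad framing
    or bad encoding."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        raise ValueError("missing BEGIN CERTIFICATE boundary")
    if lines[-1] != END:
        raise ValueError("missing END CERTIFICATE boundary")
    body = "".join(lines[1:-1])
    if not body:
        raise ValueError("empty certificate body")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    # A DER-encoded X.509 Certificate is a SEQUENCE (tag 0x30); the outer
    # length must account for exactly the bytes that follow it.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    hdr_len, content_len = _der_length(der, 1)
    if 1 + hdr_len + content_len != len(der):
        raise ValueError("DER length does not match decoded size")
    return der


def is_printable_cert(text: str) -> bool:
    """Boolean wrapper around parse_printable_cert for quick checks."""
    try:
        parse_printable_cert(text)
        return True
    except ValueError:
        return False


def to_printable(der: bytes) -> str:
    """Inverse operation: wrap DER bytes the way -export and -list -rfc
    emit them, base64 in 64-character lines between the boundaries."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


# Constructed stand-in for a certificate body: a tiny DER SEQUENCE holding
# one INTEGER, so the framing logic can be exercised without a real X.509
# certificate. It is NOT a certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = to_printable(SAMPLE_DER)

if __name__ == "__main__":
    print(SAMPLE_PEM)
    print(parse_printable_cert(SAMPLE_PEM).hex())
```

The length check matters in practice: a file that was truncated in transit still has valid base64 and may still carry the END line if it was re-assembled by hand, but the DER length no longer matches and the file should be rejected rather than imported.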
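The import command's description states the rule for accepting a certificate reply: the reply is validated using the trusted certificates in the keystore until a self-signed (root CA) certificate is reached, and the resulting hierarchy becomes the entry's new chain. The following is an added illustration of that chain walk, not keytool's implementation. It uses a hypothetical Cert record holding only subject and issuer names, links each certificate to its issuer through the trusted set, stops at a self-signed certificate, and refuses the reply when no trusted path exists, when issuer links loop, or when a self-signed reply is not itself in the trusted set. A real implementation additionally verifies each signature and compares the reply's public key with the key in the entry; the sample certificates are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate record: only the names needed for
    the chain walk. Real certificates also carry keys and signatures."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_reply_chain(reply: Cert, trusted: List[Cert],
                      max_depth: int = 10) -> Optional[List[Cert]]:
    """Walk from the reply to a self-signed root using only certificates in
    the trusted set. Returns the chain (reply first, root last) or None if
    the reply cannot be anchored in a trusted root."""
    by_subject: Dict[str, Cert] = {c.subject: c for c in trusted}
    chain = [reply]
    current = reply
    while not current.self_signed:
        if len(chain) >= max_depth:
            return None  # runaway or cyclic issuer links
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return None  # issuer is not among the keystore's trusted certs
        chain.append(issuer)
        current = issuer
    # The root reached must itself be trusted; this also rejects a
    # self-signed reply that nobody in the keystore vouches for.
    if chain[-1] not in trusted:
        return None
    return chain


# Constructed sample hierarchy: root -> issuing CA -> end-entity reply.
ROOT = Cert("CN=Test Root CA", "CN=Test Root CA")
ISSUING = Cert("CN=Test Issuing CA", "CN=Test Root CA")
REPLY = Cert("CN=alice", "CN=Test Issuing CA")
TRUSTED = [ROOT, ISSUING]

if __name__ == "__main__":
    chain = build_reply_chain(REPLY, TRUSTED)
    print([c.subject for c in chain] if chain else "reply rejected")
    print(build_reply_chain(REPLY, [ROOT]))  # intermediate missing -> None
```

The second call in the usage shows the common operational failure: the CA's reply is a single end-entity certificate, the intermediate was never imported as a trusted certificate, and so the reply cannot be chained to the root and must be rejected rather than stored.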
