Java Keytool Tutorial: Part 2 - What is a KeyStore?

Captions
Hey guys, in the part 1 video of the keytool series we talked about keytool and what it does, and we talked about different keystores and the way they work. In this video you will see how keystores are created and how we can generate keys and store them in a keystore.

Here I am logged in to my Linux virtual machine, which I used in the previous video, and now I'm going to execute a simple keytool command, which is keytool -genkey. What this command does is it will generate a key pair along with a self-signed certificate. So it's asking for a password; confirm it. I'm just going to leave it as "testing", leave everything else blank, yes, and enter. All right, so this is the command that I executed. When you're not mentioning the keystore name, it will by default create a keystore in your home directory. So this is my home directory, and there's a file called .keystore. Let me do a long listing. So here we are: this is the keystore file that got generated automatically in the event when you are not mentioning the keystore name. The same thing happens if I do keytool -list: if I don't mention the keystore name, it will automatically, once again, read the keystore file from the home directory. Also, because I didn't mention the store type, the keystore type is JKS, and this is the private key entry. If I do -v I should see a verbose output; verbose output adds some extra details. So when I do -v it shows the private key entry and the thumbprint and some other information about the certificate that I generated. There's also something called -rfc; this command will print the actual certificate in its PEM format. It's the same for Windows as well, so if I open a command prompt: keytool -genkey, and "testing", leave everything else blank, yes, enter. So I have a keystore in the home directory; if I do dir, here's the keystore file. All right, let's go back. I'm going to execute the keytool -list command one more time. Okay, if you see here, the alias of this private key is "mykey".

Now in the previous command we executed keytool -genkey; we did not pass the keystore name as well as the alias. Now, when you don't supply the alias, keytool will automatically set the alias as "mykey". Let's try to run that keytool -genkey command one more time and see what happens. It clearly gives an error that says "key pair not generated, alias mykey already exists". We can simply pass the alias, so I'll just name it as "testingkey". Okay, "testing", yes. All right, let's do keytool -list, and now I have testingkey over here and mykey, which was named by the keytool command by default.

Let's execute another keytool command, and this time I'm going to pass some more information: -genkey -alias, I want this key name to be, I don't know, "applekey"; -keyalg, I want to generate an RSA key pair; -keysize 2048; -validity 365 days; -sigalg SHA256withRSA; and let's do -dname as well. So if you remember, when I'm generating a key it will always ask for this first name, last name, things like that; I can simply pass that information in the command line. So common name, I'll call it "apple"; location, I don't know, US I guess; I'll just leave it. Okay, enter. One two three, yeah, that's my password: apple123. Okay, keytool -list, and now we see another private key entry. And let's do a verbose output. Okay, so in this output you could clearly see that this is the date when the certificate was created; it's a private key entry; there's only one certificate, and this is that certificate. This certificate is valid for one year; if you remember, I passed validity as 365, so this certificate is valid for one year. I also passed the signing algorithm as SHA256withRSA, so that's what we see here, and the key size was 2048, that's what we see here. We didn't pass any extension, so it's all blank.

The next few keytool commands that I will be executing are really long. I thought typing each of those commands would make this video quite lengthy, so I have already typed those commands in a notepad; I'll just copy-paste those commands into this terminal for you to see. So here's the first command; copy this and paste it here: keytool -genkey -alias mysigningkey -keyalg RSA -keysize 2048, the signing algorithm will be SHA256withRSA, -keystore mystore.jks, and this is going to be the distinguished name. I'm going to hit enter, enter the password, repeat that same password and hit enter again. Okay, I'm getting a warning over here, and it clearly states that I'm using a JKS keystore. However, regardless of this warning, I was still able to generate this key pair and the certificate of type RSA.

Let's see what happens if I try to add a secret key in this keystore. So I'll clear this screen first, and this is the command; this command is a little bit different: keytool -genseckey, or generate secret key; the alias is myaeskey, -keyalg AES, -keysize 256, and the keystore is mystore.jks. Hit enter and the password. All right, so I'm getting a warning over here that says "keytool error: java.security.KeyStoreException: Cannot store non-PrivateKeys". If you remember, in my previous video I mentioned that JKS keystores are only allowed to store private keys and certificates; you're not allowed to store secret keys in it. If you want to store secret keys you should be using JCEKS, so I'm going to repeat the same command using a JCEKS keystore. So I'll clear the screen; I'm going to copy the next command. Here's the command: it's the same command except I'm changing the file extension from .jks to .jce, and the store type is going to be JCEKS. Hit enter, retype the password, enter. All right, we are getting a warning: it says that it's a JCEKS keystore. However, I was able to generate the AES key.

Similarly, let me clear the screen; I can generate a DES3 key as well. So copy this, paste: keytool -genseckey -alias mydeskey -keyalg DESede, this is for the DES3 key, -keystore mystore.jce -storetype JCEKS. I'm going to hit enter, here's the password, enter, and the key is generated. Let's try to list this keystore: keytool -list -keystore mystore.jce, and the store type is going to be JCEKS. And there you have it: we have mydeskey, which is a secret key entry, and I also have an AES key, which is also a secret key entry. Let's see if I'm allowed to store an asymmetric key, such as... let's try to generate an ECDSA key. So I already have a command; copy, let me clear the screen and paste. Now, keytool -genkey -alias myeckey -keyalg EC -groupname: now for elliptic curve we have to mention the curve name of the key that we are going to use, so this is the curve that I will be using. Signing algorithm is SHA256withECDSA, validity 730, keystore is going to be mystore.jce, store type JCEKS, and this is the distinguished name. I'm going to hit enter, and I am able to generate an asymmetric key. Let's try to list it, and here is the list of keys that we have: two secret keys and a private key along with a certificate.

Let's try to generate some keys using P12 keystores. By the way, I forgot to mention: in this command I had to mention the curve ID for the group name. If you don't know where to find this curve ID, there's a very easy way. If you're on Linux, every Linux distribution has OpenSSL pre-installed in it; it's actually part of the Linux distribution. So there's a command called openssl ecparam -list_curves; if I hit enter I should be able to get the list of all supported curves. At the moment I'm getting only four curves, and I believe the reason is the version of OpenSSL; it's very old. Yeah, it is old; I'm sure this version is not supported by OpenSSL anymore. The latest version, OpenSSL 1.1, 1.1.1, I don't know, or something, I'm sure that has a lot more curves than this. Actually, I think I do have the latest version, OpenSSL 3, on my Windows; let me bring this command over here, command prompt: openssl ecparam -list_curves, and as you can see over here, I'm getting a very long list of supported curves. I can choose any one of them and use it with my keytool command.

All right, I'm going to clear the screen. Let's try some PKCS12 keystores. So I'm going to copy this command; it's very simple. Basically it's just the same command, except I'm just changing the name of the file and the store type: here the file name is mystore.p12, store type is PKCS12, everything else is the same. I'm going to enter the password, retype the password, and my key is generated, and I'm also not getting any warning; there's no warning whatsoever. Let's try to generate a secret key inside this keystore. So clear the screen again, paste: keytool -genseckey -alias myaeskey; it's the same command except I'm using the P12 keystore mystore.p12 and store type is PKCS12. Hit enter and the key is generated. Let's try to generate an ECDSA key: clear the screen, paste the command, so same command as before, I'm just changing the store type and the keystore file. I'm going to hit enter and the key is generated. Let's try to list it: keytool -list -keystore mystore.p12, and the store type is PKCS12, and these are the keys I have: mysigningkey, which is an RSA key, I believe, and I have an AES key and an ECDSA key.

That's all I have for you on keytool in today's video. The next video is going to be about migrating keys. I hope you found this video to be helpful. Please use the comment section if you have a question, subscribe to my channel if you are not already subscribed, and hopefully I will see you in the next video.
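The following script is an added example, not part of the video or the channel's material. It replays the transcript's experiment (an RSA key pair, then an AES secret key, in a JKS, a JCEKS and a PKCS12 store) non-interactively, so the difference between store types is visible in one run instead of three typed sessions. It assumes a JDK keytool is on PATH; the file names, aliases, password and distinguished name are constructed for the demo, and -genkeypair is the current spelling of the -genkey command used in the video.

```shell
#!/bin/sh
# Added example, not from the video: generate an RSA key pair and then try to add
# an AES secret key to a JKS, a JCEKS and a PKCS12 keystore, and report which store
# types accept the secret key. Assumes a JDK "keytool" on PATH; every name and
# password below is constructed for this demo.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the keystore files
PASS="changeit"                # demo password only; never reuse for real stores

# Generate an RSA-2048 key pair with a self-signed SHA256withRSA certificate,
# like the video's "mysigningkey" command, with every prompt answered by flags.
gen_keypair() {  # $1 = keystore file name, $2 = store type (JKS | JCEKS | PKCS12)
  keytool -genkeypair -alias mysigningkey -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 \
    -dname "CN=demo signing key, O=Example, C=US" \
    -keystore "$WORK/$1" -storetype "$2" \
    -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Try to add an AES-256 secret key. Prints "stored" or "rejected" instead of
# aborting, so the caller can compare store types side by side.
try_seckey() {  # $1 = keystore file name, $2 = store type
  if keytool -genseckey -alias myaeskey -keyalg AES -keysize 256 \
       -keystore "$WORK/$1" -storetype "$2" \
       -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1; then
    echo stored
  else
    echo rejected
  fi
}

# Count entries of one kind ("PrivateKeyEntry" or "SecretKeyEntry") in the
# keytool -list output, which prints one "<alias>, <date>, <kind>," line per entry.
count_entries() {  # $1 = keystore file name, $2 = store type, $3 = entry kind
  keytool -list -keystore "$WORK/$1" -storetype "$2" -storepass "$PASS" 2>/dev/null \
    | grep -c "$3"
}

# Walk the three store types and print a one-line verdict for each.
run_demo() {
  for spec in "mystore.jks JKS" "mystore.jce JCEKS" "mystore.p12 PKCS12"; do
    file="${spec% *}"
    type="${spec#* }"
    gen_keypair "$file" "$type"
    printf '%-12s %-7s private keys: %s  secret key: %s\n' "$file" "$type" \
      "$(count_entries "$file" "$type" PrivateKeyEntry)" \
      "$(try_seckey "$file" "$type")"
  done
}

if command -v keytool >/dev/null 2>&1; then
  run_demo
else
  echo "keytool not found on PATH; install a JDK to run this demo" >&2
fi
```

Expect the JKS line to report the secret key as rejected (keytool prints "Cannot store non-PrivateKeys", the error seen in the video) and the JCEKS and PKCS12 lines to report it stored. Two caveats when you adapt this: since JDK 9 keytool's default store type is PKCS12 (JEP 229), so a bare keytool -genkey on a current JDK creates a PKCS12 .keystore rather than the JKS file the video shows; and passing -storepass on the command line leaves the password in shell history and the process list, so for anything beyond a scratch demo let keytool prompt or use the -storepass:env / -storepass:file forms.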
Info
Channel: Cyber Hashira
Views: 5,968
Keywords: Keytool, KeyStore, Cyber Hashira, Java Cryptography, JCEKS, JKS, SunPKCS11, PKCS12
Id: UNZzilk8bo8
Length: 16min 34sec (994 seconds)
Published: Sat Jun 18 2022