Oracle's official documentation on how to use keytool; anyone who wants to learn it should read this, it is complete and authoritative. Below is a record of the main commands.
2015-07-11 23:05
Address: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html
--------------------------------------------------------Defaults---------------------------------------------------------------
Option Defaults
Below are the defaults for various option values.
-alias "mykey"
-keyalg "DSA" (when using -genkeypair), "DES" (when using -genseckey)
-keysize 2048 (when using -genkeypair and -keyalg is "RSA"), 1024 (when using -genkeypair and -keyalg is "DSA"), 256 (when using -genkeypair and -keyalg is "EC"), 56 (when using -genseckey and -keyalg is "DES"), 168 (when using -genseckey and -keyalg is "DESede")
-validity 90
-keystore the file named .keystore in the user's home directory
-storetype the value of the "keystore.type" property in the security properties file, which is returned by the static getDefaultType method in java.security.KeyStore
-file stdin if reading, stdout if writing
-protected false
In generating a public/private key pair, the signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key:
If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA".
If the underlying private key is of type "RSA", the -sigalg option defaults to "SHA256withRSA".
If the underlying private key is of type "EC", the -sigalg option defaults to "SHA256withECDSA".
========================================================Commands=======================================================================
-gencert {-rfc} {-infile infile}
{-outfile outfile} {-alias alias}
{-sigalg sigalg} {-dname dname}
{-startdate startdate {-ext ext}*
{-validity valDays} [-keypass keypass]
{-keystore keystore} [-storepass storepass]
{-storetype storetype} {-providername provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
The -gencert command enables you to create certificate chains. The following example creates a certificate, e1, that contains three certificates in its certificate chain.
The following commands create four key pairs named ca, ca1, ca2, and e1:
keytool -alias ca -dname CN=CA -genkeypair
keytool -alias ca1 -dname CN=CA -genkeypair
keytool -alias ca2 -dname CN=CA -genkeypair
keytool -alias e1 -dname CN=E1 -genkeypair
The following two commands create a chain of signed certificates; ca signs ca1 and ca1 signs ca2, all of which are self-issued:
keytool -alias ca1 -certreq | keytool -alias ca -gencert -ext san=dns:ca1 | keytool -alias ca1 -importcert
keytool -alias ca2 -certreq | keytool -alias ca1 -gencert -ext san=dns:ca2 | keytool -alias ca2 -importcert
The following command creates the certificate e1 and stores it in the file e1.cert, which is signed by ca2. As a result, e1 should contain ca, ca1, and ca2 in its certificate chain:
keytool -alias e1 -certreq | keytool -alias ca2 -gencert > e1.cert
-genkeypair {-alias alias}
{-keyalg keyalg} {-keysize keysize}
{-sigalg sigalg} [-dname dname]
[-keypass keypass] {-startdate value}
{-ext ext}* {-validity valDays}
{-storetype storetype} {-keystore keystore}
[-storepass storepass]
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
-genseckey {-alias alias}
{-keyalg keyalg} {-keysize keysize}
[-keypass keypass] {-storetype storetype}
{-keystore keystore} [-storepass storepass]
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
-importcert {-alias alias}
{-file cert_file} [-keypass keypass]
{-noprompt} {-trustcacerts} {-storetype storetype}
{-keystore keystore} [-storepass storepass]
{-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
[Important]
If the alias does not point to a key entry, then keytool assumes you are adding a trusted certificate entry. In this case, the alias should not already exist in the keystore. If the alias does already exist, then keytool outputs an error, since there is already a trusted certificate for that alias, and does not import the certificate.
If the alias points to a key entry, then keytool assumes you are importing a certificate reply.
-importkeystore -srckeystore srckeystore -destkeystore destkeystore {-srcstoretype srcstoretype}
{-deststoretype deststoretype} [-srcstorepass srcstorepass]
[-deststorepass deststorepass] {-srcprotected}
{-destprotected} {-srcalias srcalias {-destalias destalias}
[-srckeypass srckeypass] [-destkeypass destkeypass]
} {-noprompt} {-srcProviderName src_provider_name}
{-destProviderName dest_provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
-printcertreq {-file file}
-certreq {-alias alias}
{-dname dname} {-sigalg sigalg}
{-file certreq_file} [-keypass keypass]
{-storetype storetype} {-keystore keystore}
[-storepass storepass] {-providerName provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
-exportcert {-alias alias}
{-file cert_file} {-storetype storetype}
{-keystore keystore} [-storepass storepass]
{-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}}
{-rfc} {-v} {-protected} {-Jjavaoption}
-list {-alias alias}
{-storetype storetype} {-keystore keystore}
[-storepass storepass] {-providerName provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v | -rfc} {-protected} {-Jjavaoption}
-printcert {-file cert_file |
-sslserver host[:port]} {-jarfile JAR_file} {-rfc}
{-v} {-Jjavaoption}
-storepasswd [-new new_storepass]
{-storetype storetype} {-keystore keystore}
[-storepass storepass] {-providerName provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-Jjavaoption}
-keypasswd {-alias alias}
[-keypass old_keypass] [-new new_keypass]
{-storetype storetype} {-keystore keystore}
[-storepass storepass] {-providerName provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-Jjavaoption}
-delete [-alias alias]
{-storetype storetype} {-keystore keystore}
[-storepass storepass] {-providerName provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
-changealias {-alias alias}
[-destalias destalias] [-keypass keypass]
{-storetype storetype} {-keystore keystore}
[-storepass storepass] {-providerName provider_name}
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
Generating Certificates for a Typical SSL Server
The following are keytool commands to generate keypairs and certificates for three entities, namely, Root CA (root), Intermediate CA (ca), and SSL server (server). Ensure that you store all the certificates in the same keystore. In these examples, it is recommended that you specify RSA as the key algorithm.
keytool -genkeypair -keystore root.jks -alias root -ext bc:c
keytool -genkeypair -keystore ca.jks -alias ca -ext bc:c
keytool -genkeypair -keystore server.jks -alias server
keytool -keystore root.jks -alias root -exportcert -rfc > root.pem
keytool -storepass <storepass> -keystore ca.jks -certreq -alias ca | keytool -storepass <storepass> -keystore root.jks -gencert -alias root -ext BC=0 -rfc > ca.pem
keytool -keystore ca.jks -importcert -alias ca -file ca.pem
keytool -storepass <storepass> -keystore server.jks -certreq -alias server | keytool -storepass <storepass> -keystore ca.jks -gencert -alias ca -ext ku:c=dig,kE -rfc > server.pem
cat root.pem ca.pem server.pem | keytool -keystore server.jks -importcert -alias server
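The chain-building procedure above, together with the -gencert chain example and the note on -importcert marked as important, as an added shell example that is not part of the Oracle reference this page reproduces. It assumes a JDK keytool on PATH; the keystore names, aliases, distinguished names and the password are constructed for the demo. Beyond the page's commands it goes one step further: it first shows the certificate reply being refused while the issuing certificate is not yet trusted in the keystore, then imports the root as a trusted certificate entry before installing the reply, and finally reads back the chain length that keytool -list -v reports for the server entry.

```shell
#!/bin/sh
# Added example; not part of the Oracle keytool reference reproduced on this page.
# Builds the page's root -> ca -> server chain with RSA keys and explicit
# passwords, and demonstrates the -importcert rule: a certificate reply for a
# key entry is installed only when keytool can chain it to a certificate the
# keystore already trusts. Assumes a JDK keytool on PATH; keystore names,
# aliases and the password are constructed for the demo.

PASS=changeit                 # constructed demo password

# Run keytool quietly; set KT_LOG to a file to capture its output.
kt() { keytool "$@" >>"${KT_LOG:-/dev/null}" 2>&1; }

# RSA key pair in its own JKS keystore: $1=dir $2=alias, remaining args are extra options.
gen_key() {
  dir=$1; alias=$2; shift 2
  kt -genkeypair -keystore "$dir/$alias.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS" \
     -alias "$alias" -keyalg RSA -keysize 2048 -dname "CN=$alias" "$@"
}

# CSR from keystore $2 signed by keystore $3; remaining args are -ext options for the issued cert.
issue_cert() {
  dir=$1; subj=$2; issuer=$3; shift 3
  kt -certreq -keystore "$dir/$subj.jks" -storepass "$PASS" -keypass "$PASS" -alias "$subj" \
     -file "$dir/$subj.csr" &&
  kt -gencert -keystore "$dir/$issuer.jks" -storepass "$PASS" -keypass "$PASS" -alias "$issuer" \
     -infile "$dir/$subj.csr" -outfile "$dir/$subj.pem" -rfc "$@"
}

# Import $3.pem as a trusted certificate entry (alias $3, which must not exist yet) into keystore $2.
trust_cert() {
  kt -importcert -keystore "$1/$2.jks" -storepass "$PASS" -alias "$3" -file "$1/$3.pem" -noprompt
}

# Import $2.pem as a certificate reply for the existing key entry $2 in keystore $2.
import_reply() {
  kt -importcert -keystore "$1/$2.jks" -storepass "$PASS" -keypass "$PASS" -alias "$2" \
     -file "$1/$2.pem" -noprompt
}

build_ssl_chain() {
  dir=$1; KT_LOG=$dir/keytool.log
  gen_key "$dir" root -ext bc:c && gen_key "$dir" ca -ext bc:c && gen_key "$dir" server || return 1
  kt -exportcert -keystore "$dir/root.jks" -storepass "$PASS" -alias root -rfc -file "$dir/root.pem" || return 1

  # Intermediate: root signs ca's CSR with BasicConstraints pathlen 0 (the page's -ext BC=0).
  issue_cert "$dir" ca root -ext BC=0 || return 1

  # Failure mode: ca is a key entry, so keytool treats ca.pem as a reply and must chain it
  # to a trusted certificate; ca.jks holds none yet, so the import is refused.
  if import_reply "$dir" ca; then
    echo "unexpected: reply installed without a trusted issuer" >&2; return 1
  fi
  # Fix: import root as a trusted certificate entry first, then retry the reply.
  trust_cert "$dir" ca root && import_reply "$dir" ca || return 1

  # Server: ca signs the server CSR with critical keyUsage digitalSignature,keyEncipherment.
  issue_cert "$dir" server ca -ext ku:c=dig,kE || return 1
  # Trust root in server.jks too, so the top of the reply chain is verified rather than
  # waved through by -noprompt; then install the whole chain as the reply, which is the
  # page's "cat root.pem ca.pem server.pem | keytool -importcert" step.
  trust_cert "$dir" server root || return 1
  cat "$dir/root.pem" "$dir/ca.pem" "$dir/server.pem" > "$dir/server-chain.pem" &&
  kt -importcert -keystore "$dir/server.jks" -storepass "$PASS" -keypass "$PASS" -alias server \
     -file "$dir/server-chain.pem" -noprompt
}

# The chain length keytool -list -v reports for the server key entry (3 when all went well).
server_chain_length() {
  keytool -list -v -keystore "$1/server.jks" -storepass "$PASS" -alias server 2>/dev/null |
    sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p'
}

# usage: sh build-chain.sh run
if [ "${1:-}" = run ]; then
  work=$(mktemp -d)
  build_ssl_chain "$work" && echo "server chain length: $(server_chain_length "$work")"
  echo "keystores and keytool log in $work"
fi
```

The refused first import is the behaviour the important note describes for a reply: the alias already points to a key entry, so keytool does not add a trusted certificate entry but tries to validate the reply against what the keystore trusts, and fails because root is not yet there. Importing root under its own alias is what the page's ca.jks line also needs before its -importcert of ca.pem can succeed.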
Example of changing the password of a key entry with -keypasswd:
keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
Public Keys
These are numbers associated with a particular entity, and are intended to be known to everyone who needs to have trusted interactions with that entity. Public keys are used to verify signatures.
Digitally Signed
If some data is digitally signed it has been stored with the "identity" of an entity, and a signature that proves that entity knows about the data. The data is rendered unforgeable by signing with the entity's private key.
Identity
A known way of addressing an entity. In some systems the identity is the public key, in others it can be anything from a Unix UID to an Email address to an X.509 Distinguished Name.
Signature
A signature is computed over some data using the private key of an entity (the signer, which in the case of a certificate is also known as the issuer).
Private Keys
These are numbers, each of which is supposed to be known only to the particular entity whose private key it is (that is, it's supposed to be kept secret). Private and public keys exist in pairs in all public key cryptography systems (also referred to as "public key crypto systems"). In a typical public key crypto system, such as DSA, a private key corresponds to exactly one public key. Private keys are used to compute signatures.
Entity
An entity is a person, organization, program, computer, business, bank, or something else you are trusting to some degree.
Example of -genkeypair with an explicit distinguished name:
keytool -genkeypair -dname "CN=Mark Smith, OU=Java, O=Oracle, L=Cupertino, S=California, C=US" -alias mark