5.5.6.3.2: Administering key pair entries

Administrators use the Keytool utility to perform tasks that apply to the keystore database or to the keystore entries: key pairs and trusted certificates. Administering a keystore database discusses the tasks that apply to the keystore database; Administering trusted certificates discusses the tasks that apply only to trusted certificate entries; and Administering both certificate and key pair entries discusses the tasks that are common to both entry types. Understanding how the Keytool utility works provides conceptual information about the Keytool utility. This article discusses the administrative tasks that apply only to managing key pair entries in a keystore: generating a key pair entry and modifying a key pair entry.

Options used with the keytool command provides reference information for the options that are used with the Keytool utility.


Generating a key pair entry

The -genkey option adds data to a keystore or creates the keystore if one does not already exist. It generates a key pair (public key and associated private key) and places the public key in an X.509 v1 self-signed certificate. That certificate is stored as a single-element certificate chain, which is placed, along with the private key, into a new keystore entry. The keystore entry is identified by an alias.

The following command is an example of the use of the -genkey option in combination with other options:

keytool -genkey -dname "cn=Sandra Smith, ou=IBMPITT, o=IBM, c=US"
-alias sandra -keypass acc100 -keystore C:\Winnt\Profiles\sandra
-storepass PITTNV -validity 180

Note that the command must be entered as a single line. Multiple lines are used in the example because of space constraints.

This command does the following:

  • It creates a keystore file named sandra in the C:\Winnt\Profiles directory and assigns the password PITTNV to the keystore.

  • It generates a public/private key pair for the entity whose Distinguished Name has the values Sandra Smith for the common name, IBMPITT for the organizational unit, IBM for the organization, and US for the country. The password acc100 is assigned to the private key.

  • It uses the default DSA key-generation algorithm and creates a key pair with a key size of 1024 bits, the default length.

  • It uses a default signature algorithm, SHA1withDSA, to create a self-signed certificate that is valid for 180 days.

The -genkey option is combined with the following options:

  • -alias

  • -dname

  • -J

  • -keyalg

  • -keypass

  • -keysize

  • -keystore

  • -sigalg

  • -storepass

  • -storetype

  • -v

  • -validity

See Options used with the keytool command for a description of these options.


Modifying a key pair entry

Changes can occur that affect the Distinguished Name of a keystore entry; for example, an employee can change departments within the same organization. In such a case, the organizational unit (OU) subcomponent of the employee's Distinguished Name changes. It can be desirable to update an entry's Distinguished Name while still retaining its existing key pair. To do this, follow these steps:

  1. Use the -keyclone option to create a copy of the existing entry.

     keytool -keyclone -alias jane -dest janenew

     In the command, the entry identified by the alias jane is cloned and assigned to the destination alias janenew.

  2. Generate a new self-signed certificate with the new department indicated in the Distinguished Name.

     keytool -selfcert -alias janenew
     -dname "CN=Jane Brown, OU=Purchasing, O=IBM, C=US"

     Issue this command on a single line; values for the -dname option must be specified in the order shown.

  3. Generate a Certificate Signing Request (CSR) for the changed entry.

     keytool -certreq -alias janenew

  4. Import the certificate reply from the Certificate Authority (CA).

     keytool -import -alias janenew -file VSSjanenew.cer

  5. Remove the obsolete entry from the keystore.

     keytool -delete -alias jane

The combination of the -keyclone and -dest options can also be used to establish multiple certificate chains for a key pair, or for backup purposes.
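The following script is an added example, not part of this InfoCenter article and not IBM's or the JDK's own code. It runs the two procedures above end to end against a throwaway keystore: it generates a key pair entry as in Generating a key pair entry, then performs steps 1, 2, 3 and 5 of Modifying a key pair entry (the -import of the CA reply in step 4 cannot run offline and is only noted), and finally checks that the old alias is gone and the surviving entry carries the new OU. Assumptions: a JDK keytool on the PATH; the aliases, Distinguished Names and passwords are constructed sample values; -keyalg RSA -keysize 2048 and -storetype JKS are given explicitly because current JDKs no longer silently accept the DSA and keystore-type defaults this article describes, and -new supplies the cloned entry's key password so -keyclone does not prompt.

```shell
#!/bin/sh
# Added example: exercise "Generating a key pair entry" and "Modifying a key pair
# entry" with keytool. Sample aliases, DNs and passwords are constructed.
set -u

STOREPASS=PITTNV   # constructed sample keystore password
KEYPASS=acc100     # constructed sample private-key password

# Run keytool quietly; recent JDKs print a JKS-format warning on stderr.
kt() { keytool "$@" 2>/dev/null; }

# "Generating a key pair entry": create the keystore with one self-signed entry.
# $1 = keystore path
generate_entry() {
  kt -genkey -alias jane -keyalg RSA -keysize 2048 \
     -dname "CN=Jane Brown, OU=IBMPITT, O=IBM, C=US" \
     -keypass "$KEYPASS" -keystore "$1" -storetype JKS \
     -storepass "$STOREPASS" -validity 180
}

# "Modifying a key pair entry", steps 1-5 minus the CA round trip.
# $1 = keystore path, $2 = output path for the CSR
rekey_with_new_dn() {
  # 1. clone the entry so the same key pair lives under a second alias
  kt -keyclone -alias jane -dest janenew -keypass "$KEYPASS" -new "$KEYPASS" \
     -keystore "$1" -storepass "$STOREPASS" || return 1
  # 2. self-sign a new certificate carrying the new organizational unit
  kt -selfcert -alias janenew -dname "CN=Jane Brown, OU=Purchasing, O=IBM, C=US" \
     -keypass "$KEYPASS" -keystore "$1" -storepass "$STOREPASS" || return 1
  # 3. produce the CSR that would be sent to the CA
  kt -certreq -alias janenew -file "$2" \
     -keypass "$KEYPASS" -keystore "$1" -storepass "$STOREPASS" || return 1
  # 4. (needs a real CA, not run here) keytool -import -alias janenew -file <CA reply>
  # 5. drop the obsolete entry
  kt -delete -alias jane -keystore "$1" -storepass "$STOREPASS" || return 1
}

# Drive both procedures in a temporary directory and verify the end state the
# article describes. Prints "ok", "skipped" (no keytool on PATH) or "fail".
demo_result() {
  command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
  dir=$(mktemp -d)
  ks="$dir/jane.jks"
  csr="$dir/janenew.csr"
  status=fail
  if generate_entry "$ks" && rekey_with_new_dn "$ks" "$csr"; then
    # old alias must be gone: -list prints one "alias, date, type, ..." line per entry
    if ! kt -list -keystore "$ks" -storepass "$STOREPASS" | grep -q '^jane,' \
       && kt -list -v -alias janenew -keystore "$ks" -storepass "$STOREPASS" \
          | grep -q 'OU=Purchasing' \
       && grep -q 'BEGIN NEW CERTIFICATE REQUEST' "$csr"; then
      status=ok
    fi
  fi
  rm -rf "$dir"
  echo "$status"
  [ "$status" = ok ]
}

demo_result
```

The checks at the end are the ones worth scripting in practice after a DN change: confirm with keytool -list that the obsolete alias no longer exists, confirm with keytool -list -v that the retained alias shows the intended Owner DN, and confirm the CSR file was written before it is handed to the CA.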
