Key tools in Java security
The JDK ships two built-in command-line tools for working with keys, certificates, and key stores:
keytool is used to create and manage key stores. It can
- Create public/private key pairs
- Display, import, and export X.509 v1, v2, and v3 certificates stored as files
- Create self-signed certificates
- Generate certificate signing requests (PKCS#10) to be sent to CAs
- Import certificate replies (the certificates a CA returns in response to those requests)
- Designate public key certificates as trusted, by storing them as trusted-certificate entries
The jarsigner tool is used to sign JAR files and to verify the signatures on signed JAR files. The Java ARchive (JAR) file format bundles multiple files into a single file; typically a JAR contains the class files and auxiliary resources of an applet or application.

To sign code, you first use keytool to generate or import the signing key and its certificate into your key store (if they are not there already), then use the jar tool to package the code into a JAR file, and finally use jarsigner to sign the JAR. jarsigner reads a key store to find the private key and certificate chain needed to sign a JAR, or the trusted certificates needed to verify the signature of a signed JAR. Because the signer's key store holds a private key, protect it like any other signing secret: restrict its file permissions, keep the store password off the command line (keytool and jarsigner accept -storepass:env and -storepass:file), and give verifiers a separate store that contains only the trusted certificates. Note also that a signature covers only the entries that were in the JAR when it was signed; entries added afterwards are unsigned, and jarsigner -verify reports them with a warning rather than a failure unless -strict is given, so check for that warning (or use -strict) rather than stopping at "jar verified".

Note: jarsigner can optionally generate signatures that include a timestamp from a time-stamping authority (the -tsa and -tsacert options). Systems that verify JAR file signatures (the Java Plug-in was the classic example) can check the timestamp and accept a JAR file that was signed while the signing certificate was valid rather than requiring the certificate to still be current. (Code-signing certificates typically expire after a year or a few years, and it is not reasonable to expect JAR file creators to re-sign deployed JAR files every time.)
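The whole keytool -> jar -> jarsigner flow above, end to end, as an added example script (not taken from the original page or from the JDK documentation). It creates a self-signed code-signing key, emits the PKCS#10 request a CA would receive, builds a trust store holding only the certificate, signs a JAR built from a constructed sample resource, verifies it, and then shows that replacing a signed entry makes verification fail. The alias "codesign", the file names, the working directory and the password "changeit" are assumptions for the demo; no timestamp authority is contacted so the script runs offline.

```shell
#!/bin/sh
# Added example: keytool -> jar -> jarsigner, then tamper detection.
# All names, paths and the demo password below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"   # demo only; real scripts should use -storepass:env or -storepass:file
ALIAS="codesign"

# 1. keytool: key pair + self-signed certificate marked for code signing,
#    a PKCS#10 request (what you would send to a CA), the exported certificate,
#    and a separate trust store that holds only that certificate.
make_keys() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 3072 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=Example Signer, O=Example, C=US" \
        -ext KeyUsage=digitalSignature -ext ExtendedKeyUsage=codeSigning \
        -keystore "$WORK/signer.p12" -storetype PKCS12 -storepass "$STOREPASS"
    keytool -certreq -alias "$ALIAS" -keystore "$WORK/signer.p12" \
        -storepass "$STOREPASS" -file "$WORK/codesign.csr"
    keytool -exportcert -alias "$ALIAS" -rfc -keystore "$WORK/signer.p12" \
        -storepass "$STOREPASS" -file "$WORK/codesign.pem"
    keytool -importcert -alias "$ALIAS" -noprompt -file "$WORK/codesign.pem" \
        -keystore "$WORK/truststore.p12" -storetype PKCS12 -storepass "$STOREPASS"
}

# 2. jar: bundle a constructed sample resource into app.jar.
make_jar() {
    mkdir -p "$WORK/build"
    printf 'hello from the signed jar\n' > "$WORK/build/hello.txt"   # constructed content
    jar cf "$WORK/app.jar" -C "$WORK/build" .
}

# 3. jarsigner: sign with the private key from the signer's key store.
#    Add "-tsa https://<timestamp-authority>" to embed a timestamp so the
#    signature remains verifiable after the certificate expires.
sign_jar() {
    jarsigner -keystore "$WORK/signer.p12" -storepass "$STOREPASS" \
        -sigalg SHA256withRSA -digestalg SHA-256 "$WORK/app.jar" "$ALIAS"
}

# Verify against the trust store (not the signer's key store).
# Returns 0 when every signed entry's digest and signature check out.
verify_jar() {
    jarsigner -verify -verbose -certs -keystore "$WORK/truststore.p12" \
        -storepass "$STOREPASS" "$1"
}

# 4. Replace a signed entry after signing: the manifest digest no longer
#    matches the content, so jarsigner -verify must reject the JAR.
tamper_jar() {
    mkdir -p "$WORK/evil"
    printf 'replaced after signing\n' > "$WORK/evil/hello.txt"   # constructed content
    cp "$WORK/app.jar" "$WORK/tampered.jar"
    jar uf "$WORK/tampered.jar" -C "$WORK/evil" .
}

# Returns 0 if the good JAR verifies and the tampered one is rejected.
run_demo() {
    make_keys && make_jar && sign_jar
    verify_jar "$WORK/app.jar" >/dev/null 2>&1 || return 1
    tamper_jar
    if verify_jar "$WORK/tampered.jar" >/dev/null 2>&1; then
        return 2   # tampering went unnoticed; must not happen
    fi
    return 0
}

# Run with:  sh sign_demo.sh --run   (needs a JDK with keytool, jar and jarsigner on PATH)
if [ "${1:-}" = "--run" ]; then
    run_demo && echo "signed JAR verified; tampered JAR rejected (artifacts in $WORK)"
fi
```

Two points the script makes that the prose alone does not: verification uses a trust store containing only the certificate, so the private key never leaves the signing machine, and a modified entry is caught by the per-entry manifest digests even though the signature block itself is untouched. Adding a brand-new entry to the signed JAR, by contrast, only earns a warning about unsigned entries from jarsigner -verify unless -strict is passed, which is why scripted verification should check for that warning or use -strict.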

