DISTINGUISHED NAME A standard X.509 structured name, officially identifying
a node in a hierarchical namespace. For our purposes, it's sufficient to recognize
a distinguished name (DN) as a set of comma-delimited attributes, such
as in the example: CN=core,O=baz,C=de. These attributes specify the common
name, organization, and country, respectively. The hierarchical aspect
of this namespace is that it goes from the least significant (but most specific)
attribute to the most significant. The root of the tree for these attributes is the
country, which is then divided into organization, and further divided into
common names within an organization. Order is significant. Two DNs with
the same attributes but different order are different DNs.
The next thing to do is sign your key pair certificates with themselves. It may sound a
little strange, but this is how you make them root certificates. It's a common thing to
do, as you can see by the fact that the keytool command has support for it:
keytool -selfcert -keystore keys.ks -alias core -storepass foobar \
-keypass barbaz -dname "CN=core,O=baz,C=de"
keytool -selfcert -keystore keys.ks -alias third-party \
-storepass foobar -keypass barbaz -dname "CN=third-party,O=baz,C=de"
The only difference from the previous command is that you use -selfcert instead
of -genkey.
Now you have key pairs that you can use to sign other certificates or bundles to
make them part of your trusted certificate chain. To allow other people to verify your
signatures, you need to extract the certificates from the keys.ks keystore and import
them into a new keystore called certificates.ks. Why? Because the keys.ks keystore
contains your private keys; you need another keystore that contains only your
public keys to share with the outside world. Currently, your certificates are saved as key
entries (a public/private key pair and its certificate) in the keystore. You need to
export them and re-import them as certificate-only entries, which you do like this:
keytool -export -v -keystore keys.ks -alias core \
-file core.cert -storepass foobar -keypass barbaz
keytool -export -v -keystore keys.ks -alias third-party \
-file third-party.cert -storepass foobar -keypass barbaz
keytool -import -v -keystore certificates.ks -alias core-cert \
-file core.cert -storepass foobar -keypass barbaz
keytool -import -v -keystore certificates.ks -alias third-party-cert \
-file third-party.cert -storepass foobar -keypass barbaz
You can verify the contents of your keystores like this:
> keytool -list -keystore certificates.ks -storepass foobar
third-party-cert, 08.01.2010, trustedCertEntry,
fingerprint (MD5): 15:9B:EE:BE:E7:52:64:D4:9C:C1:CB:5D:69:66:BB:29
core-cert, 08.01.2010, trustedCertEntry,
fingerprint (MD5): CE:37:F8:71:C9:37:12:D0:F1:C8:2B:F9:85:BE:EA:61
> keytool -list -keystore keys.ks -storepass foobar
core, 08.01.2010, PrivateKeyEntry,
fingerprint (MD5): CE:37:F8:71:C9:37:12:D0:F1:C8:2B:F9:85:BE:EA:61
third-party, 08.01.2010, PrivateKeyEntry,
fingerprint (MD5): 15:9B:EE:BE:E7:52:64:D4:9C:C1:CB:5D:69:66:BB:29
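The same export/import step can be done programmatically with the java.security.KeyStore API, which also lets you check the result before the public keystore leaves your machine. The following is an added example, not code from the book: it assumes the keys.ks keystore, aliases, DNs and passwords from the commands above, and the class and helper names (PublishCertificates, sameName, fingerprint) are this example's own. It verifies that each certificate is a genuine self-signed root (issuer equals subject and the signature checks under its own public key), that its subject DN is exactly the one passed to -dname (comparing with X500Principal, where attribute order is significant, as the sidebar states), and that the resulting certificates.ks holds trustedCertEntry entries only, so no private key is shared by mistake.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not the book's code): rebuilds the "export from keys.ks,
 * import into certificates.ks" step with the KeyStore API and checks the
 * trust store before it is shared. Assumes keys.ks as created in the text,
 * with store password "foobar" and DNs of the form CN=<alias>,O=baz,C=de.
 */
public class PublishCertificates {

    static final char[] STORE_PASS = "foobar".toCharArray();
    // Reading a key entry's certificate needs only the store password; the
    // key password ("barbaz" in the text) is never needed here.

    public static void main(String[] args) throws Exception {
        KeyStore keys = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("keys.ks")) {
            keys.load(in, STORE_PASS);
        }

        // load(null) creates a fresh, empty keystore in memory.
        KeyStore certs = KeyStore.getInstance("JKS");
        certs.load(null, STORE_PASS);

        for (String alias : Collections.list(keys.aliases())) {
            if (!keys.isKeyEntry(alias)) {
                continue; // only key pairs carry a certificate to publish
            }
            X509Certificate cert = (X509Certificate) keys.getCertificate(alias);

            // A root certificate is self-signed: issuer == subject and the
            // signature verifies under the certificate's own public key.
            if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                throw new IllegalStateException(alias + ": issuer differs from subject");
            }
            cert.verify(cert.getPublicKey()); // throws on a bad signature

            // The subject must be exactly the DN given to -dname; attribute
            // order matters, so "C=de,O=baz,CN=core" would be rejected.
            String expectedDn = "CN=" + alias + ",O=baz,C=de";
            if (!sameName(cert.getSubjectX500Principal().getName(), expectedDn)) {
                throw new IllegalStateException(alias + ": unexpected subject DN "
                        + cert.getSubjectX500Principal().getName());
            }

            certs.setCertificateEntry(alias + "-cert", cert);
            System.out.printf("%s -> %s-cert, fingerprint (MD5): %s%n",
                    alias, alias, fingerprint(cert, "MD5"));
        }

        // Before sharing: the trust store must contain certificate entries only.
        for (String alias : Collections.list(certs.aliases())) {
            if (certs.isKeyEntry(alias)) {
                throw new IllegalStateException("private key in trust store: " + alias);
            }
        }

        try (FileOutputStream out = new FileOutputStream("certificates.ks")) {
            certs.store(out, STORE_PASS);
        }
    }

    /** Compares two DNs as X.500 names; RDN order is part of the comparison. */
    static boolean sameName(String dn1, String dn2) {
        return new X500Principal(dn1).equals(new X500Principal(dn2));
    }

    /** Digest of the DER encoding, formatted like keytool's fingerprint line. */
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Compile and run it in the directory that holds keys.ks; the MD5 values it prints should match the fingerprints keytool -list shows above (newer keytool releases print SHA-256 fingerprints instead, in which case pass "SHA-256" to fingerprint to compare). The two checks at the end are the ones worth keeping in any release process: a self-signature that fails to verify or a PrivateKeyEntry in the store you publish both mean the artifact must not be shipped.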