Creating a Certificate Entry

-export
    Export the certificate for the given alias to a given file. The certificate is exported in RFC 1421 format. If the target alias is a certificate entry, that certificate is exported. Otherwise, the first certificate in the target key entry's certificate chain is exported. If you need to send your certificate to another entity, you send it the file created by this command.
    This command supports the following global options:
        -alias alias
        -keystore keystore
        -storepass storepass
        -storetype storetype
        -v
    It also supports this option:
        -file outputFile
            The file in which to store the certificate. The default is to write the certificate to System.out.

-printcert
    Print out a certificate. The input to this command must be a certificate in RFC 1421 format; this command displays that certificate in readable form so that you can verify its fingerprint. Unlike all other commands, this command does not use the keystore itself, and it requires no keystore passwords to operate.
    It supports the following global option:
        -v
    It also supports this option:
        -file certificateFile
            The file containing the RFC 1421 format certificate. The default is to read the certificate from System.in.

10.2.9 Miscellaneous Commands

There are two remaining commands to keytool. The first allows you to change the global password of the keystore:

-storepasswd
    Change the global password of the keystore.
    This command supports the following global options:
        -keystore keystore
        -storepass storepass
        -storetype storetype
        -v
    It also supports this option:
        -new newPassword
            The new global password for the keystore. If you do not specify this value, you will be prompted for it, which is more secure.

Finally, you can get a summary of all commands with this command:

-help
    Print out a summary of the usage of keytool.

10.2.10 Using Certificates from Netscape

If you have certificates that you've used in your Netscape browser, you can export them and use them with your Java programs as well. This is accomplished using the PKCS12 keystore format. As we mentioned, this is presently a one-way operation: you can read a PKCS12 keystore and export a certificate from it, but you cannot create or modify a PKCS12 keystore. The steps to accomplish this are as follows:

1. Export your certificate from Netscape. The exact details of this vary by Netscape release, but under the Tools menu, select Security Info (in Netscape 6, it's called Personal Security Manager). Select your certificate, and then export it. You can export it to any file; the normal extension to use for the file is .p12.

2. Read the keystore. If you exported the certificate to a file called sdocer.p12, this command will list the certificate:

    piccolo keytool -list -keystore sdocer.p12 -storetype pkcs12
    Enter keystore password:
    Keystore type: pkcs12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry:

    scott oaks's verisign, inc. id, Sat Dec 30 18:39:54 EST 2000, keyEntry,
    Certificate fingerprint MD5: 4D:09:08:11:95:FC:33:1C:6D:B1:15:2D:C3:FB:87:F8

3. Export and import the certificate, if desired. If you use the export command to export the certificate, you may import it into a JKS or JCEKS keystore. Besides integrating it into a single source, this allows you to make modifications to the entry, such as changing its password and alias.
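The same migration done programmatically, as an added example that is not from the book: it reads a browser-exported PKCS12 file such as sdocer.p12, writes each entry's certificate in RFC 1421 form (what -export produces, taking the first certificate of a key entry's chain), prints the MD5 and SHA-1 fingerprints the way -printcert lets you verify them, and copies the entries into a JKS keystore. The class name P12Migrate and the command-line layout (p12 file, p12 password, output jks, jks password) are this example's own choices; it assumes the PKCS12 key password equals the store password, as is the case for browser exports.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Collections;

// Usage (assumed layout): java P12Migrate sdocer.p12 p12password out.jks jkspassword
public class P12Migrate {
    // RFC 1421 encoding: base64 body in 64-character lines between BEGIN/END markers.
    static String toRfc1421(Certificate cert) throws Exception {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes("US-ASCII")).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }
    // Digest of the DER encoding, printed as colon-separated hex pairs like keytool does.
    static String fingerprint(Certificate cert, String alg) throws Exception {
        byte[] d = MessageDigest.getInstance(alg).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        char[] p12Pass = args[1].toCharArray();
        char[] jksPass = args[3].toCharArray();
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { p12.load(in, p12Pass); }
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);   // null stream: start from an empty keystore
        for (String alias : Collections.list(p12.aliases())) {
            Certificate cert;
            if (p12.isKeyEntry(alias)) {
                // Key entry: -export would give the first certificate in the chain.
                Certificate[] chain = p12.getCertificateChain(alias);
                cert = chain[0];
                jks.setKeyEntry(alias, p12.getKey(alias, p12Pass), jksPass, chain);
            } else {
                cert = p12.getCertificate(alias);
                jks.setCertificateEntry(alias, cert);
            }
            System.out.println(alias + "\n  MD5  " + fingerprint(cert, "MD5") + "\n  SHA1 " + fingerprint(cert, "SHA-1"));
            // One .cer file per alias, in the same format -export writes.
            try (FileOutputStream out = new FileOutputStream(alias.replaceAll("\\W", "_") + ".cer")) {
                out.write(toRfc1421(cert).getBytes("US-ASCII"));
            }
        }
        try (FileOutputStream out = new FileOutputStream(args[2])) { jks.store(out, jksPass); }
    }
}
```

Compare the printed MD5 line against the fingerprint shown by keytool -list before trusting the copied entry; the .cer files can be checked independently with keytool -printcert -file.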

10.3 The Key Management API

The keytool gives us the ability to create keys, obtain certificates, and so on. Now we'll turn our attention to using the key management facilities programmatically: if you need to create a digital signature, you'll use the key management API to locate the correct key. Similarly, you may choose to store secret keys for data encryption in the keystore. The key management API allows us to read and write keystores and their entries. The keytool implementation also has certain limitations: it cannot create entries that store secret keys, and it is difficult to share the keys in a keytool database among a widely dispersed group of people like all the employees of XYZ Corporation. We can, however, use the key management API to create a key management system that has whatever features we require. That framework is the ultimate goal of the following sections. First, however, let's take a look at the classes