Generating a Certificate Request

Use the given algorithm to generate the signature in the self-signed certificate.

-validity nDays
    The number of days for which the self-signed certificate is valid. The default is 90 days.

The -keyclone command is often used with this command, which can create a copy of the original entry before the DN is changed:

-keyclone
    Clone the target entry. The cloned entry will have the same private key and certificate chain as the original entry.

    This command supports the following global options:

        -alias alias
        -keypass keypass
        -keystore keystore
        -storepass storepass
        -storetype storetype
        -v

    It also supports these options:

    -dest newAlias
        The new alias name of the cloned entry. If this is not specified, you will be prompted for it.

    -new newPassword
        The new password for the cloned entry. If this is not specified, you will be prompted for it. Again, it is more secure to respond to a prompt, because the password is masked, than it is to supply it in plain text on the command line.

To change the password associated with a particular key entry, use this command:

-keypasswd
    Change the password for the given key entry.

    This command supports the following global options:

        -alias alias
        -keystore keystore
        -storepass storePassword
        -storetype storetype
        -keypass originalPassword

    It also supports this option:

    -new newPassword
        Specify the new password for the entry. If this option is not supplied, you will be prompted for the new password.

Changing the password is one way to migrate entries from a JKS to a JCEKS keystore, since you can specify a new storetype when you do so:

    piccolo keytool -keypasswd -alias sdo -storetype jceks

If you began with a JKS keystore, you'll end up with a JCEKS keystore after this command. Note that you can use this trick with other commands (e.g., the storepasswd command); anything that writes out a new keystore will change its format.

However, the advantage of the JCEKS keystore is that the password associated with key entries is strongly encrypted, and the key entry password will not be re-encrypted by other commands. Hence, to convert effectively between JKS and JCEKS, you must use the keypasswd command for each key alias in your keystore.

10.2.7 Deleting Keystore Entries

There is a single command to delete either a key entry or a certificate entry:

-delete
    Delete the entry of the specified alias. If a certificate entry for a certificate authority is deleted, there is no effect upon key entries that have been validated by the authority.

    This command supports the following global options:

        -alias alias
        -keystore keystore
        -storepass storepass
        -storetype storetype
        -v

10.2.8 Examining Keystore Data

If you want to examine one or more entries in the keystore, you may use the following command:

-list
    List to System.out one or more entries in the keystore. If an alias option is given to this command, only that alias will be listed; otherwise, all entries in the keystore are listed. You do not need to know the password for the keystore to use this command.

    This command supports the following global options:

        -alias alias
        -keystore keystore
        -storepass storepass
        -storetype storetype
        -v

    It also supports this option:

    -rfc
        When displaying certificates, display them in the RFC 1421 standard format. This option is incompatible with the -v option.
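As an added example (not from the book), here is the per-alias JKS-to-JCEKS migration described under keypasswd above, driven by the -list output just described: a POSIX sh script that picks the key-entry aliases out of keytool -list, runs -keypasswd with -storetype jceks for each one, and then reports the resulting keystore type. It assumes a keytool that accepts -storepass:env (newer than the version documented here), and the -list output embedded for offline testing is constructed, not captured from a real keystore.

```shell
#!/bin/sh
# jks2jceks.sh: convert a JKS keystore to JCEKS by running -keypasswd once per key alias.
# Assumes a keytool that accepts -storepass:env (newer than the version documented above),
# so the store password is never placed on the command line.
set -u

# Print the alias of every key entry in "keytool -list" output. Trusted-certificate entries
# are skipped: they have no key password, so -keypasswd would fail on them.
key_aliases() {
    awk -F', ' '/, (PrivateKeyEntry|keyEntry|SecretKeyEntry),/ { print $1 }'
}

# Print the type reported on the "Keystore type:" line of "keytool -list" output.
keystore_type() {
    awk -F': ' '/^Keystore type:/ { print $2; exit }'
}

# Constructed sample of "keytool -list" output for offline testing (not from a real keystore).
SAMPLE_LIST='Keystore type: JKS

sdo, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (omitted)
ca-root, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): (omitted)
app-signing, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (omitted)'

# Usage: KEYTOOL_STOREPASS=... jks2jceks.sh <keystore.jks>
# Each key password is typed at keytool's masked prompt, as the text recommends.
jks_to_jceks() {
    ks=$1
    aliases=$(keytool -list -keystore "$ks" -storetype jks -storepass:env KEYTOOL_STOREPASS | key_aliases)
    old_ifs=$IFS; IFS='
'
    for alias in $aliases; do
        echo "Re-encrypting key entry '$alias' with JCEKS" >&2
        # Writing with -storetype jceks is what converts the keystore file's format.
        keytool -keypasswd -alias "$alias" -keystore "$ks" -storetype jceks \
            -storepass:env KEYTOOL_STOREPASS || return 1
    done
    IFS=$old_ifs
    # Should now report JCEKS; verify rather than assume the conversion happened.
    keytool -list -keystore "$ks" -storetype jceks -storepass:env KEYTOOL_STOREPASS | keystore_type
}

if [ $# -ge 1 ]; then
    : "${KEYTOOL_STOREPASS:?set KEYTOOL_STOREPASS to the keystore password}"
    jks_to_jceks "$1"
fi
```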