Keytool Iui For Mac
To generate a Certificate Signing Request (CSR) on Apple Mac OS X, you first need to create a key pair for your server: a public key and a private key. The private key stays on the server; only the public key goes into the CSR.
Java keytool/keystore FAQ: Can you share some Java keytool and keystore command examples?

As a little bit of background, in creating my software application, I decided to venture into the world of commercial software, selling my app for a whopping 99 cents. While that price is trivial, creating the "software licensing" code for this application was anything but trivial. I finally decided to use a Java licensing tool named TrueLicense to assist with the software licensing, and TrueLicense quickly led me down the path of learning about the Java keytool command and keystore files.

So that's what this article is about: how to use the Java keytool command to work with private and public keys, and with intermediate certificate files.

Java and TrueLicense public key, private key background

If you've never used a tool like TrueLicense before, it's important to understand how it works, so you can see why the Java keytool commands below are needed. I won't go into great detail on this, but these are the basic points behind TrueLicense:

1. You create a private key keystore, which you never (ever) give to anyone. As the TrueLicense documentation puts it, "A keystore is a binary file that contains a set of private keys. You must keep your keystore in a safe and secure place."
2. You work through a couple of steps to distribute a public key keystore with your application.
3. When a customer buys a software license for your application, you create that license file however you want to, and then sign the license with your private key. (I don't show that Java code here, but I do show it elsewhere.)
4. You send the signed license file to your customer.
5. The application you've given your customer must be smart enough to import this signed license file into its environment. This again requires Java code, which I've shared elsewhere.

How this normally works

During this process, I think it's also important to note how the digital signing process normally works, i.e., when you're not taking all these steps for a tool like TrueLicense.
In the "normal" process, two people are usually involved: 1) the person who wants to share their public key, and 2) the person who wants to use the first person's public key. Usually the first person (the "share-er") does these tasks:

1. Creates the private key keystore file.
2. Exports the certificate file from the private key keystore.
3. Sends the certificate to the second person.

Then the second person normally does this task:

1. Imports the certificate from the first person into their public key keystore.
Because of the way the TrueLicense software licensing process works, I'm showing one person doing all these tasks here. But if you get confused in the process, just come back to this section, and remember that two people are normally involved.

Java keytool and keystore tasks in this tutorial

In the remainder of this tutorial I'll demonstrate the following keytool tasks:

1. How to create a keystore that contains a private key.
2. How to create a temporary certificate from that private keystore.
3. How to use that certificate to generate a public key keystore.
4. How to query and verify your keystores with the keytool command.

Create private key and keystore

To get started, the first thing we need to do is create a private key keystore. This is going to be a file on your filesystem, and I'm going to name mine privateKey.store. To create this "private key keystore," run the following keytool command:

$ keytool -genkey -alias ftpKey -keystore privateKey.store

This keytool command can be read as:

1. I want to generate a new private key (genkey). (-genkey is the old name of -genkeypair; it creates a key pair plus a self-signed certificate. Older keytool versions default to a 1024-bit DSA key when -keyalg is omitted, so add -keyalg RSA -keysize 2048 or larger explicitly.)
2. I want to create an alias for this key named "ftpKey".
3. I want to store this information in the file named privateKey.store.

After you issue this command, keytool prompts you with the following questions.
I have provided my own example answers to these prompts so you can see exactly how this works. (Note: in the session below, the text the user types follows each prompt; the bracketed values are keytool's defaults, and keytool does not echo passwords as you type them.)

$ keytool -genkey -alias ftpKey -keystore privateKey.store
Enter keystore password: foobar
What is your first and last name?
  [Unknown]: Alvin Alexander
What is the name of your organizational unit?
  [Unknown]: Application Development
What is the name of your organization?
  [Unknown]: devdaily.com
What is the name of your City or Locality?
  [Unknown]: Louisville
What is the name of your State or Province?
  [Unknown]: KY
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US correct?
  [no]: yes
Enter key password for <ftpKey>
        (RETURN if same as keystore password): 123xyz

There are at least a few important points to note here:

1. The password for accessing the keystore file is "foobar".
2. The password for my ftpKey alias is "123xyz".

Both of these passwords are very important, and you'll see how they are used in the next steps. (Since Java 9 the default keystore type is PKCS12, which does not support a key password different from the store password; keytool then ignores the separate key password and prints a warning.)

Generate a temporary certificate file

Remember that our end game is to generate a keystore that contains our public key. To do that, we have to take an intermediate step of creating a "certificate file" from our private keystore.

Another example of creating a keystore

I've been working with Android a little bit lately, and when you want to release an app to the Android/Google Play Store, you need to sign your app. The bottom of Android's app-signing documentation recommends using this keytool command to create a keystore file:

keytool -genkey -v -keystore foo.keystore -alias foo -keyalg RSA -keysize 2048 -validity 10000

I quote from their page, "This example prompts you for passwords for the keystore and key, and to provide the Distinguished Name fields for your key. It then generates the keystore as a file called foo.keystore. The keystore contains a single key, valid for 10000 days. The alias is a name that you will use later when signing your app." I changed their longer names to "foo," but that gives you another example of how this works.

Java keytool and keystore commands - summary

There is much more to be written about the Java keytool command and keystore files, but I'll leave this tutorial at this point until anyone has a question.
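Here is the whole round trip the tutorial describes (private keystore, temporary certificate file, public keystore, and verification) as an added shell example; it is not code from the original article. The file names privateKey.store, publicKey.store and ftp.cer, the alias ftpKey, the passwords and the distinguished name are the tutorial's example values or my assumptions, and -dname/-storepass/-keypass replace the interactive prompts so it runs unattended.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Names, passwords and the
# DN are assumptions taken from the article's interactive session.
set -eu

# Build the private keystore, export the certificate, import it into a
# separate public (trust) keystore, and verify both with keytool -list.
# Returns 0 on success; prints a notice and returns 0 if keytool is absent.
keystore_roundtrip() {
    workdir=${1:-.}
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping"; return 0; }

    cd "$workdir"
    rm -f privateKey.store publicKey.store ftp.cer

    # 1. Private key + self-signed certificate. -genkeypair is the modern
    #    spelling of -genkey; always give -keyalg, older JDKs default to DSA.
    keytool -genkeypair -alias ftpKey -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Alvin Alexander, OU=Application Development, O=devdaily.com, L=Louisville, ST=KY, C=US" \
        -keystore privateKey.store -storepass foobar -keypass 123xyz

    # 2. Export the certificate: public key only, safe to ship with the app.
    keytool -exportcert -alias ftpKey -file ftp.cer \
        -keystore privateKey.store -storepass foobar

    # 3. Import it into a fresh keystore holding only the public half.
    #    -noprompt skips the "Trust this certificate?" question.
    keytool -importcert -alias ftpKey -file ftp.cer -noprompt \
        -keystore publicKey.store -storepass public

    # 4. Verify: private store has a PrivateKeyEntry, public store has a
    #    trustedCertEntry and, crucially, no private key at all.
    keytool -list -keystore privateKey.store -storepass foobar | grep -q "PrivateKeyEntry"
    keytool -list -keystore publicKey.store -storepass public | grep -q "trustedCertEntry"
    ! keytool -list -keystore publicKey.store -storepass public | grep -q "PrivateKeyEntry"
}

keystore_roundtrip "$(mktemp -d)"
```

The last three lines are the check a practitioner wants before bundling publicKey.store with an application: the file that ships must list only trustedCertEntry entries. Passing -storepass on the command line is convenient for a script but lands in shell history and process listings; for real keys use keytool's -storepass:env VARNAME or -storepass:file path forms instead.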
keytool.exe

keytool (keytool.exe on Windows) is the tool, shipped with Java 1.4 and later, for creating phony self-signed certificates and managing imported certificates for Sun-style applet signing and Java Web Start. The code-signing certificates Sun uses are usually in X.509/DER binary format, with the extension .cer. Sometimes they are in X.509 Base64-encoded printable ASCII (American Standard Code for Information Interchange) format, also with the extension .cer. These certificates don't contain the private key. A .keystore file does: a key entry in it holds the private key together with its certificate chain. See the entry below for where to find your .keystore file. You may have multiple .keystore files, so name the one you mean with -keystore; without that option keytool uses the .keystore file in your home directory, not the one in the current working directory.

A certificate by itself contains only a public key. A .keystore can hold key entries (your private key plus its certificate chain) and, alongside them, authority certificates that contain only a public key. When you create a .keystore file, you assign it a password.

cacerts

J:\Program Files\java\jdk1.8.0_131\jre\lib\security\cacerts contains your authority certificates. Each certificate contains only a public key. Each JRE/JDK installation has one cacerts file. It comes preloaded with root signing-authority certificates from CAs such as Verisign and Thawte, and by default with the password changeit (changeme on older Apple-supplied Java for the Mac).

Keystore Formats

Usually the .keystore file is stored in Sun JKS (Java Key Store) format, but keytool is capable of dealing with other formats as well; since Java 9 the default type for a newly created keystore is PKCS12, and -storetype selects one explicitly.
Here is how to find out what other formats are supported on your

Generating a Real Certificate

If you want to buy a real certificate, you first use the -genkey (-genkeypair) option to generate a private/public key pair in your .keystore file. This can take a while. Then you export the public key as a PKCS#10 certificate request (-certreq) and send it to the certificate authority. To be precise, if you want to buy a certificate from Thawte, put these commands in a batch file. It is almost impossible to type them correctly from the command line because they are so long.

For an SSL/TLS server certificate, CN must be the server's DNS name, not your first and last name (modern browsers also require that name in the SubjectAlternativeName extension, which keytool sets with -ext san=dns:host). For a code-signing certificate the CA expects the organisation or person it will vouch for. OU is usually your department, but you could use it for your personal name. O is your organisation. L is your location/city. ST is your state or province and C your two-letter ISO country code. Whatever you put in here, you are asking the signing authority to attest to, so don't put in anything they can't easily verify.
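The genkey / certreq / import cycle described here (and again under "Understand the process!" further down) as an added shell example; it is not from the original page. A throw-away local CA keystore (alias localca, an assumption) stands in for Thawte so the whole thing runs offline, and the alias pluginsigner, the file names, passwords and distinguished names are likewise illustrative. keytool -gencert (Java 7 and later) performs the CA's signing step. The example also exercises the failure mode from the Updating Root Certificates entry below: a reply imported before its issuer is trusted is rejected.

```shell
#!/bin/sh
# Added example, not from the original page. localca stands in for a real
# CA; all aliases, file names, passwords and DNs are assumptions.
set -eu

csr_sign_import() {
    workdir=${1:-.}
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping"; return 0; }
    cd "$workdir"
    rm -f ca.store .keystore ca.cer signer.csr signer.cer

    # Stand-in CA: self-signed key pair flagged as a CA (critical BasicConstraints).
    keytool -genkeypair -alias localca -keyalg RSA -keysize 3072 -validity 3650 \
        -dname "CN=Local Test CA, O=Example, C=US" -ext bc:c \
        -keystore ca.store -storepass capass12 -keypass capass12
    keytool -exportcert -alias localca -file ca.cer -keystore ca.store -storepass capass12

    # 1. Your key pair. The private key is born in .keystore and never leaves it.
    keytool -genkeypair -alias pluginsigner -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=www.example.com, OU=Plugins, O=Example, L=Louisville, ST=KY, C=US" \
        -keystore .keystore -storepass secret1 -keypass secret1

    # 2. PKCS#10 request: DN + public key, signed with your private key.
    keytool -certreq -alias pluginsigner -file signer.csr -keystore .keystore -storepass secret1

    # 3. The CA signs the request with ITS private key; it never sees yours.
    keytool -gencert -alias localca -infile signer.csr -outfile signer.cer -validity 365 \
        -ext ku:c=digitalSignature -ext eku=codeSigning \
        -keystore ca.store -storepass capass12 -keypass capass12

    # 4a. Importing the reply before the issuer is trusted must fail:
    #     keytool cannot build a chain from the reply to any trusted root.
    if keytool -importcert -alias pluginsigner -file signer.cer -noprompt \
          -keystore .keystore -storepass secret1 2>/dev/null; then
        echo "unexpected: reply accepted without a trusted issuer" >&2
        return 1
    fi

    # 4b. Trust the issuer in this keystore (or keep it in cacerts and add
    #     -trustcacerts), then import the reply under the key pair's alias so
    #     keytool attaches the signed chain to the existing private key.
    keytool -importcert -alias localca -file ca.cer -noprompt \
        -keystore .keystore -storepass secret1
    keytool -importcert -alias pluginsigner -file signer.cer \
        -keystore .keystore -storepass secret1

    # 5. Still a PrivateKeyEntry, now carrying a two-certificate chain.
    keytool -list -v -alias pluginsigner -keystore .keystore -storepass secret1 \
        | grep -q "Certificate chain length: 2"
}

csr_sign_import "$(mktemp -d)"
```

With a commercial CA you skip the localca steps: the request file goes to them, their reply comes back as cert.cer or a PKCS#7 bundle, and the only thing that changes in step 4b is -trustcacerts, because their root already sits in cacerts. Step 4a is worth keeping in mind when a purchased certificate "mysteriously" won't import: it is almost always a missing intermediate or root, not a bad key.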
Make a backup of your .keystore file. See the entry below for where to find it. These files have a habit of mysteriously corrupting themselves. If you lose it, you lose your private key and your certificate will become worthless.

For a $200.00 USD fee, Thawte will sign your certificate request with their private key and send it back to you in either X.509/DER or, preferably, the more advanced PKCS (Public-Key Cryptography Standards) #7 format, which includes the certificate chain. You then import that certificate into your .keystore file and can use it for signing your code. To import:

REM Prior to Java 1.6 use -import instead of -importcert
REM import the purchased code-signing cert into .keystore, letting keytool
REM validate its chain against the root certificates in cacerts
keytool -importcert -alias pluginsigner -trustcacerts -keystore .keystore -file cert.cer
REM the same import without consulting cacerts; the issuer's certificate
REM must then already be a trusted entry in .keystore
keytool -importcert -alias pluginsigner -keystore .keystore -file cert.cer

The alias must be the one you used with -genkey, so that keytool treats the file as the reply to your request and attaches it to your private key. You don't import it into your cacerts: this is a code-signing certificate, not an authority certificate. The root Thawte certificate that comes preloaded in your cacerts file is your authority certificate. Note that you never tell the certificate authority your private key. The certificate request and the certificate they send back do not contain the private key and hence are useless to anyone who does not have access to your private key.

Generating a Phony Certificate

If you want to create a phony self-signed certificate, the first steps are similar, except that there is no CA round trip: -genkey already produces a self-signed certificate (the old -selfcert option merely re-signs an existing entry), and you export the finished certificate for distribution. keytool -exportcert writes a single X.509 .cer file; packaging it as a PKCS#7 .p7b bundle needs another tool.
Basically, you set yourself up as a miniature certificate signing authority. To be precise: phony is the alias for your cert. That is not a particularly auspicious name (see the entry below where I talk about phony.dsa). You would do better to choose something dignified that hints at your company name. Since your clients have never heard of your miniature signing authority, you might try loading the phonycert.p7b into each browser that will use your code, as if it were a signing authority. Even after you do that, your code still won't work, because the Sun Java Plug-in looks in the policy and .keystore files on each client machine to decide whether it will let code run. You must update all those client .keystore files with your cert too.
Creating .keystore

Now you can finally sign your code and have your clients run it. A .keystore file is automatically created whenever you use a -genkey, -import, or -identitydb command to add data to a .keystore that doesn't yet exist. If you want to create one programmatically:

// accessing a keystore in Java
import java.security.KeyStore;
KeyStore ks = KeyStore.getInstance("JCEKS", "SunJCE"); // or KeyStore.getInstance("PKCS12") for the modern default type
ks.load(null, null); // null stream starts an empty store; pass a FileInputStream and the password to open an existing file

Updating Root Certificates

If your cacerts file is missing the root signing authority certificate, your purchased cert will behave like a phony self-signed cert: nothing on that machine can build a chain from it to a trusted root, and keytool -importcert -trustcacerts refuses the reply with "Failed to establish chain from reply". See the certificate authority's site for how to get the missing root certificates. Import them into all your cacerts files. Here are places to look for your cacerts files:

C:\Program Files\java\jre1.8.0_131\lib\security\cacerts
C:\Program Files (x86)\java\jre1.8.0_131\lib\security\cacerts
X:\Program Files\JetBrains\IntelliJ IDEA 2017.3\jre\jre\lib\security\cacerts

Other Useful keytool Commands

If you screw up, you can start over by deleting your .keystore file, or by deleting the offending entries (keytool -delete -alias name -keystore .keystore). Make sure you never delete the private key for one of your paid certificates, though!
You can tell whether a keystore entry includes a private key by the way keytool lists it. Entries with private keys (your signing certificates) are marked keyEntry in old keytool versions and PrivateKeyEntry in Java 6 and later. Authority certificates without private keys are marked trustedCertEntry. Old keytool versions would not tell you whether a certificate is DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir and Adleman), or how many bits it is; you could determine that with IBM (International Business Machines)'s keyman. Recent versions print it under keytool -list -v (the "Signature algorithm name" line, and in newer releases a "Subject Public Key Algorithm" line such as "2048-bit RSA key"). It is still a good idea to choose alias and certificate file names, e.g. Mindprod2006dsa.cer, that will help you remember.

Exporting Private Keys

The classic keytool would generate a private key but would not import or export one, which is why you could not easily convert a Sun code-signing certificate to a Netscape code-signing certificate or vice versa. Mitch Gallant found a way around this that used internal classes, but it is no longer available. Since Java 6, keytool -importkeystore copies entries, private keys included, between keystores, and a PKCS12 keystore can be unpacked with openssl pkcs12 -nodes, so the key is no longer trapped; treat the exported file with the same care as the keystore itself.

You must plan ahead and generate your private key in the .keystore where you want it to finally reside. People who don't understand the process often lose the original private key, or find they can't move it to where it is needed. This applies even more so to SSL (Secure Sockets Layer) certificates. Understand the process!

1. You generate a private key.
2. You back it up inside the .keystore file.
3. You export the corresponding public key, as a certificate request, to the certificate authority.
4. They sign it with their private key and return it to you. (They never see your private key.)
5. You import your signed public key back into your .keystore.
6. Now the pair is ready for use, forever trapped in that .keystore file.

Passwords

Both the .keystore and cacerts files are password protected. The cacerts password by default is changeit (changeme on the Mac), which, surprise, you are supposed to change. A .keystore file has no well-known default; it gets whatever password you give it when keytool creates it. There are also optional additional password protections on each individual item in the store.
Passwords are case-sensitive and must be at least 6 characters long. Best to include some digits to make them harder to guess. Putting punctuation in them will make it difficult to use them on the command line; better still, keep them off the command line altogether, since -storepass there ends up in shell history and process listings (keytool accepts -storepass:env VARNAME and -storepass:file path instead).

Backups

You need to keep backups of all your key files, since the signing authorities won't replace your certs if you lose your private key. Use a tool like DESCRIBE to label all your files. There are many formats and keytool can only read some of them. Many are binary formats, so peeking with a text editor won't help either.
You will soon become hopelessly confused about what is what if you don't meticulously label them all.