Index: enhanced/classlib/trunk/doc/tools/Keytool/Keytool_help.html =================================================================== --- enhanced/classlib/trunk/doc/tools/Keytool/Keytool_help.html (revision 0) +++ enhanced/classlib/trunk/doc/tools/Keytool/Keytool_help.html (revision 0) @@ -0,0 +1,305 @@ + + + +
+ + +|
+
+Short description. +Keytool is a tool for managing key pairs, secret keys and certificates. + + + +Keytool usage + + +keytool {-<command_name>} {-<command_option>} {<option_value>}... -J<java_option> + +Description + + +Keytool is an utility that lets users to manage keys and X.509 certificates which are used for authentication of an entity or self-authentication. + +The tools stores the certificates and keys in database which is called keystore. Keystore is usually implemented as a file and protected with password. + + +Default values of the options +-alias "mykey" + +-cacerts {JAVA_HOME}/lib/security/cacerts +-cacertspass "changeit" + + +-certserial random integer value + + +-convkeystore {USER_HOME}/{keystore_type_to_convert_to}_converted.keystore, + E.g. "C:\users\Joe\jks_converted.keystore" +If a file with such name already exists, an index is +added to the end of the file name: {USER_HOME}/{keystore_type_to_convert_to}_converted_{index}.keystore, +e.g. "C:\users\Joe\jks_converted_1.keystore" +-convstorepass password for main keystore + +-file stdin for input, stdout for output + + +-keyalg "DSA" + + +-keysize 1024 + + +-keystore {USER_HOME}/.keystore + + +-sigalg "SHA1withDSA" if certificate issuer's private key algorithm is "DSA" or "MD5withRSA" if key algorithm is "RSA" + +-storetype value of "keystore.type" property in {JAVA_HOME}/lib/security/java.security file + + +-validity 90 +-x509version 3 +-certprovider, -keyprovider, -mdprovider, -sigprovider, -ksprovider, -convprovider the provider which name is noted after -provider option if any.
+
+ Default command is -help. + + +Common options + + +-keystore keystore -storetype store_type -storepass store_password -cacerts cacerts -cacertspass cacerts_password -provider provider_name Commands + +-certreq {-alias <alias>} {-file <csr_file>} + {-sigalg <signature_algorithm>} {-keypass <key_password>} {-sigprovider + <signature_provider_name>} {-ksprovider <keystore_provider_name>} + {-provider <provider_name>} {-keystore <keystore_path>} {-storepass <store_password>} + {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +Generates a Certificate Signing Request (CSR). The request is generated based on data taken from keystore entry associated with <alias> given. The certificate request is printed to a file <csr_file>, if its name is supplied, or otherwise printed to stdout. + + + ++ -checkcrl {-file <certificate_file>} {-crlfile <crl_file>} + {-certprovider <cert_provider_name>} {-mdprovider <MD_provider_name>} {-ksprovider + <keystore_provider_name>} {-provider <provider_name>} {-keystore <keystore_path>} + {-storepass <store_password>} {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} + {-cacertspass <cacerts_password>} + + +Checks if the certificate given in the <certificate_file> is contained in the CRL which is stored in the <crl_file> file. If the file name is not given, stdin is used. + + + ++ -convert {-convtype <result_type>} {-convkeystore <result_store>} + {-convstorepass <result_store_pass>} {-convkeys} {-convprovider <convert_provider_name>} + {-ksprovider <keystore_provider_name>} {-provider <provider_name>} + {-keystore <keystore_path>} {-storepass <store_password>} {-v} {-storetype + <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +Converts keystore to type <result_type> and saves it to <result_store> and protects with password <result_store_pass>. If <result_store_pass> is not set <store_password> is used. 
If "-convkeys" option has been specified, an attempt to convert key entries is performed. Only entries with password equal to keystore password are converted. + + + ++ -delete {-alias <alias>} {-ksprovider + <keystore_provider_name>} {-provider <provider_name>} {-keystore <keystore_path>} + {-storepass <store_password>} {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} + {-cacertspass <cacerts_password>} + + +Removes from the keystore the entry associated with <alias>. + ++ -export {-rfc | -v} {-alias + <alias>} {-file <certificate_file>} {-ksprovider <keystore_provider_name>} + {-provider <provider_name>} {-keystore <keystore_path>} {-storepass <store_password>} + {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +Reads an X.509 certificate associated with <alias> and prints it into the given <certificate_file>. If The file name is not given, the certificate is printed to stdout. If -rfc option is used, the certificate is printed in printable BASE64 encoding (PEM) otherwise it is printed in binary encoding (DER). Both "-rfc" and "-v" options may not be specified. + + + ++ -genkey {-alias <alias>} {-keyalg + <key_algorithm>} {-keysize <key_size>} {-sigalg <signature_algorithm>} + {-validity <validity_period>} {-dname <X500_distinguished_dname>} + {-x509version <X509_version>} {-ca} {-certserial <cert_serial_number>} + {-secretkey} {-keypass <key_password>} {-issuer <issuer_alias>} {-issuerpass + <issuer_password>} {-keyprovider <key_provider_name>} {-certprovider <cert_provider_name>} + {-sigprovider <signature_provider_name>} {-ksprovider <keystore_provider_name>} + {-provider <provider_name>} {-keystore <keystore_path>} {-storepass <store_password>} + {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +Generates a key pair or a secret key. + -help {<command_name>} +If no command name is given shows the list of the commands with their short descriptions. 
If a command name is given shows the usage of the command and its description. + + + ++ -import {-alias <alias>} {-file <certificate_file>} + {-noprompt} {-trustcacerts} {-keypass <key_password>} {-cacerts <cacerts_path>} + {-cacertspass <cacerts_password>} {-certprovider <cert_provider_name>} + {-mdprovider <MD_provider_name>} {-ksprovider <keystore_provider_name>} + {-provider <provider_name>} {-keystore <keystore_path>} {-storepass <store_password>} + {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} +Reads an X.509 certificate or a PKCS#7 formatted certificate chain from the file <certificate_file> and puts it into the entry identified by <alias>. If the input file is not specified, the certificates are read from the standard input. If <alias> already exists the imported certificate chain is interpreted as a reply to CSR generated for the certificate associated with <alias>, otherwise it is considered to be a trusted certificate. If "-noprompt" option is specified, the certificate is added to the keystore even if an equal certificate is in keystore or the certificate issuer's certificate is not contained in keystore (and in cacerts if "-trustcacerts" option is specified), otherwise the user is asked to confirm that the certificate should be imported. + + + ++ -keyclone {-alias <alias>} {-dest + <dest_alias>} {-new <new_password>} {-keypass <key_password>} {-ksprovider + <keystore_provider_name>} {-provider <provider_name>} {-keystore <keystore_path>} + {-storepass <store_password>} {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} + {-cacertspass <cacerts_password>} + + +Copies the key and the certificate chain (if any) from the keystore entry identified by <alias> into a newly created one with alias <dest_alias> and protected with password <new_password>. If any of <dest_alias> or <new_password> is not specified it is prompted for. 
+ + + ++ -keypasswd {-alias <alias>} {-keypass + <old_key_password>} {-new <new_password>} {-ksprovider <keystore_provider_name>} + {-provider <provider_name>} {-keystore <keystore_path>} {-storepass <store_password>} + {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +Changes the key password of the entry associated with alias <alias> to <new_password>. + + + ++ -list {-rfc | -v} {-alias <alias>} + {-mdprovider <MD_provider_name>} {-ksprovider <keystore_provider_name>} + {-provider <provider_name>} {-keystore <keystore_path>} {-storepass <store_password>} + {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +Prints the contents of the entry associated with the <alias>. If no alias is specified, the contents of the entire keystore are printed. If -rfc option is used, certificates are printed in printable BASE64 encoding (PEM) otherwise they are printed in binary encoding (DER). Both "-rfc" and "-v" options may not be specified. + + + ++ -printcert {-v} {-file <certificate_file>} + {-certprovider <cert_provider_name>} + {-mdprovider <MD_provider_name>} {-provider <provider_name>} +Prints the detailed description of a certificate contained in file <certificate_file> in a human-readable format: its owner and issuer, serial number, validity period and fingerprints. Keystore is not used. + + + ++ -selfcert {-alias <alias>} {-dname + <X500_distinguished_dname>} {-validity <validity_period>} {-sigalg <signature_algorithm>} + {-keypass <key_password>} {-ca} {-certserial <cert_serial_number>} {-sigprovider + <signature_provider_name>} {-ksprovider <keystore_provider_name>} + {-provider <provider_name>} {-keystore <keystore_path>} {-storepass <store_password>} + {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +Generates an X.509 (v1, v2, v3) self-signed certificate using a key pair associated with <alias>. 
If X.500 Distinguished Name is supplied it is used as both subject and issuer of thecertificate. Otherwise the distinguished name associated with alias is used. Signature algorithm, validity period and certificate serial number are taken from command line if defined there or from the keystore entry identified by alias. If "-ca" option is specified, generated certificate will can be used for signing another certifictes. If "-secretkey" option is specified, a secret key will be generated instead of key pair and a certificate which are generated by default. + + + ++ -storepasswd {-new <new_password>} + {-ksprovider <keystore_provider_name>} {-provider <provider_name>} + {-keystore <keystore_path>} {-storepass <store_password>} {-v} {-storetype + <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +Changes the keystore password to <new_password>. + + + ++ -verify {-file <certificate_file>} + {-crlfile <crl_file>} {-trustcacerts} {-cacerts <cacerts_path>} {-cacertspass + <cacerts_password>} {-certprovider <cert_provider_name>} {-sigprovider <signature_provider_name>} + {-mdprovider <MD_provider_name>} {-ksprovider <keystore_provider_name>} + {-provider <provider_name>} {-keystore <keystore_path>} {-storepass <store_password>} + {-v} {-storetype <store_type>} {-cacerts <cacerts_path>} {-cacertspass <cacerts_password>} + + +A cerificate chain is built by looking up the certificate of the issuer of the current certificate. If a sertificate is self-signed it is assumed to be the root CA. After that the certificates are searched in the lists of revoked certificates. Certificate signatures are checked and certificate path is built in the same way as in import operation. If an error occurs the flow is not stopped but an attempt to continue is made. The results of the verification are printed to stdout.
+
+ |
+
+ A draft of description of Keytool utility. ++
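Review bot: the -selfcert description ends with a sentence about the "-secretkey" option ("If "-secretkey" option is specified, a secret key will be generated instead of key pair..."), but -secretkey is not in the -selfcert synopsis; it is in the -genkey synopsis, whose description is only "Generates a key pair or a secret key." Move that sentence to the -genkey description, and while there give -genkey's description the same detail the -selfcert one has (which of -dname, -validity, -sigalg, -certserial, -issuer/-issuerpass are used and what happens when they are omitted), since the synopsis lists a dozen options with no explanation. Other points in the same hunk: the -import synopsis lists "{-cacerts <cacerts_path>} {-cacertspass <cacerts_password>}" twice; -export and -list show "{-rfc | -v}" and then "{-v}" again, and the sentence "Both "-rfc" and "-v" options may not be specified" reads as if neither may be given, so say "-rfc and -v are mutually exclusive"; the -verify description should state whether the final output or exit status reports failure when "an attempt to continue is made" after an error, otherwise a caller cannot tell a verified chain from a partly failed one; the documented defaults (-keysize 1024, -sigalg "SHA1withDSA" / "MD5withRSA") are weak by current standards, so the defaults section should advise passing -keyalg, -keysize and -sigalg explicitly. Spelling: "Keytool is an utility that lets users to manage" -> "Keytool is a utility that lets users manage", "thecertificate", "certifictes", "cerificate", "sertificate", "will can be used".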