Monday, 12 July 2010

Generating Key Store and Trust Store using Keytool

What is a keytool?
Keytool is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.

What is a keystore?
Keytool stores the keys and certificates in a keystore. The default keystore implementation stores the keystore as a file and protects the private keys with a password. A keystore contains private keys and the certificates carrying their corresponding public keys; in other words, it is a database of key material. Key material is used for a variety of purposes, including authentication and data integrity. Several keystore types are available, including "PKCS12" and Sun's "JKS".

In PeopleTools 8.49, keytool is located in PS_HOME/jre/bin.

Generating a public/private key pair using keytool
keytool -genkey -alias hrms -keyalg RSA -keystore pskey.keystore -storetype JKS

hrms - the alias; any name can be used to identify the server or instance
pskey.keystore - the name of the keystore file

After running this command, keytool prompts for several values about the site in order to generate the key pair. These values are unique to every site.
The generated key pair consists of both a public and a private key. If we want to share our public key with other sites for authentication and communication purposes, we need to export the public key from the keystore and share it. The other party then needs to import this public key into their keystore.

Exporting public key from keypair
keytool -export -alias hrms -keystore pskey.keystore -rfc -file pshrms.cert
Enter keystore password:

The public key is exported in the form of a certificate file, which can be shared with the other party. Exporting requires the keystore password that was set in the previous command.
The exported certificate is self-signed. Ideally one should obtain a certificate signed by a CA, e.g. VeriSign, GeoTrust, etc.

What is a TrustStore?
A truststore is a keystore which is used when making decisions about what to trust. If you receive some data from an entity that you already trust, and if you can verify that the entity is the one it claims to be, then you can assume that the data really came from that entity.
An entry should only be added to a truststore if the user has decided to trust that entity. Either by generating a key pair or by importing a certificate, the user has granted trust to that entry, and thus every entry in the keystore is considered a trusted entry.

Creating TrustStore and importing public key

keytool -import -alias hrms -file pshrms.cert -storetype JKS -keystore hrms.truststore

Using the above command, you can also import public certificates from other sites.

To view the contents of the exported certificate
keytool -printcert -file pshrms.cert

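The four steps above (generate the key pair, export the certificate, import it into a truststore, print the certificate) as one non-interactive script. This is an added example and not part of the original post: the scratch directory, the demo password "changeit-demo" and the subject DN passed to -dname are made-up values. It also adds the check a practitioner wants before trusting an import: the SHA-256 fingerprint of the certificate file is compared with the fingerprint of what actually landed in the truststore, and each store is inspected to confirm the truststore holds only a trustedCertEntry and never a private key. It needs a JDK 8 or later keytool on PATH; -genkeypair, -exportcert and -importcert are the current names of the post's -genkey, -export and -import and take the same options.

```shell
#!/bin/sh
# Added example, not from the original post: the post's key pair -> certificate ->
# truststore round trip run without prompts, plus a fingerprint check before trusting.
# Assumptions (hypothetical, not from the post): scratch directory in $1, the demo
# password "changeit-demo", the subject DN below, and a JDK 8+ keytool on PATH.

set -eu

DEMO_PASS=changeit-demo   # constructed demo password; real deployments read it from a secret store

# Entry type ("PrivateKeyEntry" or "trustedCertEntry") of an alias in a store.
# A truststore should only ever report trustedCertEntry: it must never hold private keys.
entry_type() {            # $1 = store file, $2 = store password, $3 = alias
    line=$(keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep "^$3," || true)
    case $line in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo unknown ;;
    esac
}

# SHA-256 fingerprint of a certificate file, as printed by keytool -printcert.
cert_fingerprint() {      # $1 = certificate file
    keytool -printcert -file "$1" 2>/dev/null | grep 'SHA256:' | sed 's/.*SHA256: *//'
}

# SHA-256 fingerprint of the certificate stored under an alias in a keystore or truststore.
stored_fingerprint() {    # $1 = store file, $2 = store password, $3 = alias
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep 'SHA256:' | sed 's/.*SHA256: *//'
}

# Build pskey.keystore, export pshrms.cert and import it into hrms.truststore inside $1.
# Prints "keystore=<type> truststore=<type>" so the caller can confirm what each store holds;
# returns 1 if the imported certificate does not match the exported file.
build_pki_demo() {        # $1 = scratch directory
    dir=$1

    # 1. Key pair. -dname answers the questions the interactive command would ask.
    keytool -genkeypair -alias hrms -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=hrms.example.test, OU=PeopleSoft, O=Example, C=US" \
        -keystore "$dir/pskey.keystore" -storetype JKS \
        -storepass "$DEMO_PASS" -keypass "$DEMO_PASS" >/dev/null 2>&1

    # 2. Export only the certificate (public key); -rfc writes PEM, the form handed to peers.
    keytool -exportcert -alias hrms -keystore "$dir/pskey.keystore" -storepass "$DEMO_PASS" \
        -rfc -file "$dir/pshrms.cert" >/dev/null 2>&1

    # 3. Import into a separate truststore. -noprompt suppresses the "Trust this certificate?"
    #    question, so the fingerprint is verified explicitly instead of by eye.
    expected=$(cert_fingerprint "$dir/pshrms.cert")
    keytool -importcert -noprompt -alias hrms -file "$dir/pshrms.cert" \
        -storetype JKS -keystore "$dir/hrms.truststore" -storepass "$DEMO_PASS" >/dev/null 2>&1
    actual=$(stored_fingerprint "$dir/hrms.truststore" "$DEMO_PASS" hrms)
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || return 1

    # 4. Report what each store now contains.
    printf 'keystore=%s truststore=%s\n' \
        "$(entry_type "$dir/pskey.keystore" "$DEMO_PASS" hrms)" \
        "$(entry_type "$dir/hrms.truststore" "$DEMO_PASS" hrms)"
}

# Stand-alone run: build everything in a temporary directory and show the printcert output.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    build_pki_demo "$work"
    keytool -printcert -file "$work/pshrms.cert"
    rm -rf "$work"
fi
```

Run it as `sh keytool_demo.sh --demo`. When a peer sends you their certificate, the same cert_fingerprint value is what you confirm with them over a separate channel before importing; and because the script passes -storepass on the command line, which is visible in process listings, a production script should use keytool's `-storepass:env VAR` or `-storepass:file PATH` forms instead.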
Read more about keystore, PKI and public key at these links:
http://en.wikipedia.org/wiki/Public_key_infrastructure
http://download.oracle.com/docs/cd/E17476_01/javase/1.3/docs/tooldocs/win32/keytool.html
http://en.wikipedia.org/wiki/Public-key_cryptography
