Question

I just used keytool like so:

keytool -genkey -keyalg RSA -alias selfsigned -keystore mykeys.jks -storepass password -validity 360 -keysize 2048

...and then answered all the subsequent questions it prompted me with. This produces a mykeys.jks key store in my local directory.

My question: What is the relationship between this JKS file and the name of the self-signed certificate contained inside of it? Meaning, do I now have an SSL cert named "mykeys" inside this key store?

Bonus question: can a single keystore (JKS file) have more than 1 cert inside of it? If so, how might I add a 2nd SSL cert named, say, my2ndcert to this same JKS file?


Solution 2

When you create a JKS file, it has a private key entry inside; if you do not specify any alias for the key, it is myKey by default.

You can try listing the JKS file to see the same key.

Run:

keytool -list -keystore mykeys.jks -storepass <password to mykeys.jks>

The self-signed certificate is something which you can export out of this key store using the following command:

keytool -export -alias <keyalias> -file abc.cer -keystore mykeys.jks -storepass <password to mykeys.jks>

The file abc.cer is a self-signed certificate.

Bonus answer: yes, your one keystore can have a number of keys with different aliases, and more than one cert as well if you import them.

OTHER TIPS

First we should clear up some of the terminology. What you created was a private key/public key certificate pair. The public key certificate contains all the information you entered like your email address, name etc and is bound to the private key.

Also think of the JKS file format as a zip file that can store multiple private key/public key certificate pairs and also can store public key certificates by themselves. The JKS files have their own password to open them, and each private key/public key pair has its own password, but most people set them to be the same password for simplicity.

Now on to your question, inside the keystore the private key you created will be called selfsigned because that's the alias you gave it. You can add more private keys or just public key certificates by using the same keytool command with the -importcert and -importkeystore flags. http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

I highly recommend you use this tool, http://portecle.sourceforge.net/ to open the jks file and see what's inside.

What is the relationship between this JKS file and the name of the self-signed certificate contained inside of it?

A JKS keystore is a container of certificates, private keys or shared keys. What it exactly contains depends on which commands have been used. You can have multiple entries. Each entry is identified by its alias.

Meaning, do I now have an SSL cert named "mykeys" inside this key store?

No, here, mykeys.jks is just the file name. You can rename this file as you wish, it won't affect its content.

In addition, "certificate name" can have multiple meanings depending on the context.

In general (not specifically within the context of Java keystores) the certificate name would be its Subject Distinguished Name (Subject DN): this is what identifies its subject. This is what's filled in by answering the questions ("What is your first and last name?" and so on), or you can pre-fill this using -dname.

The CN within that Subject DN (also the answer to "What is your first and last name?") is often used by various certificate management tools as the short name for the certificate (if there is a list or table). For a server certificate, it would also be recommended to use the CN as the main host name for the server (it would even be mandatory if you're not using a Subject Alternative Name extension).

You can add additional SANs using the -ext option (e.g. -ext SAN=dns:your.host.name). Using SANs is the recommended way (at all times), but many people don't do it when generating their certificates with keytool (possibly because tutorials rarely mention it, since it was only introduced with the version bundled with Java 7).

keytool -genkey -keyalg RSA -alias selfsigned 
     -keystore mykeys.jks -storepass password -validity 360 -keysize 2048

Bonus question: can a single keystore (JKS file) have more than 1 cert inside of it? If so, how might I add a 2nd SSL cert named, say, my2ndcert to this same JKS file?

What -genkey (renamed -genkeypair in more recent versions) does is create a key-pair and also wrap the public key into a self-signed certificate. It will put it in the selfsigned alias entry (in your example).

If mykeys.jks didn't exist, it will be created. If it already exists, it will be modified (only if the store password matches the password of the existing file of course).

You can use other alias names if you wish. You can also import certificates (without a private key) using -importcert (or -import).

keytool -list will list the content of a keystore, including private key entries, or certificate entries, all with their respective alias names.

Note that, if you're going to use a certificate that isn't self-signed, you'll need to generate a certificate request from that key pair you've generated, and re-import the certificate issued by your CA into that alias (in fact, you'll need to import the full chain in that entry if a chain is required). This will overwrite the self-signed certificate initially created with -genkeypair.

Licensed under: CC-BY-SA with attribution