I don't have much knowledge in this area, but I have still tried to do things by googling. Here is the problem I am facing.
I have a CA signed
My understanding of keytool is tenuous at best but I think the trick is that with Case 2, by omitting the -genkeypair, you're not generating the necessary private key.
In Case 1, the steps you're using are: create a private key pair (public key and private key), and then import a certificate into the trusted certificates for the keystore. Presumably you have another certificate in the keystore that's joining with the private key though it's possible the trusted cert is acting as the cert or your application isn't using a joined keypair/cert in the same file.
I can say that a 'trustedCertEntry' is a certificate which is trusted by the keystore. This is essential for allowing certificate chains (ex: Root-CA signs Intermediate-CA1 which signs End-Cert1. Without having both Root-CA and Intermediate-CA1 as trustedCertEntry, the keystore doesn't trust the end cert). TrustedCertEntries do not have private keys associated with them, only the public key the certificate contains.
A keyEntry (I think!) is a public/private key pair without the certificate.
A privateKeyEntry is a public/private key pair with an associated CA-signed or self-signed certificate.
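As an added example (not code from the asker or the answerer), a small POSIX shell check that parses the alias lines of a `keytool -list` listing and reports whether the keystore holds any entry that carries a private key, which is exactly what separates Case 1 from Case 2 above. The two listings are constructed samples, and the alias names `rootca`, `intermediateca` and `server` are assumptions.

```shell
#!/bin/sh
# Constructed sample of non-verbose `keytool -list` output (Case 1: CA certs
# imported as trusted entries plus a generated key pair under alias "server").
SAMPLE_CASE1='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

rootca, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55 (constructed)
intermediateca, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 66:77:88:99:AA:BB (constructed)
server, Jan 2, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CC:DD:EE:FF:00:11 (constructed)'

# Constructed sample for Case 2: -genkeypair was skipped, so only the
# imported certificate is present and nothing carries a private key.
SAMPLE_CASE2='Your keystore contains 1 entry

server, Jan 2, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:DD:EE:FF:00:11 (constructed)'

# Print the aliases in listing $1 whose entry type is $2.
# keytool prints one alias line per entry shaped "alias, date, EntryType,";
# fingerprint and header lines never end in a comma and are skipped.
aliases_of_type() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /,[ \t]*$/ {
      sub(/,[ \t]*$/, "")          # drop the trailing comma keytool prints
      n = split($0, f, /, /)       # the date itself contains ", " so use f[n]
      if (n >= 3 && f[n] == want) print f[1]
    }'
}

# Count aliases of entry type $2 in listing $1.
count_type() { aliases_of_type "$1" "$2" | wc -l | tr -d ' '; }

# Succeed when at least one entry carries a private key: PrivateKeyEntry in
# current JDKs, keyEntry in the older naming the answer mentions.
has_private_key() {
  [ -n "$(aliases_of_type "$1" PrivateKeyEntry)$(aliases_of_type "$1" keyEntry)" ]
}

if has_private_key "$SAMPLE_CASE2"; then
  echo "Case 2 keystore has a private key"
else
  echo "Case 2 keystore has no private key: re-run with -genkeypair"
fi
```

To run this against a real keystore, feed it `$(keytool -list -keystore your.jks)` in place of the constructed samples.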