Difference between Entry Type “keyEntry” and “trustedCertEntry” in a keystore

て烟熏妆下的殇ゞ 提交于 2019-12-06 19:05:22

问题


I don't have much knowledge in this area, but i have still tried to do things by googling. Here is the problem i am facing.

Case 1(Works):

I have a CA signed certificate and i would like to use it in my Web Application. I first created a keystore. I see that it creates an entry type "keyEntry" in the keystore. Then i import the CA signed certificate to the keystore created.

Here are the steps:

keytool -genkeypair  -keystore keystore.jks

I see an entry in the keystore of type "keyEntry" of alias "mykey"

Now i import the certificate:

keytool -importcert -alias abc -file cert.crt -keystore keystore.jks

Now i see another entry of trype "trustedcertEntry".

With this keystore i am able to access my web application when i uploaded it.

Case 2 (doesn't work):

I create a keystore on the fly while importing the certificate.

keytool -importcert  -alias abc -file cert.crt -keystore keystore2.jks

Here i see only one entry type which is "trustedcertEntry"

With this keystore i am not able to access my web application.

Question:

What is key entry type "keyEntry" and "trustedcertEntry" and why does my keystore works only when i have the entry type "keyEntry"


回答1:


My understanding of keytool is tenuous at best but I think the trick is that with Case 2, by omitting the -genkeypair, you're not generating the necessary private key.

In Case 1, the steps you're using are: create a private key pair (public key and private key), and then import a certificate into the trusted certificates for the keystore. Presumably you have another certificate in the keystore that's joining with the private key though it's possible the trusted cert is acting as the cert or your application isn't using a joined keypair/cert in the same file.

I can say that a 'trustedCertEntry' is a certificate which is trusted by the keystore. This is essential for allowing certificate chains (ex: Root-CA signs Intermediate-CA1 which signs End-Cert1. Without having both Root-CA and Intermediate-CA1 as trustedCertEntry, the keystore doesn't trust the end cert). TrustedCertEntry do not have private keys associated with them, only the public key the certificate contains.

A keyEntry (I think!) is a public/private key pair without the certificate.

A privateKeyEntry is a public/private key pair with an associated CA-signed or self-signed certificate.



来源:https://stackoverflow.com/questions/28544253/difference-between-entry-type-keyentry-and-trustedcertentry-in-a-keystore

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!