17

I created Java keystore programmatically of type jks (i.e. default type).
It is initially empty so I created a DSA certificate. 

keytool -genkey -alias myCert -v -keystore trivial.keystore

How can I see the public and private keys?
I.e. is there a command that prints the private key of my certificate?
I could only find keytool -certreq which in my understanding prints the certificate as a whole:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICaTCCAicCAQAwZTELMAkGA1UEBhMCR1IxDzANBgNVBAgTBkdyZWVjZTEPMA0GA1UEBxMGQXRo
BQADLwAwLAIUQZbY/3Qq0G26fsBbWiHMbuVd3VICFE+gwtUauYiRbHh0caAtRj3qRTwl
-----END NEW CERTIFICATE REQUEST-----

I assume this is the whole certificate. How can I see private (or public key) via keytool?

4

5 回答 5

8

No, you cannot.
You can access the private key from code, but you cannot export it using the keytool.
Use OpenSSL if you need to export private key.

Another option: you can generate keystore in PKCS12 format. Then you can import it to a browser and then to export the private key.

于 2011-02-05T15:20:05.377 回答
8

您在密钥库中创建了一个私有(和关联的公共)密钥。为了使其真正可用,您可以让认证机构 (CA) 对其进行签名 - 因为这是-certreq命令(您将输出连同一些其他信息和一些钱一起发送给该认证机构,然后他们发回一个证书,然后您可以将其导入您的密钥库。)

不打算查看私钥……您通常不需要这个,因为您在 Java 程序中使用密钥库,而它知道如何使用它。

编辑:由于您想查看您的密钥库,因此这里有一个快速的 Java 程序可以执行此操作:

import java.io.*;
import java.security.*;
import java.security.cert.Certificate;

public class KeyPrinter {

    /**
     * to be invoked with these parameters:
     * 
     * [0]:  keystore-password
     * [1]:  filename
     * [2]:  alias
     * [3]:  entry-Password (if necessary)
     */
    public static void main(String[] params)
        throws IOException, GeneralSecurityException
    {
        char[] storePass = params[0].toCharArray();
        String fileName = params[1];
        String alias = params[2];
        KeyStore.ProtectionParameter entryPass;
        if(params.length > 3) {
        entryPass=new KeyStore.PasswordProtection(params[3].toCharArray());
        } else {
            entryPass = null;
        }

        KeyStore store = KeyStore.getInstance("JKS");
        InputStream input = new FileInputStream(fileName);
        store.load(input, storePass);

        KeyStore.Entry entry = store.getEntry(alias, entryPass);
        System.out.println(entry);

    }
}

首先调用keytool -list -keystore myStore以知道要查找哪个别名,然后使用密码和参数调用此程序。如果是私钥条目,它会显示密钥本身以及包含公钥的自签名证书,以可读的形式。在“受信任的证书”的情况下,它只显示公钥。

于 2011-02-05T15:29:36.693 回答
5 
keytool -list -v -alias myCert -storepass 123456 -keystore file.jks

或者

keytool -list -rfc -alias myCert -storepass 123456 -keystore file.jks

如中所述

keytool -help
于 2017-08-26T01:36:40.627 回答
3

( Portecle ) 是一个非常方便的用于管理密钥库的 GUI 工具。除其他外,它还可以选择导出私钥及其相关证书。

共享您的公钥的常用方法是为您的密钥对共享一个证书(其中包含您的公钥)

于 2011-02-05T21:41:23.850 回答
1

您可以使用keystore-explorer在此处输入图像描述

于 2019-01-17T08:20:29.817 回答