
Keytool genkey creates certificate or private key?

I need a clarification/confirmation about keytool and keys in general.

Many, many sites show this is the way to obtain a keystore with a certificate:

keytool -genkey -keyalg RSA -alias my-certificate -keystore mykeystore.jks -validity 3600 -keysize 2048

And if you export it, you can clearly see:

-----BEGIN CERTIFICATE-----
MIICVjCCAb8CCAogFQkp...
...rI7KvuXHX2JWNYLdBvC8V6aXAiIb
OaSAB3DoscgOqDh58bw5vEFwjxVo...
-----END CERTIFICATE-----

So this is a certificate indeed. But from this only the public key can be extracted. So can we say that a certificate is a secret key?

On the other hand, with the keytool command:

-genkeypair 

generates a key pair (a public key and a private key): private for the server and public for the others. So basically a certificate/secret key isn't the same as a private key? Both methods get public, so basically a certificate is a private key?

In short, a keystore contains key pairs, and a key pair consists of a public and a private key. So keytool creates both.

What you call a certificate is the public key. Since the private key is highly confidential to your application server, it should not be transferred insecurely; if possible it is not transferred at all. Which means you should create the keystore on the application server and extract the public key from that keystore. And after it is signed by a certificate authority, it should be added to the keystore to create a key chain.

A much more detailed answer can be found here.

keytool creates two keys: a private key, which you use for signing, encrypting, decrypting, i.e. anything that needs to be traced back to you. In order to trace something back to you, to validate your 'identity', you give others your public key certificate. This wraps your public key with identity information. If it's a self-signed public key certificate then you are saying you are, for example, ServerA, but no one can really verify you're ServerA, as ServerA is claiming it's ServerA. To fix this, you export a Certificate Signing Request (CSR) from your keystore and send it to, e.g., Verisign, who validate you are ServerA and then sign the certificate. What you end up with is a public key certificate saying you are ServerA, and that claim is signed by Verisign using their private key; just about every entity out there has the Verisign public key certificate, so they can verify Verisign's signature, which means they then trust you as ServerA. You then distribute your public key certificate and everyone can encrypt messages to you, knowing that you are indeed ServerA, because of the root signature from Verisign.
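As an added example (not code from the question or from either answer), this Java program opens the keystore produced by the -genkey command above and shows what each alias actually holds: a PrivateKeyEntry with the private key plus its certificate chain, or a trustedCertEntry with a certificate only. It assumes the keystore path and password are passed as arguments, that the key password equals the store password, and the class name InspectKeystore is my own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
/** Reports, per alias, what keytool actually stored in a JKS keystore. */
public class InspectKeystore {
    public static void main(String[] args) throws Exception {
        // Assumption: mykeystore.jks was created with the -genkey command from the question.
        // "changeit" is only a constructed default password for this demo.
        String path = args.length > 0 ? args[0] : "mykeystore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                // PrivateKeyEntry: the private key plus the certificate chain that belongs to it.
                PrivateKey priv = (PrivateKey) ks.getKey(alias, password);
                Certificate[] chain = ks.getCertificateChain(alias);
                X509Certificate leaf = (X509Certificate) chain[0];
                PublicKey pub = leaf.getPublicKey();   // this is all an exported certificate carries
                System.out.println(alias + ": PrivateKeyEntry");
                System.out.println("  private key (never written by -exportcert): " + priv.getAlgorithm());
                System.out.println("  public key inside certificate: " + pub.getAlgorithm());
                System.out.println("  subject: " + leaf.getSubjectX500Principal());
                System.out.println("  issuer : " + leaf.getIssuerX500Principal());
                // Self-signed: issuer == subject and the leaf verifies with its own public key
                // (ServerA vouching for ServerA). Once a CA has signed the CSR the chain grows and
                // the leaf verifies with the issuer's public key instead.
                boolean selfSigned = leaf.getIssuerX500Principal().equals(leaf.getSubjectX500Principal());
                Certificate issuer = chain.length > 1 ? chain[1] : leaf;
                leaf.verify(issuer.getPublicKey());   // throws if the signature does not check out
                System.out.println("  chain length " + chain.length + ", self-signed: " + selfSigned);
            } else if (ks.isCertificateEntry(alias)) {
                // trustedCertEntry: what -importcert of an exported certificate produces.
                // Only someone else's public key and identity; no private key at all.
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + ": trustedCertEntry, subject " + cert.getSubjectX500Principal());
            }
        }
    }
}
```

Compile and run with `javac InspectKeystore.java && java InspectKeystore mykeystore.jks <storepass>`; after importing the exported certificate into a second keystore with -importcert, the same program lists it as a trustedCertEntry.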
