
private key, public key and certificates relationship and best way to access specific certificate from keystore

I used below keytool command:

keytool -genkey -alias <alias name> -keypass <keypassword> -keystore <keystore file name with location> -keyalg "RSA" -sigalg SHA1WITHRSA

Then I looked into keystore contents using below command:

keytool -list -v -keystore <keystore file name with location>

It displays below contents:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: keyalias
Creation date: Nov 23, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=XXXXX, OU=SDG, O=XXXXX, L=XXXXX, ST=XX, C=IN
Issuer: CN=XXXXX, OU=SDG, O=XXXXX, L=XXXXX, ST=XX, C=IN
Serial number: 6c6ec57a
Valid from: Thu Nov 23 14:30:35 IST 2017 until: Wed Feb 21 14:30:35 IST 2018
Certificate fingerprints:
MD5:  85:08:01:27:BF:CA:88:17:88:11:9D:E4:DF:DC:70:AD
SHA1: 6D:14:08:BD:F6:4E:51:C2:A0:58:46:89:CC:85:06:BC:26:DA:23:4E
SHA256: D6:94:A8:31:2F:5D:29:FA:29:5F:8C:5D:24:D0:8E:47:D4:17:4C:B8:8A:
D8:A2:37:3F:18:24:5A:06:C1:E4:CB
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
    KeyIdentifier [
        0000: 50 AD ED B0 1D 3D 12 AE   D4 C0 C7 EE 9F EE 43 11  P....=........C.
        0010: F4 71 02 93                                        .q..
    ]
]

*******************************************
*******************************************

As I can see, there is only a single entry in the keystore. Looking to get answers for the following:

  1. Where is the public key?

  2. I can also see a certificate whereas I didn't create the same. If I need to access this certificate in java code then do I need to use the key alias or can I set any separate alias to access this certificate?

It will be great help if someone can explain how private key, public key and certificates are linked in a key store and how a specific certificate can be accessed from a keystore (assuming keystore is having multiple certificates).

keytool -genkey -alias

good, you've just created a KeyPair.

The keytool command creates a key pair with a self-signed certificate. Indeed, under the same alias you have a PrivateKey and an X509 Certificate (PublicKey + some attributes).

Where is the public key?

In this case the public key is wrapped inside the certificate.

If I need to access this certificate in java code then do I need to use the key alias or can I set any separate alias to access this certificate?

The following code returns the certificate and public key from the key pair:

// Look up the PrivateKeyEntry stored under the alias; the key password unlocks the private key
KeyStore.PrivateKeyEntry privKeyEntry = (KeyStore.PrivateKeyEntry)keystore.getEntry(KEYSTORE_ALIAS, new KeyStore.PasswordProtection(KEYSTORE_KEY_PASSWORD.toCharArray()));

// The public key is not a separate entry: it is carried inside the entry's certificate
PublicKey pubKey = privKeyEntry.getCertificate().getPublicKey();

It will be great help if someone can explain how private key, public key and certificates are linked in a key store

apparently you've already found out :)

Just replying to own question, may be helpful to others also.

The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public key" bits are also embedded in the certificate. To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers.

To access the certificate from the Private Key, you need to use the Private Key alias, which can be found publicly when listing the contents of the keystore.
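An added example, not taken from either answer: it loads a JKS file like the one in the question, walks every alias, and for each PrivateKeyEntry checks that the certificate's public key really belongs to the private key (same RSA modulus, and a test signature made with the private key verifies under the certificate), which is the "compare the numbers" check from the self-answer done in code. The keystore path, store password and key password are read from command-line arguments (an assumed layout), and only RSA keys are handled, as in the question.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

public class KeyStoreInspect {

    // True only if the certificate's public key is the public half of this RSA private key:
    // the moduli must be identical and a signature from the private key must verify under it.
    static boolean certMatchesPrivateKey(PrivateKey priv, Certificate cert) throws Exception {
        PublicKey pub = cert.getPublicKey();
        if (!(priv instanceof RSAPrivateKey) || !(pub instanceof RSAPublicKey)) {
            return false; // example is limited to RSA, the algorithm used in the question
        }
        if (!((RSAPrivateKey) priv).getModulus().equals(((RSAPublicKey) pub).getModulus())) {
            return false;
        }
        byte[] probe = "keystore-consistency-probe".getBytes(StandardCharsets.UTF_8); // constructed input
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(probe);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <keystore path> <store password> <key password>
        KeyStore ks = KeyStore.getInstance("JKS"); // the question's keystore type
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // PrivateKeyEntry: private key plus the certificate chain that carries the public key
                KeyStore.PrivateKeyEntry e = (KeyStore.PrivateKeyEntry) ks.getEntry(alias,
                        new KeyStore.PasswordProtection(args[2].toCharArray()));
                boolean ok = certMatchesPrivateKey(e.getPrivateKey(), e.getCertificate());
                System.out.println(alias + ": PrivateKeyEntry, chain length "
                        + e.getCertificateChain().length + ", cert matches key: " + ok);
            } else if (ks.isCertificateEntry(alias)) {
                // TrustedCertificateEntry: a certificate (public key only), no private key behind it
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + ": TrustedCertificateEntry, subject " + c.getSubjectX500Principal());
            }
        }
    }
}
```

Note that ks.getCertificate(alias) works for both entry types, so a certificate is always reached through the alias it was stored under; there is no separate alias for the certificate of a PrivateKeyEntry.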
