
Difference between key pair and self signed certificate using keytool?

Reading through some URLs, it is fairly common for them to state that the following command is used to create a public/private key pair.

 keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -storepass password

Then it continues on and indicates the following command is used to create a self signed certificate.

 keytool -genkey -alias selfsigned -keyalg RSA -keystore keystore.jks -storepass password -validity 360

From what I see, the only difference is adding "-validity 360".

Question 1 - Does simply adding "-validity 360" change from generating a key pair to a self-signed certificate?

Question 2 - Are "key pairs" and "self-signed certificate" essentially synonymous?

Question 3 - could either the key pair or "self-signed certificate" be used for an official CSR?

You're quite right, the self-signed certificate and a CSR request both start with the keytool -genkey command. The difference is what you do with it next.

For a self-signed certificate there's not much more to do. You might want to export it, to install as a trusted certificate at the client end, with keytool -export:

keytool -export -alias selfsigned -file selfsigned.cer -keystore keystore.jks -storepass password

For the CSR request, you would then create this with keytool -certreq:

keytool -certreq -alias mydomain -file mydomain.csr -keystore keystore.jks -storepass password

Up to you with the validity period. It's not crucial for either route, though with a self-signed certificate you'll typically want more than the default of 90 days.

Question 1 - Does simply adding "-validity 360" change from generating a key pair to a self-signed certificate?

No. -genkeypair (the official name since about 2005) or the less accurate synonym -genkey always generates a keypair and a selfsigned certificate, and stores the privatekey and the cert (together) in the keystore. The only difference -validity 360 makes is whether the specified value or the default value is used for the validity period.

Question 2 - Are "key pairs" and "self-signed certificate" essentially synonymous?

No. In this situation they are linked, but they are different things. A keypair, and separate privatekey and publickey, can be used for some things without any certificate (selfsigned or otherwise) using storage other than a Java keystore, and a selfsigned cert (which includes the publickey) can be used for some things without the privatekey. For example SSH normally uses the 'bare' keypair for server authentication and frequently for client authentication. PGP uses a signed-publickey format that functions as a kind of certificate but very much unlike the X.509/PKIX certificates used in a Java keystore, and in SSL/TLS/HTTPS/etc and codesigning (and SMIME).

As an analogy that comes up frequently on travel.SX, consider an airline ticket and a suitcase of clothes. When you buy an airline ticket traditionally it included the ability to have a certain amount of luggage, often a few suitcases up to a weight limit, carried with you on your flight -- though nowadays this varies in widely disliked and contentious ways. It is possible to ride an airplane flight without taking a suitcase if you want, although it means at your destination you may not have any clothes to wear. It is also possible and fairly common to use a suitcase to carry clothes without an airline ticket in many places other than an airplane, such as a car, cab, bus, train, or relative's or friend's house.

Question 3 - could either the key pair or "self-signed certificate" be used for an official CSR?

A key pair could be used to generate a CSR(*) if you provided the subject name from another source. But Java keystore doesn't actually store key pair plus self-signed cert, but rather private key plus self-signed cert (or other cert); the public key is accessibly stored only in the cert, and the public key (from the cert) is needed and used to generate the CSR.

A self-signed cert, or any other cert, by itself cannot be used to generate a CSR(*) because the CSR must be signed using the private key.

(*) Actually CSR is a generic concept and there are many kinds of CSR with varying rules. I am talking here about only the kind of CSR specified by PKCS10 aka RFC2986 et rel., which is the (only) one generated by Java and most other common tools, and the one required by practically all Internet CAs.
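Putting the two answers together, here is a runnable script (added here; it is not code from either answer) that performs both commands from the question, then checks what the keystore actually holds: each alias is a PrivateKeyEntry whose certificate has Owner equal to Issuer (i.e. self-signed), the only difference -validity makes is the "until" date, the exported .cer imports at the client end as a trustedCertEntry, and a PKCS#10 CSR can be produced from the same entry. It assumes a JDK with keytool on PATH; the keystore and truststore names, the aliases, the subject "CN=demo.example" and the password are constructed for this script.

```shell
#!/bin/sh
# Added example, not code from the original Q&A. Walks the keytool flow from
# both answers and checks what actually lands in the keystore. Assumes a JDK
# with keytool on PATH; the store names, aliases, the subject name
# "CN=demo.example" and the password are constructed for this script.
set -u

WORK="${TMPDIR:-/tmp}/keytool-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
KS="$WORK/keystore.jks"    # modern JDKs create this as PKCS12 whatever the name
TS="$WORK/truststore.jks"  # the "client end" truststore
STOREPASS=changeit         # constructed password for the throwaway stores

have_keytool() { command -v keytool >/dev/null 2>&1; }

# -genkeypair (alias -genkey) always creates a private key AND a self-signed
# certificate in one entry. -dname avoids the interactive prompts. Any extra
# arguments (e.g. -validity 360) are passed straight through.
gen_entry() {
  alias_="$1"; shift
  keytool -genkeypair -alias "$alias_" -keyalg RSA -keysize 2048 \
    -dname "CN=demo.example, O=Example Org" "$@" \
    -keystore "$KS" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# Verbose listing of one alias in one store; the checks below read fields from it.
list_alias() {
  keytool -list -v -alias "$1" -keystore "$2" -storepass "$STOREPASS" 2>/dev/null
}

# "PrivateKeyEntry" for key+cert, "trustedCertEntry" for a bare certificate.
entry_type() { list_alias "$1" "$2" | sed -n 's/^Entry type: //p' | head -n 1; }

# A certificate is self-signed when its Owner (subject) equals its Issuer.
is_self_signed() {
  out=$(list_alias "$1" "$KS")
  owner=$(printf '%s\n' "$out" | sed -n 's/^Owner: //p' | head -n 1)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^Issuer: //p' | head -n 1)
  [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# The certificate's "until:" date; the only thing -validity changes.
valid_until() { list_alias "$1" "$KS" | sed -n 's/^Valid from: .* until: //p' | head -n 1; }

# Route A: export the certificate (the file carries no private key) and
# import it into the client-side truststore as a trusted certificate.
export_and_trust() {
  keytool -export -alias "$1" -file "$WORK/$1.cer" \
    -keystore "$KS" -storepass "$STOREPASS" >/dev/null 2>&1
  keytool -importcert -noprompt -alias "$1" -file "$WORK/$1.cer" \
    -keystore "$TS" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Route B: a PKCS#10 CSR, signed with the private key of the same entry.
make_csr() {
  keytool -certreq -alias "$1" -file "$WORK/$1.csr" \
    -keystore "$KS" -storepass "$STOREPASS" >/dev/null 2>&1 &&
    grep -q 'CERTIFICATE REQUEST' "$WORK/$1.csr"
}

run_demo() {
  gen_entry mydomain                  # the question's first command: default validity (90 days)
  gen_entry selfsigned -validity 360  # the question's second command
  for a in mydomain selfsigned; do
    ss=$(is_self_signed "$a" && echo yes || echo no)
    echo "$a: $(entry_type "$a" "$KS"), self-signed: $ss, valid until: $(valid_until "$a")"
  done
  export_and_trust selfsigned
  echo "truststore entry for selfsigned: $(entry_type selfsigned "$TS")"
  make_csr mydomain && echo "CSR written to $WORK/mydomain.csr"
}

if have_keytool; then
  run_demo
else
  echo "keytool not found on PATH; install a JDK to run this demo" >&2
fi
```

Running it prints PrivateKeyEntry and self-signed: yes for both aliases, two different "until" dates, and trustedCertEntry for the imported copy, which is the concrete form of the second answer's point: the key pair and the self-signed certificate are produced together by -genkeypair, and -validity only moves the expiry.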
