Exporting a Certificate Authenticating Your Public Key: an example using keytool in Java

By: Lakshmi


Suppose you have used the jarsigner tool to sign a Java ARchive (JAR) file. Clients that want to use the file will want to authenticate your signature.

One way they can do this is by first importing your public key certificate into their keystore as a "trusted" entry. You can export the certificate and supply it to your clients. As an example, you can copy your certificate to a file named MJ.cer via the following, assuming the entry is aliased by "mykey":

    keytool -exportcert -alias mykey -file MJ.cer

Given that certificate, and the signed JAR file, a client can use the jarsigner tool to authenticate your signature.
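The client-side steps described above, as an added example that is not part of the original tutorial: the certificate's SHA-256 fingerprint is compared with a value obtained from the signer over a separate channel before the certificate is imported as trusted, and only then is the JAR verified. The function names, the `client.jks` keystore, the `mj` alias and `signed.jar` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check an exported certificate before trusting it.
# Names (client.jks, mj, signed.jar) are illustrative assumptions.

# Normalise a fingerprint: drop colons and whitespace, upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if both values are the same well-formed SHA-256 fingerprint.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in *[!0-9A-F]*|'') return 1 ;; esac   # hex digits only
    [ "${#a}" -eq 64 ] || return 1                  # 32 bytes = 64 hex digits
    [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_sha256() {
    keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_if_trusted CERT EXPECTED_FP KEYSTORE ALIAS
# Imports CERT as a trusted entry only when its fingerprint matches.
import_if_trusted() {
    actual=$(cert_sha256 "$1") || return 1
    if ! fp_matches "$actual" "$2"; then
        echo "fingerprint mismatch for $1; not importing" >&2
        return 1
    fi
    # -noprompt skips the interactive trust question; the check above replaces it.
    keytool -importcert -noprompt -alias "$4" -file "$1" -keystore "$3"
}

# verify_jar JAR KEYSTORE
# -strict makes the exit code reflect warnings jarsigner reports.
verify_jar() {
    jarsigner -verify -strict -keystore "$2" "$1"
}

# Usage (fingerprint comes from the signer, not from the same download):
#   import_if_trusted MJ.cer "<fingerprint from signer>" client.jks mj \
#       && verify_jar signed.jar client.jks
```

The expected fingerprint has to arrive by a channel other than the one that delivered `MJ.cer`; a fingerprint shipped alongside the certificate proves nothing about who created it.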

Changing Your Distinguished Name but Keeping your Key Pair

Suppose your distinguished name changes, for example because you have changed departments or moved to a different city. If desired, you may still use the public/private key pair you've previously used, and yet update your distinguished name. For example, suppose your name is Tuck Lee, and you created your initial key entry with the alias tLee and the distinguished name

  "cn=Tuck Lee, ou=Finance Department, o=BlueSoft, c=us"

Suppose you change from the Finance Department to the Accounting Department. You can still use the previously-generated public/private key pair and yet update your distinguished name by doing the following.

First, copy (clone) your key entry:

    keytool -keyclone -alias tLee -dest tLeeNew

(This prompts for the store password and for the initial and destination private key passwords, since they aren't provided at the command line.) Now you need to change the certificate chain associated with the copy, so that the first certificate in the chain uses your different distinguished name. Start by generating a self-signed certificate with the appropriate name:

    keytool -selfcert -alias tLeeNew \
      -dname "cn=Tuck Lee, ou=Accounting Department, o=BlueSoft, c=us"

Then generate a Certificate Signing Request based on the information in this new certificate:

    keytool -certreq -alias tLeeNew

When you get the CA certificate reply, import it:

    keytool -import -alias tLeeNew -file VStLeeNew.cer

After importing the certificate reply, you may want to remove the initial key entry that used your old distinguished name:

    keytool -delete -alias tLee
