Use keytool to generate a key pair

1. Generate a key pair

keytool -genkeypair ^
  -alias own-alias ^
  -keyalg RSA ^
  -keypass password ^
  -sigalg SHA256withRSA ^
  -dname "cn=zolmk,ou=zolmk,o=zolmk,l=HN,st=HN,c=CN" ^
  -validity 3650 ^
  -keystore keystore.jks ^
  -storetype JKS ^
  -storepass password

Parameter description:

  • -genkeypair: generates a key pair (originally -genkey; renamed after Java 1.6)
  • -alias: alias of the entry. Each keystore entry is associated with a unique alias, which is case-insensitive
  • -keyalg: algorithm used to generate the key
  • -keypass: password for the alias entry (the password of the private key)
  • -sigalg: name of the signature algorithm
  • -dname: distinguished name: CN = owner name, OU = organizational unit name, O = organization name, L = city or region name, ST = state or province name, C = two-letter country code
  • -validity: validity period in days
  • -keystore: name of the keystore
  • -storetype: type of the keystore
  • -storepass: password of the keystore

2. View the key store

keytool -list -v -keystore keystore.jks -storepass "password"

  • -list: lists the entries in the keystore
  • -v: verbose output
  • -keystore: keystore file
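
An added example, not part of the original article: a small Python audit of the `keytool -list -v` output from step 2, flagging entries whose signature algorithm, RSA key size or validity period (the -sigalg, -keyalg and -validity choices from step 1) no longer hold up. The sample listing is constructed, the field labels assume English-locale output from a recent JDK, the alias legacy-alias is hypothetical, and `now` is a naive datetime supplied by the caller.

```python
import re
from datetime import datetime

# Constructed sample shaped like English-locale `keytool -list -v` output
# (fingerprints omitted); legacy-alias is a hypothetical second entry.
SAMPLE = """\
Keystore type: JKS

Alias name: own-alias
Owner: CN=zolmk, OU=zolmk, O=zolmk, L=HN, ST=HN, C=CN
Issuer: CN=zolmk, OU=zolmk, O=zolmk, L=HN, ST=HN, C=CN
Valid from: Mon Mar 01 09:00:00 CST 2021 until: Thu Feb 27 09:00:00 CST 2031
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: legacy-alias
Valid from: Fri Jan 01 00:00:00 UTC 2010 until: Wed Jan 01 00:00:00 UTC 2020
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""

def parse_entries(listing):
    """Group 'Key: value' lines into one dict per 'Alias name:' block."""
    entries = []
    for line in listing.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key == "Alias name":
            entries.append({})
        if sep and entries:
            entries[-1].setdefault(key, value)  # first certificate of a chain wins
    return entries

def audit(entry, now, min_rsa_bits=2048):
    findings = []
    if re.match(r"(MD2|MD5|SHA1)with", entry.get("Signature algorithm name", ""), re.I):
        findings.append("weak signature algorithm")
    bits = re.match(r"(\d+)-bit RSA", entry.get("Subject Public Key Algorithm", ""))
    if bits and int(bits.group(1)) < min_rsa_bits:
        findings.append("RSA key below %d bits" % min_rsa_bits)
    until = entry.get("Valid from", "").partition("until: ")[2].split()
    if len(until) == 6:  # drop the time-zone token, strptime cannot parse "CST"
        expiry = datetime.strptime(" ".join(until[:4] + until[5:]), "%a %b %d %H:%M:%S %Y")
        if expiry < now:
            findings.append("certificate expired")
    return findings

def audit_listing(listing, now):
    return {e["Alias name"]: audit(e, now) for e in parse_entries(listing)}
```

To audit a real keystore, pass the captured output of the step 2 command to `audit_listing` together with `datetime.now()`.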

All keytool commands

  • -certreq: generates a certificate request
  • -changealias: changes the alias of an entry
  • -delete: deletes an entry
  • -exportcert: exports a certificate
  • -genkeypair: generates a key pair
  • -genseckey: generates a secret key
  • -gencert: generates a certificate based on a certificate request
  • -importcert: imports a certificate or certificate chain
  • -importpass: imports a password
  • -importkeystore: imports one or all entries from another keystore
  • -keypasswd: changes the key password of an entry
  • -list: lists the entries in the keystore
  • -printcert: prints the content of a certificate
  • -printcertreq: prints the content of a certificate request
  • -printcrl: prints the content of a CRL file
  • -storepasswd: changes the store password of the keystore

1) Second-level command parameters

-list: lists the entries in the keystore

  • -rfc: output in RFC style
  • -alias <alias>: alias of the entry to process
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-genkeypair: generates a key pair

  • -alias <alias>: alias of the entry to process
  • -keyalg <keyalg>: name of the key algorithm
  • -keysize <keysize>: key size in bits
  • -sigalg <sigalg>: name of the signature algorithm
  • -destalias <destalias>: destination alias
  • -dname <dname>: distinguished name
  • -startdate <startdate>: start date/time of the certificate validity period
  • -ext <value>: X.509 extension
  • -validity <valDays>: validity period in days
  • -keypass <arg>: key password
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-genseckey: generates a secret key

  • -alias <alias>: alias of the entry to process
  • -keypass <arg>: key password
  • -keyalg <keyalg>: name of the key algorithm
  • -keysize <keysize>: key size in bits
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-certreq: generates a certificate request

  • -alias <alias>: alias of the entry to process
  • -sigalg <sigalg>: name of the signature algorithm
  • -file <filename>: output file name
  • -keypass <arg>: key password
  • -keystore <keystore>: keystore name
  • -dname <dname>: distinguished name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-changealias: changes the alias of an entry

  • -alias <alias>: alias of the entry to process
  • -destalias <destalias>: destination alias
  • -keypass <arg>: key password
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-delete: deletes an entry

  • -alias <alias>: alias of the entry to process
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-exportcert: exports a certificate

  • -rfc: output in RFC style
  • -alias <alias>: alias of the entry to process
  • -file <filename>: output file name
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-gencert: generates a certificate based on a certificate request

  • -rfc: output in RFC style
  • -infile <filename>: input file name
  • -outfile <filename>: output file name
  • -alias <alias>: alias of the entry to process
  • -sigalg <sigalg>: name of the signature algorithm
  • -dname <dname>: distinguished name
  • -startdate <startdate>: start date/time of the certificate validity period
  • -ext <value>: X.509 extension
  • -validity <valDays>: validity period in days
  • -keypass <arg>: key password
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-importcert: imports a certificate or certificate chain

  • -noprompt: do not prompt
  • -trustcacerts: trust certificates from cacerts
  • -protected: password through a protected mechanism
  • -alias <alias>: alias of the entry to process
  • -file <filename>: input file name
  • -keypass <arg>: key password
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output

-importpass: imports a password

  • -alias <alias>: alias of the entry to process
  • -keypass <arg>: key password
  • -keyalg <keyalg>: name of the key algorithm
  • -keysize <keysize>: key size in bits
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output
  • -protected: password through a protected mechanism

-importkeystore: imports one or all entries from another keystore

  • -srckeystore <srckeystore>: source keystore name
  • -destkeystore <destkeystore>: destination keystore name
  • -srcstoretype <srcstoretype>: source keystore type
  • -deststoretype <deststoretype>: destination keystore type
  • -srcstorepass <arg>: source keystore password
  • -deststorepass <arg>: destination keystore password
  • -srcprotected: source keystore password protected
  • -srcprovidername <srcprovidername>: source keystore provider name
  • -destprovidername <destprovidername>: destination keystore provider name
  • -srcalias <srcalias>: source alias
  • -destalias <destalias>: destination alias
  • -srckeypass <arg>: source key password
  • -destkeypass <arg>: destination key password
  • -noprompt: do not prompt
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output

-keypasswd: changes the key password of an entry

  • -alias <alias>: alias of the entry to process
  • -keypass <arg>: key password
  • -new <arg>: new password
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output

-printcert: prints the content of a certificate

  • -rfc: output in RFC style
  • -file <filename>: input file name
  • -sslserver <server[:port]>: SSL server host and port
  • -jarfile <filename>: signed JAR file
  • -v: verbose output

-printcertreq: prints the content of a certificate request

  • -file <filename>: input file name
  • -v: verbose output

-printcrl: prints the content of a CRL file

  • -file <filename>: input file name
  • -v: verbose output

-storepasswd: changes the store password of the keystore

  • -new <arg>: new password
  • -keystore <keystore>: keystore name
  • -storepass <arg>: keystore password
  • -storetype <storetype>: keystore type
  • -providername <providername>: provider name
  • -providerclass <providerclass>: provider class name
  • -providerarg <arg>: provider argument
  • -providerpath <pathlist>: provider classpath
  • -v: verbose output

4. Simple use

Generate a keystore from pk8 + x509.pem

Files to prepare: the pk8 file and the x509.pem file. OpenSSL also needs to be installed.

  • Step 1: Install OpenSSL
  • Step 2: Use OpenSSL to generate a PEM
  • Step 3: Use OpenSSL and the generated PEM to generate a keystore. The password is Android and the generated keystore file is output.keystore
  • Step 4: Use keytool to change the store password to Android

openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out out.pem
timeout /T 3
openssl pkcs12 -export -in platform.x509.pem -inkey out.pem -out platform.p12 -password pass:keyPassword -name keyAlias
timeout /T 3
keytool -importkeystore -deststorepass password -destkeystore output.keystore -srckeystore platform.p12 -srcstoretype PKCS12 -srcstorepass keyPassword
timeout /T 3
keytool -storepasswd -v -keystore output.keystore -storepass password -new storePassword
timeout /T 3

The resulting keystore can then be used for Android signing:

release {
    storeFile file("output.keystore")
    storePassword "storePassword"
    keyAlias "keyAlias"
    keyPassword "keyPassword"
}