
Class sun.security.CertStore

java.lang.Object
   |
   +----sun.security.CertStore

public final class CertStore
extends Object
implements ExportControl
This utility administers databases of information used to authenticate with JavaSoft's SSL implementation. SSL uses this information when it authenticates on behalf of one of the identities in the database. The authentication information includes both a sequence (chain) of X.509 certificates, and an associated private key. Each such identity is known by an "alias".

The chains of X.509 certificates are provided by organizations called certificate authorities, or CAs. Identities (including CAs) use their private keys to authenticate their association with objects, such as with channels which are secured using SSL, with archives of code they signed, or (for CAs) with X.509 certificates they have issued. As a bootstrapping tool, self-signed certificates may be used until a certificate authority returns a certificate chain.


So long as the private keys (for example, from the database which is administered by this tool) are kept secure, it's reasonable to trust the certified identity associated with such objects. In fact, it is usual that such certificates are not issued without strong technical and legal assurances that the private keys will be kept secure.

The private keys in this database are always stored in encrypted form, to make it difficult to disclose these private keys inappropriately. A passphrase is required to access or modify the database.

These private keys are encrypted using a "passphrase", which should be several words long. You should guard the passphrase extremely carefully! If you lose that passphrase, you will not be able to recover those authentication keys. However, if you let someone else know it, they will either be able to tell you when you forget, or they will be able to masquerade as you without your consent. So you should not tell it to anyone you don't trust to act on your behalf. Misuse of your keys could incur substantial liability for you.


At this time, only signature-capable algorithms (such as RSA and DSS/DSA) are supported. In particular, Diffie-Hellman keys may be used in X.509 certificate chains to authenticate entities in communications, but they are not currently supported through this interface.

See Also:
KeyStore

Method Index

 o main(String[])
This class is intended to be used from the command line.

Methods

 o main
 public static void main(String argv[])
This class is intended to be used from the command line. Three kinds of information may be given on the command line (commands, options to commands, and database and alias specifiers, described below), and they may be provided in any order. The only option which is required is a database specifier; this can usually be provided as part of an application-specific shell script (or batch file) used to invoke this command. In many environments, the command needs to prompt for the passphrase used to encrypt/decrypt the private keys.
Commands

 -certresp filename
     Imports a certificate chain, as provided by a certificate authority, into the keystore. This replaces an existing certificate chain, for example one with only a self-signed certificate, or a certificate chain which may no longer be within its validity period. An alias must be specified. Use the csr command to generate a certificate request.

 -clone original
     Creates a new entry, which has the same private key and certificate chain as the original entry. This might be used to get multiple certificate chains corresponding to a given keypair, or for backup purposes.

 -csr filename
     Generates a Certificate Signing Request (CSR), using the PKCS #10 format and storing the certificate request in the named file. Such requests are sent to certificate authorities (CAs). CAs will authenticate the certificate requestor (usually off-line) and will return a certificate chain as a response, used to replace the existing (e.g. self-signed) certificate chain. Requires an alias to be specified; the private key and X.500 name associated with that alias are used to create the PKCS #10 certificate request. Use the certresp option to import the CA's response.

 -delete
     Deletes an existing entry, both private key and certificate chain. User confirmation is required for this command.

 -help
     Lists all command-line options.

 -list
     Lists all the entries in the keystore. This command is the default.

 -selfcert
     Generates a new public/private key pair, and authenticates the public key using a single-element certificate chain suitable for use when serving "HTTPS" (HTTP over SSLv3). You will be prompted for some fields to be used in the X.500 name. At this time, this is the only way to create an entry in the keystore, other than cloning an entry. Requires an alias name to be specified; the new self-signed certificate is stored under that alias.

Options to Commands

 -keysize size
     Specifies the size of the public key to generate using the selfcert command. The default is 768 bits, except in exportable versions (where 512 bits is the maximum allowed by US export laws).

 -keytype type
     Specifies the type of key to use. This defaults to RSA; the keytype must be usable with the signature algorithm.

 -signature sigalg
     Specifies the type of signature used when creating self-signed certificates. This implies use of the appropriate kind of key. Some keys, such as RSA keys, may be used with many kinds of signature algorithms. The default signature algorithm is MD5withRSA. The DSA (DSS) algorithm may also be used for some applications.

 -validity days
     Specifies the validity period of a self-signed certificate, in days. This value defaults to ninety days.

 -verbose
     More output than usual is provided.

Database and Alias Specifiers

 -alias name
     Gives the alias for the certificate chain (and private key) which are of interest. If not supplied, the value ssl-RSA-default is used.

 -keystore path
     Gives the path to the keystore to be used. This parameter must be supplied.

Parameters:
argv - arguments, as described above.
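The enrollment lifecycle these commands describe (selfcert to bootstrap an entry, csr to request a CA chain, certresp to install the response, list to check the result), as an added shell example that is not part of the original documentation. It assumes the class is launched as `java sun.security.CertStore` (the page leaves the launcher to an application-specific script; override with CERTSTORE), that the tool prompts for the passphrase itself, and that the alias, key size and validity values are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original javadoc. Assumption: the class is
# launched as "java sun.security.CertStore" (override with CERTSTORE). The tool
# prompts for the keystore passphrase itself, so no secret is handled here.

# Every invocation needs the one required option, the -keystore specifier.
certstore() {
    [ -n "${KEYSTORE:-}" ] || { echo "KEYSTORE must be set" >&2; return 2; }
    ${CERTSTORE:-java sun.security.CertStore} -keystore "$KEYSTORE" "$@"
}

# Step 1: selfcert is the only way to create a fresh entry. The self-signed
# chain is a bootstrap credential, so it gets a short validity (values are
# hypothetical; the tool's defaults are 768 bits and 90 days).
bootstrap_entry() {           # bootstrap_entry <alias>
    certstore -alias "$1" -selfcert -keytype RSA -keysize 1024 -validity 30
}

# Step 2: write a PKCS #10 request for the alias's key and X.500 name; the
# CA authenticates the requestor off-line and returns a chain.
request_csr() {               # request_csr <alias> <csr-file>
    certstore -alias "$1" -csr "$2"
}

# Step 3: replace the self-signed chain with the CA's response. Refuse a
# missing or empty file before the tool is invoked, since certresp overwrites
# the chain already stored under the alias.
install_ca_response() {       # install_ca_response <alias> <chain-file>
    [ -s "$2" ] || { echo "missing or empty CA response: $2" >&2; return 1; }
    certstore -alias "$1" -certresp "$2"
}

# Step 4: list the entries (the default command) with more output than usual.
show_entries() {
    certstore -verbose -list
}
```

Set KEYSTORE to the database path, then call the functions in order; the passphrase prompt appears on each invocation.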
