Difference between Entry Type "keyEntry" and "trustedCertEntry" in a keystore

certificate ssl-certificate keystore keytool jks
31,695

My understanding of keytool is tenuous at best but I think the trick is that with Case 2, by omitting the -genkeypair, you're not generating the necessary private key.

In Case 1, the steps you're using are: create a private key pair (public key and private key), and then import a certificate into the trusted certificates for the keystore. Presumably you have another certificate in the keystore that's joining with the private key though it's possible the trusted cert is acting as the cert or your application isn't using a joined keypair/cert in the same file.

I can say that a 'trustedCertEntry' is a certificate which is trusted by the keystore. This is essential for allowing certificate chains (ex: Root-CA signs Intermediate-CA1 which signs End-Cert1. Without having both Root-CA and Intermediate-CA1 as trustedCertEntry, the keystore doesn't trust the end cert). TrustedCertEntry do not have private keys associated with them, only the public key the certificate contains.

A keyEntry (I think!) is a public/private key pair without the certificate.

A privateKeyEntry is a public/private key pair with an associated CA-signed or self-signed certificate.

Share:
31,695
bluefoggy
Author by

bluefoggy

Linux Enthusiast, loves open source and python programming.

Updated on October 29, 2020

Comments

  • bluefoggy
    bluefoggy over 3 years

    I don't have much knowledge in this area, but i have still tried to do things by googling. Here is the problem i am facing.

    Case 1(Works):

    I have a CA signed certificate and i would like to use it in my Web Application. I first created a keystore. I see that it creates an entry type "keyEntry" in the keystore. Then i import the CA signed certificate to the keystore created.

    Here are the steps:

    keytool -genkeypair  -keystore keystore.jks

    I see an entry in the keystore of type "keyEntry" of alias "mykey"

    Now i import the certificate:

    keytool -importcert -alias abc -file cert.crt -keystore keystore.jks

    Now i see another entry of trype "trustedcertEntry".

    With this keystore i am able to access my web application when i uploaded it.

    Case 2 (doesn't work):

    I create a keystore on the fly while importing the certificate.

    keytool -importcert  -alias abc -file cert.crt -keystore keystore2.jks

    Here i see only one entry type which is "trustedcertEntry"

    With this keystore i am not able to access my web application.

    Question:

    What is key entry type "keyEntry" and "trustedcertEntry" and why does my keystore works only when i have the entry type "keyEntry"

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Where the KeyStore password and key password stored
Error while Importing public certificate to a keystore
PFX to JKS keytool conversion: Alias <*> does not exist
How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?
Android Development: Keytool, creating a keystore?
Getting Certificates from Java Keystore
SSL connection issue with s_client
How to add a certificate chain to a JKS
generate key and certificate using keytool
Keytool create a trusted self signed certificate