Generate Hash Key From Keystore


Generate a .jks keystore using .key and .crt files

How to generate a Certificate Signing Request (CSR) via Java Keystore:

A CSR is encoded text that contains information about the certificate requester. This information includes, but is not limited to, the publisher name for the certificate (referred to as a “Common Name”), organization name (if applicable), and a contact email for the.


Notes :


The X.509 standard assumes a strict hierarchical system of certificate authorities (CAs) for issuing certificates.

Structure of a certificate :

The structure of an X.509 v3 digital certificate is as follows:

Certificate
    Version
    Serial Number
    Algorithm ID
    Issuer
    Validity
        Not Before
        Not After
    Subject
    Subject Public Key Info
        Public Key Algorithm
        Subject Public Key
    Issuer Unique Identifier (Optional)
    Subject Unique Identifier (Optional)
    Extensions (Optional)
Certificate Signature Algorithm
Certificate Signature


Issuer and subject unique identifiers were introduced in Version 2, Extensions in Version 3. Nevertheless, the serial number must be unique for each certificate issued by a specific CA.

Certificate filename extensions :

Common filename extensions for X.509 certificates are:


.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”

.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)

.p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)

.p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)

.pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data. Since the certificate is needed to verify signed data, it is possible to include it in the SignedData structure. A .P7C file is a degenerate SignedData structure, without any data to sign.
PKCS#12 evolved from the PFX (Personal inFormation eXchange) standard and is used to exchange public and private objects in a single file.

Steps :

Tools such as F5 load balancers generate .crt and .key files (they basically use OpenSSL).

Here the .crt file is the signed certificate from a CA and the .key file contains the private key.

These keys and certificates are in PEM format.

– Open both files in Notepad, copy the contents into a new Notepad file and save it with the extension .pem (the commands below use key.pem for the private key and cert.pem for the certificate)

– Now we need to convert these .pem files to .der

Note : DER is a binary format and is not human-readable, whereas PEM is human-readable.
Note : Make sure OpenSSL is installed ( You can download it from : http://www.slproweb.com/products/Win32OpenSSL.html )

– You can use the following commands to convert PEM to DER format.

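Command : openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER ( This command converts the key file (PEM format) containing the private key to DER format. Because of -nocrypt, key.der holds the private key unencrypted, so restrict access to it and delete it once the keystore has been built. )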

Command : openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER ( This command converts the signed certificate (PEM format) to DER format ).

– Now we need to add the signed certificate and the private key into the keystore.

Keytool does not let you import an existing private key for which you already have a certificate.

– Download and compile the java code from the link below :

Link : http://www.agentbob.info/agentbob/80.html ( ImportKey.java )

Command : javac ImportKey.java

The above code will add the private key and the certificate into a .jks keystore.

Default name of the keystore that will be created : keystore.ImportKey ( you can edit the code and change it to identity.jks )

Default password/passphrase for the private key : importkey ( you can edit the code to make changes in it accordingly )

Default alias name given to this key would be : importkey

Once you have the .class file run the command below to generate the keystore ( i.e identity.jks ) :

Command : java ImportKey key.der cert.der ( Note the first argument is the key file and the second is the certificate (both in DER format) )

Note : The keystore is not created in the same directory. You can find it in the root folder ( Eg : C:\Documents and Settings\CoolDragon… )

– Now import your rootca.crt file into this keystore to complete the chaining of certificates

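Command : keytool -import -file rootca.crt -alias <alias> -trustcacerts -keystore keystore.ImportKey -storepass importkey ( replace <alias> with a name for the root CA entry; it must be different from importkey, the alias of the private key )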

– Now list the certificates of the keystore to check if the chaining is fine :


Command : keytool -v -list -keystore keystore.ImportKey -storepass importkey

Identity.jks file is now ready 🙂
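
Added example (not part of the original tutorial or of ImportKey.java): the fingerprints printed by keytool -v -list are hashes of the DER-encoded certificate, so they can be recomputed from cert.pem to confirm that the keystore holds the certificate you converted. The sketch below decodes each PEM block to DER, checks the outer DER length, and formats SHA1/SHA256 fingerprints as colon-separated hex; SAMPLE_PEM is a constructed placeholder, not a real certificate, and the function names are illustrative.

```python
import base64
import hashlib
import re

# Constructed sample: SEQUENCE { INTEGER 2 } inside certificate armor.
# It is NOT a real certificate; it only exercises the PEM/DER handling.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def check_der_sequence(der):
    """Raise ValueError unless der is exactly one definite-length SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                  # short form: length fits in one byte
        header, length = 2, der[1]
    else:                              # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated or trailing data")

def pem_to_der(pem_text):
    """Return DER bytes for every CERTIFICATE block in a PEM file or bundle."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        # PEM body is Base64 of the DER bytes, wrapped across lines.
        der = base64.b64decode("".join(body.split()), validate=True)
        check_der_sequence(der)
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def fingerprint(der, algo="sha256"):
    """Hash the DER bytes; format as colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
```

Run pem_to_der() on the text of cert.pem and compare fingerprint(der, "sha1") and fingerprint(der, "sha256") with the SHA1 and SHA256 lines that keytool -v -list shows for the importkey entry.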

Introduction

This article covers the creation of a new Java keystore using Java keytool.


Process


Follow the step-by-step guidelines below.
1. Create a new keystore:
Open a command prompt in the same directory as Java keytool; alternatively, you may specify the full path of keytool in your command. Pay close attention to the alias you specify in this command as it will be needed later on.
keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048
2. Generate a CSR based on the new keystore:
keytool -certreq -alias mydomain -keystore KeyStore.jks -file mydomain.csr
Answer each question when prompted. Use the chart below to guide you through the process:

Field                 Example
First & Last Name     Domain Name for SSL Certificates
                      Entity Name for Code Signing
Organizational Unit   Support (Optional, e.g. a department)
Organization          GMO GlobalSign Inc (Entity's Legal Name)
City / Locality       Portsmouth (Full City name)
State / Province      New Hampshire (Full State Name)
Country Code          US (2 Letter Code)


Confirm or reject the details by typing 'Yes' or 'No' and pressing Enter.
Press Enter to use the same password as the keystore; alternatively, specify a separate password and press Enter.
You should now have a file called mydomain.csr which can be used to order or reissue a digital certificate from GlobalSign.
3. While the order processes, download the root & intermediate certificates for your order. You can identify the correct root & intermediate certificate based on hash algorithm and product type.
4. Import the root & intermediate certificates into your keystore. Import the root certificate first, followed by the intermediate. Make sure you specify the correct alias of 'root' and 'intermediate' respectively.
keytool -import -trustcacerts -alias root -file root.crt -keystore KeyStore.jks
keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks
5. Download & import your new certificate
Download your new certificate; save it as mydomain.crt.
Use the same alias as the private key so it associates them together. The alias here must match the alias of the private key in the first command.
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore KeyStore.jks
The keystore is now complete and can be used for signing code or deploying on a Java based web server depending on the product you ordered.