comparison src/linux/doc/man/keytool.1 @ 7317:bfae8dda86b1

Added tag jdk7u65-b06 for changeset 7d8e5d907895
author katleman
date Tue, 01 Apr 2014 12:01:47 -0700
parents 23bdcede4e39
children
comparison
5:0a21334cf7b6 6:42a9c65ad32e
1 ." Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved. 1 ." Copyright (c) 1998-2011 keytool tool, Oracle and/or its affiliates. All rights reserved.
2 ." DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 2 ." DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
3 ." 3 ."
4 ." This code is free software; you can redistribute it and/or modify it 4 ." This code is free software; you can redistribute it and/or modify it
5 ." under the terms of the GNU General Public License version 2 only, as 5 ." under the terms of the GNU General Public License version 2 only, as
6 ." published by the Free Software Foundation. 6 ." published by the Free Software Foundation.
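Review bot: On new line 1 the copyright line now reads "1998-2011 keytool tool, Oracle and/or its affiliates", which puts the tool name inside the legal notice that line 2 says must not be altered. Keep the original "Copyright (c) 1998, 2011, Oracle and/or its affiliates." form so header checks still match it. If the year was meant to change, note that the .TH date on new line 22 moves to 2012 while this notice still ends at 2011.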
17 ." 17 ."
18 ." Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 18 ." Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
19 ." or visit www.oracle.com if you need additional information or have any 19 ." or visit www.oracle.com if you need additional information or have any
20 ." questions. 20 ." questions.
21 ." 21 ."
22 .TH keytool 1 "10 May 2011" 22 .TH keytool 1 "16 Mar 2012"
23 23
24 .LP 24 .LP
25 .SH "Name" 25 .SH "Name"
26 keytool \- Key and Certificate Management Tool 26 keytool \- Key and Certificate Management Tool
27 .LP 27 .LP
200 .LP 200 .LP
201 Please consult the 201 Please consult the
202 .na 202 .na
203 \f2Java Cryptography Architecture API Specification & Reference\fP @ 203 \f2Java Cryptography Architecture API Specification & Reference\fP @
204 .fi 204 .fi
205 http://download.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA for a full list of \f2\-keyalg\fP and \f2\-sigalg\fP you can choose from. 205 http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA for a full list of \f2\-keyalg\fP and \f2\-sigalg\fP you can choose from.
206 .LP 206 .LP
207 .SS 207 .SS
208 Common Options 208 Common Options
209 .LP 209 .LP
210 .LP 210 .LP
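Review bot: The replacement link on new line 205 is still plain http://, and it is the reference readers follow to choose \-keyalg and \-sigalg values. If docs.oracle.com serves the page over TLS, switch this and the other rewritten docs.oracle.com links in this change to https:// while the host name is being edited anyway.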
276 .LP 276 .LP
277 .LP 277 .LP
278 Currently keytool supports these named extensions (case\-insensitive): 278 Currently keytool supports these named extensions (case\-insensitive):
279 .LP 279 .LP
280 .LP 280 .LP
281 .TS
281 .if \n+(b.=1 .nr d. \n(.c-\n(c.-1 282 .if \n+(b.=1 .nr d. \n(.c-\n(c.-1
282 .de 35 283 .de 35
283 .ps \n(.s 284 .ps \n(.s
284 .vs \n(.vu 285 .vs \n(.vu
285 .in \n(.iu 286 .in \n(.iu
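Review bot: The .TS added at new line 281 (closed by the .TE at new line 682) wraps lines that are already expanded tbl output, such as ".if \n+(b.=1 .nr d. \n(.c-\n(c.-1", rather than table source. Please confirm the page still renders when a formatter pipeline runs tbl over it, or check in the table source and generate this block at build time.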
676 .rm f+ 677 .rm f+
677 .rm g+ 678 .rm g+
678 .rm h+ 679 .rm h+
679 .rm i+ 680 .rm i+
680 .rm j+ 681 .rm j+
682 .TE
681 .if \n-(b.=0 .nr c. \n(.c-\n(d.-38 683 .if \n-(b.=0 .nr c. \n(.c-\n(d.-38
682 684
683 .LP 685 .LP
684 .LP 686 .LP
685 For name as OID, value is the HEX dumped DER encoding of the extnValue for the extension excluding the OCTET STRING type and length bytes. Any extra character other than standard HEX numbers (0\-9, a\-f, A\-F) are ignored in the HEX string. Therefore, both \f2"01:02:03:04"\fP and \f2"01020304"\fP are accepted as identical values. If there's no value, the extension has an empty value field then. 687 For name as OID, value is the HEX dumped DER encoding of the extnValue for the extension excluding the OCTET STRING type and length bytes. Any extra character other than standard HEX numbers (0\-9, a\-f, A\-F) are ignored in the HEX string. Therefore, both \f2"01:02:03:04"\fP and \f2"01020304"\fP are accepted as identical values. If there is no value, the extension has an empty value field then.
686 .LP 688 .LP
687 .LP 689 .LP
688 A special name \f2'honored'\fP, used in \f2\-gencert\fP only, denotes how the extensions included in the certificate request should be honored. The value for this name is a comma separated list of \f2"all"\fP (all requested extensions are honored), \f2"name{:[critical|non\-critical]}"\fP (the named extension is honored, but using a different isCritical attribute) and \f2"\-name"\fP (used with all, denotes an exception). Requested extensions are not honored by default. 690 A special name \f2'honored'\fP, used in \f2\-gencert\fP only, denotes how the extensions included in the certificate request should be honored. The value for this name is a comma separated list of \f2"all"\fP (all requested extensions are honored), \f2"name{:[critical|non\-critical]}"\fP (the named extension is honored, but using a different isCritical attribute) and \f2"\-name"\fP (used with all, denotes an exception). Requested extensions are not honored by default.
689 .LP 691 .LP
690 .LP 692 .LP
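Review bot: New line 687 expands "there's" but the sentence still ends awkwardly ("If there is no value, the extension has an empty value field then.") and the same line keeps the agreement error "Any extra character ... are ignored". Since the line is being edited, suggest "If no value is given, the extension has an empty value field." and "Any extra characters ... are ignored".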
927 .LP 929 .LP
928 If the SSL server is behind a firewall, \f2\-J\-Dhttps.proxyHost=proxyhost\fP and \f2\-J\-Dhttps.proxyPort=proxyport\fP can be specified on the command line for proxy tunneling. See the 930 If the SSL server is behind a firewall, \f2\-J\-Dhttps.proxyHost=proxyhost\fP and \f2\-J\-Dhttps.proxyPort=proxyport\fP can be specified on the command line for proxy tunneling. See the
929 .na 931 .na
930 \f2JSSE Reference Guide\fP @ 932 \f2JSSE Reference Guide\fP @
931 .fi 933 .fi
932 http://download.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html for more information. 934 http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html for more information.
933 .LP 935 .LP
934 \f3Note\fP: This option can be used independently of a keystore. 936 \f3Note\fP: This option can be used independently of a keystore.
935 .TP 3 937 .TP 3
936 \-printcrl \-file crl_ {\-v} 938 \-printcrl \-file crl_ {\-v}
937 .LP 939 .LP
1104 .LP 1106 .LP
1105 .SS 1107 .SS
1106 Importing the Certificate Reply from the CA 1108 Importing the Certificate Reply from the CA
1107 .LP 1109 .LP
1108 .LP 1110 .LP
1109 Once you've imported a certificate authenticating the public key of the CA you submitted your certificate signing request to (or there's already such a certificate in the "cacerts" file), you can import the certificate reply and thereby replace your self\-signed certificate with a certificate chain. This chain is the one returned by the CA in response to your request (if the CA reply is a chain), or one constructed (if the CA reply is a single certificate) using the certificate reply and trusted certificates that are already available in the keystore where you import the reply or in the "cacerts" keystore file. 1111 Once you've imported a certificate authenticating the public key of the CA you submitted your certificate signing request to (or there is already such a certificate in the "cacerts" file), you can import the certificate reply and thereby replace your self\-signed certificate with a certificate chain. This chain is the one returned by the CA in response to your request (if the CA reply is a chain), or one constructed (if the CA reply is a single certificate) using the certificate reply and trusted certificates that are already available in the keystore where you import the reply or in the "cacerts" keystore file.
1110 .LP 1112 .LP
1111 .LP 1113 .LP
1112 For example, suppose you sent your certificate signing request to VeriSign. You can then import the reply via the following, which assumes the returned certificate is named "VSMarkJ.cer": 1114 For example, suppose you sent your certificate signing request to VeriSign. You can then import the reply via the following, which assumes the returned certificate is named "VSMarkJ.cer":
1113 .LP 1115 .LP
1114 .nf 1116 .nf
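Review bot: New line 1111 expands "there's" to "there is" but keeps "Once you've" at the start of the same sentence. Expand both or neither so the contraction cleanup is consistent.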
1287 .LP 1289 .LP
1288 Keystore implementations are provider\-based. More specifically, the application interfaces supplied by \f2KeyStore\fP are implemented in terms of a "Service Provider Interface" (SPI). That is, there is a corresponding abstract \f2KeystoreSpi\fP class, also in the \f2java.security\fP package, which defines the Service Provider Interface methods that "providers" must implement. (The term "provider" refers to a package or a set of packages that supply a concrete implementation of a subset of services that can be accessed by the Java Security API.) Thus, to provide a keystore implementation, clients must implement a "provider" and supply a KeystoreSpi subclass implementation, as described in 1290 Keystore implementations are provider\-based. More specifically, the application interfaces supplied by \f2KeyStore\fP are implemented in terms of a "Service Provider Interface" (SPI). That is, there is a corresponding abstract \f2KeystoreSpi\fP class, also in the \f2java.security\fP package, which defines the Service Provider Interface methods that "providers" must implement. (The term "provider" refers to a package or a set of packages that supply a concrete implementation of a subset of services that can be accessed by the Java Security API.) Thus, to provide a keystore implementation, clients must implement a "provider" and supply a KeystoreSpi subclass implementation, as described in
1289 .na 1291 .na
1290 \f2How to Implement a Provider for the Java Cryptography Architecture\fP @ 1292 \f2How to Implement a Provider for the Java Cryptography Architecture\fP @
1291 .fi 1293 .fi
1292 http://download.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html. 1294 http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html.
1293 .LP 1295 .LP
1294 Applications can choose different \f2types\fP of keystore implementations from different providers, using the "getInstance" factory method supplied in the \f2KeyStore\fP class. A keystore type defines the storage and data format of the keystore information, and the algorithms used to protect private/secret keys in the keystore and the integrity of the keystore itself. Keystore implementations of different types are not compatible. 1296 Applications can choose different \f2types\fP of keystore implementations from different providers, using the "getInstance" factory method supplied in the \f2KeyStore\fP class. A keystore type defines the storage and data format of the keystore information, and the algorithms used to protect private/secret keys in the keystore and the integrity of the keystore itself. Keystore implementations of different types are not compatible.
1295 .LP 1297 .LP
1296 \f3keytool\fP works on any file\-based keystore implementation. (It treats the keystore location that is passed to it at the command line as a filename and converts it to a FileInputStream, from which it loads the keystore information.) The \f3jarsigner\fP and \f3policytool\fP tools, on the other hand, can read a keystore from any location that can be specified using a URL. 1298 \f3keytool\fP works on any file\-based keystore implementation. (It treats the keystore location that is passed to it at the command line as a filename and converts it to a FileInputStream, from which it loads the keystore information.) The \f3jarsigner\fP and \f3policytool\fP tools, on the other hand, can read a keystore from any location that can be specified using a URL.
1297 .LP 1299 .LP
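Review bot: New line 1290 still spells the class "KeystoreSpi" twice, while the same line writes \f2KeyStore\fP and the java.security class is KeyStoreSpi. The change already touches this paragraph for the URL on new line 1294, so correct the capitalisation here too; readers searching the API documentation for the name as written may not find it.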
1700 o 1702 o
1701 the 1703 the
1702 .na 1704 .na
1703 \f4Security\fP @ 1705 \f4Security\fP @
1704 .fi 1706 .fi
1705 http://download.oracle.com/javase/tutorial/security/index.html trail of the 1707 http://docs.oracle.com/javase/tutorial/security/index.html trail of the
1706 .na 1708 .na
1707 \f4Java Tutorial\fP @ 1709 \f4Java Tutorial\fP @
1708 .fi 1710 .fi
1709 http://download.oracle.com/javase/tutorial/ for examples of the use of \f3keytool\fP 1711 http://docs.oracle.com/javase/tutorial/ for examples of the use of \f3keytool\fP
1710 .RE 1712 .RE
1711 1713
1712 .LP 1714 .LP
1713 .SH "CHANGES" 1715 .SH "CHANGES"
1714 .LP 1716 .LP