
When you import a certificate or private key into a keystore, such as keystore.jks or keystore.p12, or into a truststore, such as trust.p12, keytool lists the resulting entry as either a trustedCertEntry (a certificate only) or a PrivateKeyEntry (a private key together with its certificate chain).
Key stores are meant to contain the public certificates and private keys that a server uses for SSL/TLS. A key store should therefore contain only PrivateKeyEntry entries.
Trust stores are meant to contain public certificates, not private keys, that a client uses to establish trust with a server. A trust store should therefore contain only trustedCertEntry entries.
Let's say you create a file named example.com.crt using OpenSSL and example.com.crt contains a single public certificate.
~]$ cat example.com.crt
-----BEGIN CERTIFICATE-----
MIIDPDCCAiQCCQCqNSolx2t5ATANBgkqhkiG9w0BAQ0FADBgMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCV0kxETAPBgNVBAcMCEFwcGxldG9uMQ8wDQYDVQQKDAZGcmVl
S0IxDzANBgNVBAsMBkZyZWVLQjEPMA0GA1UEAwwGRnJlZUtCMB4XDTIxMDcwOTA3
-----END CERTIFICATE-----
Now import example.com.cer into keystore.p12.
keytool -import -file example.com.cer -alias example.com.cer -keystore keystore.p12 -storetype pkcs12 -storepass itsasecret
Then list the contents of keystore.p12.
keytool -list -keystore keystore.p12 -storetype pkcs12 -storepass itsasecret
The example.com certificate is listed as a trustedCertEntry.
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
example.com.cer, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): DA:2A:D0:A6:7C:BB:B4:78:B7:8E:67:6B:2D:3C:13:59:52:33:85:56:AD:14:B5:C9:06:3E:4F:49:97:91:BE:EE
PEM file
Let's say you create a PEM file that contains both example.com.cer (the public certificate) and example.com.key (the private key).
cat example.com.cer example.com.key > example.com.pem
Viewing example.com.pem will show that the PEM file contains both the public certificate and private key.
-----BEGIN CERTIFICATE-----
MIIDPDCCAiQCCQCqNSolx2t5ATANBgkqhkiG9w0BAQ0FADBgMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCV0kxETAPBgNVBAcMCEFwcGxldG9uMQ8wDQYDVQQKDAZGcmVl
S0IxDzANBgNVBAsMBkZyZWVLQjEPMA0GA1UEAwwGRnJlZUtCMB4XDTIxMDcwOTA3
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAt/idF8d5M0vePuTPh5BR8Njhup16luUpAx4W0qCc2doEK/QX
ewTjiALfs+iFN5dASIl2klcSkEhP78lMwlugi9R5fsbw0hrGET916h1lX7YD5xS6
prgsRDpyW2BqIEhnRuFyfGPRf2ztJU1rZCEfLrxxLwem+IxCCd5en7FwBScI1Z66
-----END RSA PRIVATE KEY-----
Now import example.com.pem into keystore.p12.
keytool -import -file example.com.pem -alias example.com.pem -keystore keystore.p12 -storetype pkcs12 -storepass itsasecret
keytool warns that the certificate already exists in the keystore and asks whether to add it anyway.
Certificate already exists in keystore under alias <example.com>
Do you still want to add it? [no]: yes
Certificate was added to keystore
If you answer yes and then list the contents of the keystore, there are now two example.com entries, both listed as trustedCertEntry with exactly the same fingerprint. This shows that even when a PEM file contains a private key, keytool -import (an alias for -importcert) reads only the certificate blocks in the file and ignores the private key, so the result is still a trustedCertEntry.
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 2 entries
example.com.cer, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): DA:2A:D0:A6:7C:BB:B4:78:B7:8E:67:6B:2D:3C:13:59:52:33:85:56:AD:14:B5:C9:06:3E:4F:49:97:91:BE:EE
example.com.pem, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): DA:2A:D0:A6:7C:BB:B4:78:B7:8E:67:6B:2D:3C:13:59:52:33:85:56:AD:14:B5:C9:06:3E:4F:49:97:91:BE:EE
PKCS12 file
Let's say you create a PKCS12 file that contains both example.com.cer (the public certificate) and example.com.key (the private key).
openssl pkcs12 -export -in example.com.crt -inkey example.com.key -out example.com.p12 -name example.com.p12
Now import example.com.p12 into keystore.p12. Because this is a keystore-to-keystore copy, use -importkeystore rather than -import.
keytool -importkeystore \
  -srckeystore example.com.p12 \
  -srcstoretype pkcs12 \
  -srcalias example.com.p12 \
  -srcstorepass itsasecret \
  -destkeystore keystore.p12 \
  -deststoretype pkcs12 \
  -deststorepass itsasecret \
  -destalias example.com.p12
The keystore now contains three entries, all with the same example.com certificate fingerprint. However, notice that example.com.p12 is a privateKeyEntry: -importkeystore copies the private key along with its certificate, which is the entry type a server keystore needs in order to present the certificate during the SSL/TLS handshake.
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 3 entries
example.com.cer, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): DA:2A:D0:A6:7C:BB:B4:78:B7:8E:67:6B:2D:3C:13:59:52:33:85:56:AD:14:B5:C9:06:3E:4F:49:97:91:BE:EE
example.com.pem, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): DA:2A:D0:A6:7C:BB:B4:78:B7:8E:67:6B:2D:3C:13:59:52:33:85:56:AD:14:B5:C9:06:3E:4F:49:97:91:BE:EE
example.com.p12, Jul 9, 2021, privateKeyEntry,
Certificate fingerprint (SHA-256): DA:2A:D0:A6:7C:BB:B4:78:B7:8E:67:6B:2D:3C:13:59:52:33:85:56:AD:14:B5:C9:06:3E:4F:49:97:91:BE:EE
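The three listings above make the distinction between trustedCertEntry and PrivateKeyEntry visible, but nothing stops a private key from being copied into a trust store (or a server key store from ending up with certificates only). The following shell script is an added example, not part of the original article, that audits a keytool -list listing for exactly those two mistakes. The audit_store function reads the listing on stdin and the store's intended role as its argument; the sample_listing function is constructed sample output in the same shape as the third listing above (the fingerprint values are placeholders, not the article's). Running it against a real store assumes keytool is on PATH, as in the commented usage line.

```sh
#!/bin/sh
# Added example (not from the original article): check that a keytool -list
# listing matches the store's role. A trust store must hold no PrivateKeyEntry;
# a server key store must hold at least one PrivateKeyEntry and ideally nothing else.
#
# Usage against a real store (assumes keytool on PATH and the article's store/password):
#   keytool -list -keystore keystore.p12 -storetype pkcs12 -storepass itsasecret | audit_store keystore
#   keytool -list -keystore trust.p12    -storetype pkcs12 -storepass itsasecret | audit_store truststore

# Count the entries of one type in a listing read from stdin. keytool prints each
# entry as "<alias>, <date>, <type>," so the type is matched at the end of the line.
# Matching is case-insensitive so both "PrivateKeyEntry" and "privateKeyEntry" count.
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
count_entries() {
  grep -ic ", $1,\$" || true
}

# audit_store <keystore|truststore>
# Exit status: 0 = OK, 1 = violation, 2 = warning (key store also holds
# trust-only entries), 64 = bad usage.
audit_store() {
  role=$1
  listing=$(cat)
  priv=$(printf '%s\n' "$listing" | count_entries privatekeyentry)
  trusted=$(printf '%s\n' "$listing" | count_entries trustedcertentry)
  case $role in
    keystore)
      if [ "$priv" -eq 0 ]; then
        echo "FAIL: key store has no PrivateKeyEntry; a server cannot present a certificate without its private key" >&2
        return 1
      fi
      if [ "$trusted" -gt 0 ]; then
        echo "WARN: key store also holds $trusted trustedCertEntry entries; those belong in a trust store" >&2
        return 2
      fi
      ;;
    truststore)
      if [ "$priv" -gt 0 ]; then
        echo "FAIL: trust store holds $priv PrivateKeyEntry entries; private keys must not ship with trust material" >&2
        return 1
      fi
      ;;
    *)
      echo "usage: audit_store keystore|truststore" >&2
      return 64
      ;;
  esac
  echo "OK: $role holds $priv PrivateKeyEntry and $trusted trustedCertEntry entries"
  return 0
}

# Constructed sample listing (same shape as keytool -list output; fingerprints are placeholders).
sample_listing() {
  cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 3 entries
example.com.cer, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): PLACEHOLDER
example.com.pem, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): PLACEHOLDER
example.com.p12, Jul 9, 2021, privateKeyEntry,
Certificate fingerprint (SHA-256): PLACEHOLDER
EOF
}

# Demonstration: the sample store is usable as a key store (with a warning about the
# stray trustedCertEntry entries) but fails outright as a trust store.
sample_listing | audit_store keystore || :
sample_listing | audit_store truststore || :
```

The counts come from the entry lines only, so the "Your keystore contains N entries" summary line and the fingerprint lines are ignored; if keytool is run with -v the entry lines change shape, so pipe the plain -list output as shown.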