Chapter 5. CERTivity®'s KeyStore

Table of Contents

KeyStores Capabilities
KeyStore Interface Organization
Create a New KeyStore
Open an Existing KeyStore
Open JREs CA KeyStores
KeyStore Persistence (Reloading opened KeyStores)
Open Microsoft Windows KeyStores
Open Windows Root KeyStore
Open Windows User KeyStore
Change KeyStore Password
View/Convert KeyStore Type
View Certificate Details
View Public Key Details
View Certificate Extensions Details
View Certificate Extensions ASN.1 Representation
View Certificate Chain Details
View Private Key Details
Generate Key Pair
Manage Certificate Extensions
Generate Secret Key
Import Trusted Certificate
Certificate Trust Established by User
Import Key Pair
SSL Certificates Retriever
Extend Validity
Regenerate Key Pair
Generate CSR File
Import CA Reply
Select CA Issuer
Sign Certificate by <aliasForIssuer>
Export Key Pair
Export Certificate Chain
Export Certificate
Export Public Key
Export Private Key
Rename a KeyStore Entry
Delete KeyStore Entry
Copy KeyStore Entry
Cut KeyStore Entry
Paste KeyStore Entry

KeyStores Capabilities

A KeyStore is a protected database of cryptographic keys - private, public, secret. Private keys in a KeyStore have a certificate chain associated with them, which authenticates the corresponding public key - together they form a Key Pair entry - you cannot have just a private key by its own. On the other hand a KeyStore can contain just the certificates from trusted entities.

A Certificate embeds a public key belonging to an entity. It certifies the public key and all the information via digitally signature of another entity (the issuer, e.g. - a person, company, etc.), saying that the embedded public key (and some other information) belongs to the declared entity (the subject) and has some specific value. That is why it is also called a Public Key Certificate. The certificate is usually signed by a trusted Certification Authority (CA) or it can be self signed.

CERTivity can handle X.509 certificates types, both version 1 and 3.

Besides Key Pair and Certificate entries (asymmetric keys) some types of KeyStores can store Secret Keys (symmetric keys) as well.

Hence a KeyStore is a protected collection of Key Pair, Certificate and Secret Keys entries and each such entry is addressable via an unique alias or entry name. KeyStores are stored according to their standards and they are protected by a general password while the Private Keys and Secret Keys are protected by different individual passwords.

CERTivity asks for these passwords when operations are requiring access to the keys. Once a Private key or Secret Key is unlocked it will stay unlocked while the KeyStore is loaded.

CERTivity can manage the following KeyStore types - their main capabilities according to their standard are described below.

Table 5.1. KeyStores capabilities

Keystore typeKeystore password protectionSupports Secret KeyAliases Case SensitiveProvider
jks - Java KeyStore (Oracle's KeyStore format)YesNoNo - use lower caseDefault JCE
pkcs12 - Public-Key Cryptography Standards #12 KeyStore (RSA's Personal Information Exchange Syntax Standard)Yes (for password that is greater than 7 characters, you may need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files)NoHalf - Case awareBouncy Castle
jceks - Java Cryptography Extension KeyStore (More secure version of JKS)YesYesNo - use lower caseDefault JCE
bks/bks-v1 - Bouncy Castle KeyStore (Bouncy Castle's version of JKS);Yes. Note the empty string ("") universal password. If the KeyStore is unlocked using the universal password, and if the password is not changed until saving the KeyStore, the empty string will be set as the KeyStore password when saving.YesYesBouncy Castle
uber - Bouncy Castle UBER KeyStore (More secure version of BKS)YesYesYesBouncy Castle
Windows Root CAYesNoYesDefault JCE (on Oracle - SunMSCAPI )
Windows UserYesYesYesDefault JCE (on Oracle - SunMSCAPI )

Please note that PKCS12 KeyStores have no password protection for their key pair entries.

"Case aware" means that an alias can be defined both with low case and upper case, will be saved as this, but there cannot be two aliases which differ just by the case of their letters.

Working with Windows Root CA KeyStore and Windows User KeyStore are available only on Windows platform and additional confirmation and warning panels will be displayed by the Windows system when installing, deleting, renaming a KeyStore entry. Hence, the second confirmation dialogs are not under the control of CERTivity application.

The BKS/BKS-V1 type of KeyStore allows for being accessed both with the KeyStore password, as well as with the empty string password - this is not under the control of the CERTivity application .


You can use KeyStore examples provided in the distribution kit in the folder doc/samples/keystore, to test the KeyStore features.