Learn_Keytool_Part_4.txt
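Generating Certificates using Keytool
----------------------------------------
Note: the examples below pass the store password as "-storepass env:KPWD". keytool's documented way to read a password from an environment variable is the modifier form "-storepass:env KPWD"; with "env:KPWD" as the argument, keytool most likely uses that text as the literal password instead of the value of KPWD. Check which one your JDK applies before trusting the keystore password.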
keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -keystore myStore.p12 -storetype PKCS12 -validity 730 -sigalg sha256WithRSA -dname "CN=Testing" -storepass env:KPWD
keytool -list -keystore myStore.p12 -storetype pkcs12 -storepass env:KPWD -v
Setting KeyUsage
-------------------
Critical KeyUsage
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing" -ext KU:C="digitalSignature"
Multiple KeyUsage
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing" -ext KU:C="digitalSignature,dataEncipherment"
Setting Non-Critical KeyUsage
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing" -ext KU="digitalSignature,dataEncipherment"
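Using short forms for Key Usage (the second example turns on most KU bits only to show the abbreviations; a real certificate should assert just the usages its key needs)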
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing" -ext KU="dS,dataE"
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext KU:critical="dS,crlS,encipherO,decipherO,kA,keyCertS,nR"
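Setting Extended KeyUsage
--------------------------
Note: in the second example here, and in the first Basic Constraints example, the KU list ends with a stray comma after crlSign, which looks like a typo.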
keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext KU:critical="dS,nR" -ext EKU:C="codeSigning"
keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext KU:critical="digitalSignature,keyCertSign,crlSign," -ext EKU="serverAuth,clientAuth"
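Setting Basic Constraints
---------------------------
Note: RFC 5280 requires Basic Constraints to be marked critical in CA certificates, so a real "ca:true" certificate would use -ext BC:critical=... rather than the non-critical form shown. pathlen only has meaning when ca is true; in the second example (ca:false) the pathlen:0 value serves no purpose.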
keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext KU:critical="digitalSignature,keyCertSign,crlSign," -ext EKU="serverAuth,clientAuth" -ext BC="ca:true,pathlen:0"
keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext KU:critical="dS,nR" -ext EKU:C="codeSigning" -ext BC="ca:false,pathlen:0"
Setting Subject Alternative Names
---------------------------------
keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext SAN="DNS:cyberhashira.com"
keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext SAN="DNS:cyberhashira.com,IP:127.0.0.1"
keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext SAN="DNS:cyberhashira.com,IP:127.0.0.1,EMAIL:web-admin@cyberhashira.com"
Setting CDP (CRL Distribution Points)
------------
Single CDP
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext crl="uri:http://127.0.0.1/test.crl"
Multiple CDP
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext crl="uri:http://127.0.0.1/test.crl,uri:ftp://127.0.0.1/test.crl,uri:ldap://127.0.0.1/test.crl"
Setting Authority Information Access
--------------------------------------
Setting issuer cert path
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext AIA="caIssuers:uri:http://cyberhashira.com/issuer.cer"
Setting OCSP path (shown together with the extensions from the sections above)
> keytool -genkey -alias testSigningKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype PKCS12 -storepass env:KPWD -dname "CN=Testing,O=Acme Inc.,OU=PKI" -ext KU:critical="dS,nR" -ext EKU:C="codeSigning" -ext BC="ca:false,pathlen:0" -ext SAN="DNS:cyberhashira.com,IP:127.0.0.1,EMAIL:web-admin@cyberhashira.com" -ext crl="uri:http://127.0.0.1/test.crl,uri:ftp://127.0.0.1/test.crl,uri:ldap://127.0.0.1/test.crl" -ext AIA="caIssuers:uri:http://cyberhashira.com/issuer.cer,ocsp:uri:http://ocsp.cyberhashira.com"