Have you ever tried to communicate with somebody/something through any kind of technology? Most of the time “those” people/systems like privacy, in a way that they like their communication with everybody including you to be private. Hence once you want to communicate with them they give you something called a “public key” ( or “public-key certificate” ) and ask you to give them yours. Usually when you talk to different sources, nobody would guide you through on how to create that “public key” of yours, “they” would just want it, but you would be left alone to figure out how you should generate it.
Hence this little guide will show you one of many ways on how to generate a pair of X.509 public/private keys, and how to access this magic pair to get that “public key”, so it can be given to anyone who needs it.
First, let us throw a couple of sentences on how these keys are used. It is actually very simple – there is “YOU” and “THEY”:
- YOU: generate a pair of public/private keys (where whatever is encrypted with your public key can only be decrypted with your private key)
- YOU: hide your private key from everybody
- YOU: give your public key to anybody who wants to communicate with you
- THEY: generate a pair of public/private keys
- THEY: hide their private key from everybody including YOU
- THEY: give their public key to anybody who wants to communicate with them
Now when YOU and THEY have each others public keys and their own private keys communication may begin:
- YOU: write your secret message, encrypt it with THEIR public key and send to them
- THEY: receive your top secret message and using THEIR private key decrypt it
- THEY: write you an answer, encrypt it with YOUR public key, and send to you
- YOU: receive their top secret response and using YOUR private key decrypt it
Told you it is very simple!
Now let’s see how to do the magic – how to generate a pair of YOUR public and private keys.
There are number of ways – tools/libraries/code snippets/etc.. I would show you one of the simplest ways how this can be archived using a tool called… any guess? Yes – a “keytool” – make sense, right?
“keytool” is a java tool that has a great manual, and since its java – it’ll work on any OS that has JVM. In order to get/download a keytool, you just have to install Java (JRE) on your system (95% that you already have it installed, hence you can go ahead and use “keytool” without needing to install/download anything else).
Examples here are run on Linux (Ubuntu), but as long as you have Java installed, it does not really matter what OS you have to get the job done.
So, fire up the terminal (Windows’ “cmd”) and let’s generate a pair of public/private keys now:
$ keytool -genkey -alias otherguy -keypass p@ssw0rd -keystore our.keystore Enter key store password: ksp@ssw0rd You are about to enter information that will be incorporated into your certificate request. This information is what is called a Distinguished Name or DN. There are quite a few fields but you can use supplied default values, displayed between brackets, by just hitting <Enter>, or blank the field by entering the <.> character before hitting <Enter>. Common Name (hostname, IP, or your name): myname Organization Name (company) [The Sample Company]: my company Organizational Unit Name (department, division): department of departments Locality Name (city, district) [Sydney]: gorodok State or Province Name (full name) [NSW]: state of new noisy Country Name (2 letter code) [AU]: zz |
As you might figured already, a keystore is a small database, that we just created, that would hold all the keys (private/public) for many systems – right now we only have one pair, but later we can add more keys to the keystore. So let’s look at this keystore that we just generated:
$ ls -l total 4 -rw-r--r-- 1 user group 1641 2008-04-22 20:46 our.keystore |
But now you need to be able to access this “database” to get a public key, so you can share it with others. It is done by exporting this public key – again, very simple:
$ keytool -export -rfc -alias otherguy -file us-to-otherguy.cer -keystore our.keystore Enter key store password: ksp@ssw0rd |
let’s see what files we have now:
$ ls -l total 8 -rw-r--r-- 1 user group 1641 2008-04-22 20:46 our.keystore -rw-r--r-- 1 user group 1189 2008-04-22 20:48 us-to-otherguy.cer |
And here it is (!) your public key certificate – “us-to-otherguy.cer”. Let’s see what’s inside:
$ cat us-to-otherguy.cer -----BEGIN CERTIFICATE----- MIIDQjCCAwGgAwIBAAIBATAJBgcqhkjOOAQDMIGGMQ8wDQYDVQQDDAZteW5hbWUxEzARBgNVBAoM Cm15IGNvbXBhbnkxIjAgBgNVBAsMGWRlcGFydG1lbnQgb2YgZGVwYXJ0bWVudHMxEDAOBgNVBAcM B2dvcm9kb2sxGzAZBgNVBAgMEnN0YXRlIG9mIG5ldyBub2lzeTELMAkGA1UEBgwCenowHhcNMDgw NDIzMDA0NjM4WhcNMDgwNzIyMDA0NjM4WjCBhjEPMA0GA1UEAwwGbXluYW1lMRMwEQYDVQQKDApt eSBjb21wYW55MSIwIAYDVQQLDBlkZXBhcnRtZW50IG9mIGRlcGFydG1lbnRzMRAwDgYDVQQHDAdn b3JvZG9rMRswGQYDVQQIDBJzdGF0ZSBvZiBuZXcgbm9pc3kxCzAJBgNVBAYMAnp6MIIBuDCCASwG ByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2N WPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P2 08UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA 9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3 zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL Zl6Ae1UlZAFMO/7PSSoDgYUAAoGBAPDA5E5GVGzMBw3IWldpyGBs8Dwr7ArYdNRIPH7veELcENhO 7jNdBinJ/JUCcY0XoIhNVXVNkyABpGsBISfGPwgv1meyLcs0DK6ndEDBYGH0Cwoahhtb7EBhcqWQ kqojyVtPRdNTPd8cyPDjbOOapv65+8Xe0FQoCtJXWiwF8Z17MAkGByqGSM44BAMDMAAwLQIVAJHL 9Syzc8LIEp6uNjVI+f/ox4dhAhQOug96d7B5V/rGytlAJiml9f8Qqg== -----END CERTIFICATE----- |
that is exactly what you send to everybody else to encrypt their secret messages!
The last thing that I want to show you is how to see what’s inside the keytore database:
$ keytool -list -v -keystore our.keystore Enter key store password: ksp@ssw0rd Key store type: gkr Key store provider: GNU-CRYPTO Key store contains 1 entry(ies) Alias name: otherguy Creation timestamp: Tuesday April 22, 2008 AD - 8:46:38;616 o`clock PM EDT Entry type: key-entry Certificate chain length: 1 Certificate[1]: Owner: CN=myname,O=my company,OU=department of departments,L=gorodok,ST=state of new noisy,C=zz Issuer: CN=myname,O=my company,OU=department of departments,L=gorodok,ST=state of new noisy,C=zz Serial number: 1 Valid from: Wednesday April 23, 2008 AD - 1:46:59;989 o`clock AM EDT until: Tuesday July 22, 2008 AD - 1:46:59;990 o`clock AM EDT Certificate fingerprints MD5: BB:35:C0:6B:D0:B2:67:26:BF:AB:AD:5A:87:51:AA:32 SHA-160: 19:67:F9:8B:DF:52:24:4A:61:4D:76:1C:79:2E:4B:5B:8E:A8:AA:E1 ******************************************* |
Here you can see that a public certificate that we exported is ” Valid from: Wednesday April 23, 2008 until: Tuesday July 22, 2008″, hence 90 days. That means it will need to be changed in 90 days, which would also, of course mean you would have to issue a new certificate to all your contacts in 90 days. In order to change this time frame, when generating a keystore, just add a “-validity <number of days>”when generating keys:
$ keytool -genkey -alias otherguy -keypass p@ssw0rd -keystore our.keystore -validity 3600 |
that would create a pair valid for 3600 days from the current date.
What if somebody wants to share secret with you? Well, now you are ready! :)