How to Check Certificate Name and Alias in Keystore Files

How to check certificate name and alias in keystore files?

You can run the following command to list the content of your keystore file (and alias name):

keytool -v -list -keystore .keystore

If you are looking for a specific alias, you can also specify it in the command:

keytool -list -keystore .keystore -alias foo

If the alias is not found, it will display an exception:

keytool error: java.lang.Exception: Alias does not exist

Understanding keystore, certificates and alias

The keystore file generated by Keytool stores pairs of private and public keys. Each pair or entry stored in the keystore is referred to by a unique alias. In brief:

Keystore entry = private + public key pair = identified by an alias

The keystore protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password.

For instance, when you sign an Android application using the Export Signed Application Package option of the Eclipse Android tool, you are asked to select a keystore first, and then asked to select a single alias/entry/pair from that keystore. After providing the passwords for both the keystore and the chosen alias, the app is signed and the public key (the certificate) for that alias is embedded into the APK.

Now to answer your question, you can only release an update to an application that was signed with the alias 'foo' by signing the update again with the same alias. Losing the keystore where your alias is stored would prevent you from releasing an updated version of your app.

There is however a way to sign an app with a new alias, but it involves cloning an existing alias in the keystore using keytool -keyclone:

Creates a new keystore entry, which has the same private key and certificate chain as the original entry.

The original entry is identified by alias (which defaults to "mykey" if not provided). The new (destination) entry is identified by dest_alias. If no destination alias is supplied at the command line, the user is prompted for it.

If the private key password is different from the keystore password, then the entry will only be cloned if a valid keypass is supplied. This is the password used to protect the private key associated with alias. If no key password is supplied at the command line, and the private key password is different from the keystore password, the user is prompted for it. The private key in the cloned entry may be protected with a different password, if desired. If no -new option is supplied at the command line, the user is prompted for the new entry's password (and may choose to let it be the same as for the cloned entry's private key).

More information:

http://download.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html

http://developer.android.com/guide/publishing/app-signing.html

How do I know which alias contains the certificate and private key in a Java keystore?

The alias used for Certificate does not have to correspond to the Private Key. So, you would have to take your chances.

Edit:

I haven't really tried this out. But it really shouldn't matter because a Certificate depends on the Public-Private Key. Passwords given in the keystore are just a way to secure them and give them only to a trusted user. So, I would suggest you generate the certificate and compare it with the other ones using the getEncoded method. This would give you the binaries and you could compare them.
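As an added example (not code from either answer), here is a small Python parser for the `keytool -v -list` output discussed above. It reports each alias's entry type and SHA-256 certificate fingerprint, so you can tell which alias actually holds a private key (`PrivateKeyEntry`) rather than only a trusted certificate, and find the alias whose certificate matches a fingerprint obtained elsewhere (for example from a signed APK). The keystore listing embedded below is constructed sample output trimmed to the lines the parser reads, not a real keystore.

```python
import re

FP = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"

# Constructed sample of `keytool -v -list -keystore .keystore` output (not a real
# keystore); only the lines the parser reads are kept.
SAMPLE_LISTING = f"""Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: foo
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Example App, O=Example Inc, C=US
Certificate fingerprints:
\t SHA256: {FP}
*******************************************
Alias name: bar
Entry type: trustedCertEntry
Owner: CN=Example App, O=Example Inc, C=US
Certificate fingerprints:
\t SHA256: {FP}
"""


def parse_keytool_listing(text):
    """Split `keytool -v -list` output into {alias: {entry_type, owner, sha256}}."""
    entries = {}
    # Each entry starts with "Alias name:"; chunk 0 is the keystore header, skipped.
    for chunk in re.split(r"^Alias name: ", text, flags=re.MULTILINE)[1:]:
        alias, _, body = chunk.partition("\n")
        fields = {"entry_type": None, "owner": None, "sha256": None}
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("Entry type:"):
                fields["entry_type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Owner:") and fields["owner"] is None:
                fields["owner"] = line.split(":", 1)[1].strip()  # first cert = leaf
            elif line.startswith("SHA256:") and fields["sha256"] is None:
                fields["sha256"] = line.split(":", 1)[1].strip().upper()
        entries[alias.strip()] = fields
    return entries


def private_key_aliases(entries):
    # Only PrivateKeyEntry aliases can be used to sign; trustedCertEntry cannot.
    return sorted(a for a, f in entries.items() if f["entry_type"] == "PrivateKeyEntry")


def aliases_with_fingerprint(entries, sha256):
    want = sha256.replace(":", "").upper()  # accept colon-separated or bare hex
    return sorted(a for a, f in entries.items()
                  if f["sha256"] and f["sha256"].replace(":", "") == want)
```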
