Difference between Entry Type "keyEntry" and "trustedCertEntry" in a keystore

bluefoggy · Feb 16, 2015 · Viewed 28.4k times

I don't have much knowledge in this area, but I have still tried to do things by googling. Here is the problem I am facing.

Case 1(Works):

I have a CA signed certificate and I would like to use it in my Web Application. I first created a keystore. I see that it creates an entry type "keyEntry" in the keystore. Then I import the CA signed certificate to the keystore created.

Here are the steps:

keytool -genkeypair  -keystore keystore.jks

I see an entry in the keystore of type "keyEntry" with alias "mykey".

Now I import the certificate:

keytool -importcert -alias abc -file cert.crt -keystore keystore.jks

Now I see another entry of type "trustedCertEntry".

With this keystore I am able to access my web application when I uploaded it.

Case 2 (doesn't work):

I create a keystore on the fly while importing the certificate.

keytool -importcert  -alias abc -file cert.crt -keystore keystore2.jks

Here I see only one entry type, which is "trustedCertEntry".

With this keystore I am not able to access my web application.

Question:

What are the key entry types "keyEntry" and "trustedCertEntry", and why does my keystore work only when I have the entry type "keyEntry"?

Answer

duct_tape_coder · Feb 1, 2016

My understanding of keytool is tenuous at best but I think the trick is that with Case 2, by omitting the -genkeypair, you're not generating the necessary private key.

In Case 1, the steps you're using are: create a private key pair (public key and private key), and then import a certificate into the trusted certificates for the keystore. Presumably you have another certificate in the keystore that's joining with the private key though it's possible the trusted cert is acting as the cert or your application isn't using a joined keypair/cert in the same file.

I can say that a 'trustedCertEntry' is a certificate which is trusted by the keystore. This is essential for allowing certificate chains (ex: Root-CA signs Intermediate-CA1 which signs End-Cert1. Without having both Root-CA and Intermediate-CA1 as trustedCertEntry, the keystore doesn't trust the end cert). TrustedCertEntries do not have private keys associated with them, only the public key the certificate contains.

A keyEntry (I think!) is a public/private key pair without the certificate.

A privateKeyEntry is a public/private key pair with an associated CA-signed or self-signed certificate.
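A quick way to check which of the two cases you are in, as an added example that is not part of the question or the answer above: the program below opens a JKS keystore, reports for every alias whether it is a PrivateKeyEntry (what newer keytool prints for the question's "keyEntry") or a TrustedCertificateEntry ("trustedCertEntry"), and then asks the JSSE key manager whether it would find any alias to present as a TLS server certificate. A keystore built only with -importcert (Case 2) yields no such alias, which is why a TLS listener backed by it cannot serve. The keystore path and password are assumed command-line arguments, and the key password is assumed to equal the keystore password, which is what keytool -genkeypair uses when you accept its default.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Added example (not from the question or the answer). Inspects a JKS keystore
 * and tells you whether it holds something a TLS server can actually use.
 *
 * Usage (path and password are assumed arguments):
 *   java KeyStoreEntries keystore.jks changeit
 *   java KeyStoreEntries keystore2.jks changeit
 */
public class KeyStoreEntries {

    /** Aliases that carry a private key plus certificate chain, i.e. PrivateKeyEntry. */
    static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                out.add(alias);
            }
        }
        return out;
    }

    /** Human-readable entry type, using both the API name and the keytool label. */
    static String describe(KeyStore ks, String alias) throws Exception {
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            return "PrivateKeyEntry (keytool: keyEntry / PrivateKeyEntry)";
        }
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            return "TrustedCertificateEntry (keytool: trustedCertEntry)";
        }
        return "other (e.g. SecretKeyEntry)";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeyStoreEntries <keystore.jks> <password>");
            System.exit(2);
        }
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS"); // the question's files are .jks
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }

        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "n/a";
            // getCertificateChain() is null for a trustedCertEntry: no key, no chain.
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.printf("%-10s %-52s chainLength=%d subject=%s%n",
                    alias, describe(ks, alias), chain == null ? 0 : chain.length, subject);
        }

        System.out.println("private-key aliases: " + privateKeyAliases(ks));

        // Same check a TLS server does at startup: can the key manager pick a server cert?
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw); // assumes key password == keystore password
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                X509KeyManager x = (X509KeyManager) km;
                for (String keyType : new String[] {"RSA", "EC"}) {
                    String chosen = x.chooseServerAlias(keyType, null, null);
                    System.out.println("server alias for " + keyType + " keys: "
                            + (chosen == null ? "NONE (no PrivateKeyEntry usable for TLS)" : chosen));
                }
            }
        }
    }
}
```

Run it against both keystores from the question: keystore.jks should list the "mykey" alias as a PrivateKeyEntry with a chain length of 1 and report a chosen server alias, while keystore2.jks lists only the "abc" trustedCertEntry with no chain and reports NONE for every key type. Note that the CA-signed certificate imported under a separate alias does not attach to the private key at all; to serve the CA-signed certificate rather than the self-signed one, the reply certificate has to be imported under the same alias as the key pair so that it replaces that entry's chain.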