25

I was wondering about differences between using OpenSSl or Keytool and generating certificates by them. I think Keytool is used by Java community but for someone who is not remotely connected to Java uses OpenSSL for generating stuff. I mean public key, private key and certificates.

I assume with using OpenSSL you have to generate keys and certificates individually but keytool can generate a keystore that will give you a sort of briefcase that can contain keys+certificates.

Question is: is what I think correct or not?

If it matters, I use windows. And I am referring to: How do I use OpenSSL with the Java Keytool?

Improve this question

3 Answers 3

Reset to default
39

In short, they're both crypto key generation tools, but keytool has the additional feature of manipulating Java's preferred key storage file format, the KeyStore.

Java strongly prefers to work with keys and certificates that are stored in a KeyStore (also called a TrustStore when it's only got certificates in it). It is possible, but not trivial, to get Java to work with straightforward PEM/CER/CRT/PKCS/etc files, so for all intents and purposes if you're coding crypto in Java you're going to use a KeyStore.

Keytool is a tool that comes with Java that works with KeyStores - it can create KeyStores and manipulate keys and certificates inside them. It can also create keys and sign certificates. So it is both a key generation and a KeyStore-file-administration tool.

OpenSSL works with standard formats (PEM/CER/CRT/PKCS/etc) but does not manipulate KeyStore files. It is possible to generate a key and/or certificate with OpenSSL, and then import that key/cert into a KeyStore using keytool, but you can't put the key/cert into the KeyStore directly using OpenSSL.

(OpenSSL also has a wider array of functionality than keytool - performing symmetric encryption, acting as an SSL network client and server, handling more formats. It just doesn't happen to speak KeyStore.)

Improve this answer
8

Both OpenSSL and keytool have the same purpose: generating/storing keys and certificate(s) (chaines). The thing is that Java can only work with certificates/keys contained within its keystore (JKS). Those certificates and keys are generated using the keytool library, not by using openssl.

As you rightly pointed out, keytool will always need a keystore in order to store the certificates and keys it has generated, where this is not the case for openssl. Do note that OpenSSL can also be used to create a similar container, namely PKCS12 (.p12). This is a password protected container containing keys and certificates (just like Java's keystore). However, it's not compatible with Java... You'd need to convert the .p12 container to .jks before your Java application will be able to work on the certificates.

Improve this answer
1
  • 4
    Java>=6 does handle PKCS12 as a keystore format. Some JCE applications only support the JKS format, in which case keytool can convert PKCS12 to JKS; see the manual or help message for -importkeystore or stackoverflow.com/questions/906402/… . It can also convert JKS to PKCS12 if you need that, see the first Related link (#3779) Commented Sep 2, 2015 at 6:56
0

(The Most Common Java Keytool Keystore Commands)

Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file. It protects private keys with a password.

Whereas OpenSSL generates first RSA Private Key (1024 bit RSA key which is encrypted using 3DES and stored in a PEM format so that it is readable as ASCII text). After that, the certificate (CSR) is created

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.