The Keystore Manager tool is a repository of security certificates, either authorization certificates or public key certificates, plus corresponding private keys.

The goal of this tool is to provide applications with a secure way to handle user keys and certificates without needing to expose the password. To do that, the Keystore Manager keeps the keystore password secured and makes it available only upon application request, to be used in the cryptographic library.

The tool can be accessed by clicking the keystore tool icon on the applications bar:

1 Keystore

Keystore is a key and certificate management tool that is used to manipulate Java Keystores. A Keystore is a container for authorization certificates or public key certificates, and is used for authentication. Its entries are protected by a keystore password. A keystore entry is identified by an alias, and it consists of keys and certificates that form a trust chain.

There are various different types of KeyStore:

  • JKS Java KeyStore: Oracle's KeyStore format.
  • JCEKS Java Cryptography Extension KeyStore: More secure version of JKS.
  • PKCS #12 Public-Key Cryptography Standards #12 KeyStore: RSA's KeyStore format.
  • BKS Bouncy Castle KeyStore: Bouncy Castle's version of JKS.
  • BKS-V1: Older and incompatible version of the Bouncy Castle KeyStore.
  • UBER Bouncy Castle UBER KeyStore: More secure version of BKS.

1.1 Keystore Entries

Keystores may have different types of entries. The two most applicable entry types for keytool include:

  • Key entries: each holds very sensitive cryptographic key information, which is stored in a protected format to prevent unauthorized access. Typically, a key stored in this type of entry is a secret key, or a private key accompanied by the certificate "chain" for the corresponding public key.
  • Trusted certificate entries: each contains a single public key certificate belonging to another party. It is called a "trusted certificate" because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the "subject" (owner) of the certificate.

Each entry in a KeyStore is identified by a different alias or entry name. Entries also store their last modified date/time.

Key Pair entries are also password protected. A password is required to access the private key part of a Key Pair entry.

1.2 Key Pairs

A Key Pair contains a private key and its associated certificate chain. Key Pairs can be used to digitally sign objects.

As the private key part of the Key Pair should remain secret, Key Pair entries are normally protected by a password.

To access the private key the entry must be unlocked by supplying the correct password.

Once a Key Pair entry has been unlocked it does not need to be unlocked again. A Key Pair entry may be unlocked explicitly or as part of an operation that requires the private key.

A Key Pair must be unlocked to utilize it for operations such as digital signing or to view or export the private key.

1.3 Certificate

A certificate (also known as a public-key certificate) is a digitally signed statement from one entity (person, company, etc.), saying that the public key (and some other information) of some other entity has a particular value. When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.

1.3.1 Certificate terms

Public Keys

These are numbers associated with a particular entity, and are intended to be known to everyone who needs to have trusted interactions with that entity. Public keys are used to verify signatures.

Digitally Signed

If some data is digitally signed it has been stored with the "identity" of an entity, and a signature that proves that entity knows about the data. The data is rendered unforgeable by signing with the entity's private key.

Identity

A known way of addressing an entity. In some systems the identity is the public key, in others it can be anything from a Unix UID to an Email address to an X.509 Distinguished Name.

Signature

A signature is computed over some data using the private key of an entity (the signer, which in the case of a certificate is also known as the issuer).

Private Keys

These are numbers, each of which is supposed to be known only to the particular entity whose private key it is (that is, it's supposed to be kept secret). Private and public keys exist in pairs in all public key cryptography systems (also referred to as "public key crypto systems"). In a typical public key crypto system, such as DSA, a private key corresponds to exactly one public key. Private keys are used to compute signatures.

Entity

An entity is a person, organization, program, computer, business, bank, or something else you are trusting to some degree.

To learn more about certificates and their terminology, visit this link

You can read more about Keystore in:

2 User Interface Overview

When you access the Keystore Manager you will see the list of your existing keystore files. You can either select one to inspect or proceed to create or import a new one.

2.1 Home page

On the home page you will find the keystores that you belong to or that you own.

At the top right corner of the table you will find two buttons:

  • Import: Imports an existing Keystore into Keystore Manager.
  • Create: Creates a new Keystore in Keystore Manager.

The keystores are displayed as a table with the following columns:

  • Id: Unique identifier of keystore.
  • Name: Keystore name.
  • Description: A small description to talk about the use of this particular keystore.
  • Type: Keystore type. It can be one of these options: JKS, JCEKS, PKCS #12, BKS or UBER.
  • Size: Keystore size.
  • Start date: The active start date of this keystore.
  • End date: The expiration date for this keystore.
  • Status: Keystore status, Active or Inactive.
  • Lock Status: Locked or Unlocked for Keystore

2.2 Keystore page

The Keystore page is divided into boxes to create an intuitive UI.

The main elements of the interface are described in the following sections:

2.2.1 Toolbar

In the toolbar you will find the following elements:

  • Breadcrumb: Navigation element. It lets you keep track of your current location inside Keystore Manager.
  • Keystore name: Displays the name of the keystore you are currently in.
  • Actions: Basic operations such as modify, change password, download and create entries can be found under these buttons.

2.2.2 Overview

The overview section shows the keystore type, the description and the availability dates.

2.2.3 Entries

The entries contained within the currently active KeyStore are displayed as a table with the following columns:

  • Type: Key Pair is represented with a key icon, Certificate is represented with a document icon.
  • Lock Status: Locked or Unlocked for Key Pair entries.
  • Certificate Expiry Status: Unexpired or Expired for Trusted Certificate and Key Pair entries.
  • Entry Name: Entry's alias name
  • Algorithm: Entry's key algorithm
  • Key size: Entry's size
  • Certificate Expiry not before: Entry's certificate start date.
  • Certificate Expiry: Entry's certificate expiry date and time.
  • Last Modified: Entry's last modification date and time.
  • Actions: Entry's actions

Entry information

Operations specific to a KeyStore entry can be accessed by selecting the entry in the table and then choosing the required operation from the top right buttons.

The options available in the pop-up menu differ depending on the KeyStore entry type.

For example, Trusted Certificate entries can be examined, deleted or renamed. Key Pair entries can additionally have their passwords set, be used to generate CSRs, etc. Key entries can be deleted.

Entries actions

Note that specific actions, such as viewing the private key or the public key, require entering the entry password.

2.2.4 Users

Table listing the users that can access this keystore and perform operations.

See Share Keystore for how to add new users.

2.2.5 Logs

Table recording each modification made to the keystore and its entries.

2.2.6 Advanced options

List of advanced options. It contains the delete button.

See Delete Keystore for how to delete a keystore.

 

3 Create a new Keystore

To create a new KeyStore:

  1. From the home page, click on Create.
  2. A stepper dialog will appear. Add the keystore name, password and an optional description.

  3. Select the desired KeyStore Type using the slider:

    • JKS Java KeyStore.
    • JCEKS Java Cryptography Extension KeyStore.
    • PKCS #12 Public-Key Cryptography Standards #12 KeyStore.
    • BKS Bouncy Castle KeyStore.
    • BKS-V1 Bouncy Castle KeyStore version 1.
    • UBER Bouncy Castle UBER KeyStore.
  4. Share the Keystore with others.

  5. Check that the provided information is correct.

  6. Press the Create button.
  7. The new KeyStore will appear in the home page.
 

4 Import a KeyStore

To import an existing KeyStore:

  1. From the home page, at the top right corner, click the button Import.

  2. The import dialog will appear.

    1. In the file input, choose your Keystore file.
    2. The alias field will be filled in automatically based on the keystore file name. You can change it if you want.
    3. In the password field you need to provide the password of the keystore.
  3. The imported KeyStore will appear in the home page.

Keystore Type

Note: KeyStore Manager supports five KeyStore types:

  • JKS
  • JCEKS
  • PKCS #12
  • BKS
  • UBER

Attempting to open KeyStore files of any other type will result in an error.
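The import dialog relies on the declared type and the keystore password, but the file header can already tell you whether a file is what the user claims it is. The following added example (not part of the Keystore Manager code base) recognises the three types that carry a recognisable header: JKS and JCEKS by their magic numbers (0xFEEDFEED and 0xCECECECE in the JDK keystore implementations) and PKCS #12 by its DER framing (a SEQUENCE whose first element is the INTEGER version 3). BKS and UBER have no fixed magic, so for those the declared type is accepted as-is. The sample byte strings are constructed for the example and are not complete keystores; `check_import` and `import_is_rejected` are hypothetical helper names.

```python
import struct
from typing import Optional

# Magic numbers used by the JDK keystore implementations (JKS and JCEKS).
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE

# The five types the page says Keystore Manager accepts on import.
SUPPORTED_TYPES = ("JKS", "JCEKS", "PKCS #12", "BKS", "UBER")


def _der_length(data: bytes, pos: int):
    """Decode a DER length field at data[pos]; return (length, next_pos) or None."""
    if pos >= len(data):
        return None
    first = data[pos]
    if first < 0x80:                       # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or pos + 1 + n > len(data):
        return None
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _looks_like_pkcs12(data: bytes) -> bool:
    """A PKCS #12 file is a DER SEQUENCE whose first element is INTEGER 3 (the version)."""
    if not data or data[0] != 0x30:
        return False
    parsed = _der_length(data, 1)
    if parsed is None:
        return False
    _, pos = parsed
    return data[pos:pos + 3] == b"\x02\x01\x03"


def detect_keystore_type(data: bytes) -> Optional[str]:
    """Return "JKS", "JCEKS" or "PKCS #12", or None when no known header is present.

    BKS, BKS-V1 and UBER carry no fixed magic number, so they cannot be
    distinguished from arbitrary bytes by inspecting the header alone.
    """
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if magic == JKS_MAGIC and version in (1, 2):
            return "JKS"
        if magic == JCEKS_MAGIC and version in (1, 2):
            return "JCEKS"
    if _looks_like_pkcs12(data):
        return "PKCS #12"
    return None


def check_import(data: bytes, declared_type: str) -> str:
    """Hypothetical import check: reject unsupported types and header mismatches."""
    if declared_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported keystore type: {declared_type}")
    detected = detect_keystore_type(data)
    if detected is not None and detected != declared_type:
        raise ValueError(f"file header looks like {detected}, not {declared_type}")
    return declared_type if detected is None else detected


def import_is_rejected(data: bytes, declared_type: str) -> bool:
    """True when check_import() raises, i.e. the tool would show an import error."""
    try:
        check_import(data, declared_type)
    except ValueError:
        return True
    return False


# Constructed samples: only the headers are meaningful, the rest is padding.
SAMPLE_JKS = bytes.fromhex("feedfeed0000000200000000")     # magic, version 2, 0 entries
SAMPLE_JCEKS = bytes.fromhex("cececece0000000200000000")   # magic, version 2, 0 entries
SAMPLE_P12 = b"\x30\x82\x01\x00\x02\x01\x03" + b"\x00" * 16  # SEQUENCE, INTEGER 3
SAMPLE_JUNK = b"not a keystore at all"

if __name__ == "__main__":
    for name, blob in [("jks", SAMPLE_JKS), ("jceks", SAMPLE_JCEKS),
                       ("p12", SAMPLE_P12), ("junk", SAMPLE_JUNK)]:
        print(name, "->", detect_keystore_type(blob))
```

Because the header check runs before any password is needed, a mismatch between the file and the declared type can be reported without ever attempting to open the keystore.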

5 Manage a Keystore

This section describes how to manage a keystore and its common actions:

 

5.1 Create and Import Keystore Entries

This section covers the actions that are related to generating key pairs and certificates, and importing certificates.

5.1.1 Generate a Key Pair

To generate a Key Pair:

  1. From the Keystore page toolbar, click on actions and choose Generate Key Pair.

  2. The Generate Key Pair dialog will be displayed. Enter the alias for the new Key Pair entry and password, then press the Next button.

  3. Select an Algorithm and a Key Size and press the OK button.

    You can choose one of the following algorithms:

    • RSA: An RSA key pair includes a private and a public key. The RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures. The RSA public key is also used for key encryption of DES or AES DATA keys and the RSA private key for key recovery.
    • DSA: A DSA key pair also includes a private and a public key. The DSA private key is used to generate digital signatures, and the DSA public key is used to verify digital signatures.
    • EC: Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
  4. Select a Version and Signature Algorithm and enter a Validity Period, Serial Number and Name.

  5. The new Key Pair entry will appear in the KeyStore Entries table.

5.1.2 Import a Trusted certificate

A Trusted Certificate contains a single certificate. It is called a "trusted certificate" because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the "subject" (owner) of the certificate. The issuer of the certificate vouches for this, by signing the certificate.

To import a Trusted Certificate:

  1. From the Keystore page toolbar, click on actions and choose Import Trusted Certificate.

  2. Select the Trusted Certificate that you want to import and provide an alias.

  3. The imported Trusted Certificate entry will appear in the KeyStore Entries table.

5.1.3 Import a Key Pair

To import a Key Pair:

  1. From the Keystore page toolbar, click on actions and choose Import key pair.

  2. The Import Key Pair dialog will appear.

  3. Select the corresponding cryptography format.

    The following formats require you to import both the private key and the certificate: PKCS8, PVK and OpenSSL.

  4. Enter the alias for the new Key Pair entry.
  5. Enter the password with which to protect the new Key Pair entry.
  6. The new Key Pair entry will appear in the KeyStore Entries table.
 

5.2 Manage entries and certificates

5.2.1 Key Pair

View a Key Pair's Certificate Chain

To view a Key Pair's certificate chain:

  1. Click on the Key Pair entry in the KeyStore Entries table.
  2. The Certificate Details will appear under the keystore entries table.

View a Key Pair's Private Key

To view a Key Pair's private key:

  1. Click on the Key Pair entry in the KeyStore Entries table.
  2. Select Private Key Details

  3. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the Unlock button.

  4. The Private Key Details will appear.

View a Key Pair's Public Key

To view a Key Pair's public key:

  1. Click on the Key Pair entry in the KeyStore Entries table.
  2. Select Public Key Details

  3. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the Unlock button.

  4. The Public Key Details will appear.

Export Key Pair

To export a Key Pair:

  1. Select the Key Pair from the Keystore Entries table.
  2. Click on Actions button menu and select Export Certificate Chain:

  3. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the Unlock button.
  4. The Export Key Pair dialog will be displayed.
  5. Use the radio buttons to choose between exporting as PKCS #12 or as PEM.
  6. If you chose the PKCS #12 format, enter a password to protect the exported PKCS #12 file.
  7. Press the Export button to commence the export.

Export certificate chain

To export a Key Pair's certificate chain:

  1. Select the Key Pair from the Keystore Entries table.
  2. Click on Actions button menu and select Export Certificate Chain:

  3. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the Unlock button.
  4. The Export certificate chain dialog will appear.
  5. Use the Export Length radio buttons to choose whether the Entire Chain of certificates should be exported or the Head Only. The X.509 export format is not available when the entire chain is to be exported.
  6. Select an Export Format. The options available are:

    • X.509: ITU-T standard for public key infrastructure.
    • PKCS #7: RSA public key cryptography standard.
    • PKI Path: Certification path.
    • SPC: Software Publisher Certificate, Microsoft's certificate format.
  7. Check the PEM checkbox if the exported certificate is to be PEM encoded. PEM encoding is not available for PKI Path and SPC format exports.
  8. Press the Export button to commence the export.

Export Public Key

To export Key Pair's Public key:

  1. Select the Key Pair from the Keystore Entries table.
  2. Click on Actions button menu and select Export Public Key:

  3. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the Unlock button.
  4. The export will start automatically and it will be downloaded.

Export Private Key

To export Key Pair's Private key:

  1. Select the Key Pair from the Keystore Entries table.

  2. Click on Actions button menu and select Export Private Key:

  3. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the Unlock button.
  4. The Export Private Key Type dialog will appear.

There are three methods to export a private key:

 
Export a Key Pair's private key as PKCS #8

To export a Key Pair's private key as PKCS #8:

  1. Select the PKCS #8 radio button.
  2. If the exported PKCS #8 private key file is to be unencrypted then uncheck the Encrypt check box.
  3. Check the PEM checkbox if the exported private key is to be PEM encoded.
  4. Alternatively if the PKCS #8 private key file is to be encrypted select an Encryption Algorithm and enter and confirm an Encryption Password. The supported PBE encryption algorithms for export are:

    • PBE with SHA-1 and 2 key DESede
    • PBE with SHA-1 and 3 key DESede
    • PBE with SHA-1 and 40 bit RC2
    • PBE with SHA-1 and 128 bit RC2
    • PBE with SHA-1 and 40 bit RC4
    • PBE with SHA-1 and 128 bit RC4
  5. Enter the encryption password.
  6. Press the Export button to commence the export.
 
Export a Key Pair's private key as PVK

To export a Key Pair's private key as PVK:

  1. Select the PVK radio button.
  2. Select a Key Type of Exchange or Signature.
  3. If the exported PVK private key file is to be unencrypted then uncheck the Encrypt check box.
  4. Alternatively if the PVK private key file is to be encrypted select an Encryption Strength (Strong or Weak) and enter an Encryption Password.
  5. Press the Export button to commence the export.
 
Export a Key Pair's private key as OpenSSL

To export a Key Pair's private key as OpenSSL:

  1. Select the OpenSSL radio button and press the OK button.
  2. If the exported OpenSSL private key file is to be unencrypted then uncheck the Encrypt check box.
  3. Alternatively if the OpenSSL private key file is to be encrypted select an Encryption Algorithm and enter and confirm an Encryption Password. The supported PBE encryption algorithms for export are:

    • PBE with DES CBC
    • PBE with DESede CBC
    • PBE with 128 bit AES CBC
    • PBE with 192 bit AES CBC
    • PBE with 256 bit AES CBC
  4. The PEM option is always selected, since a private key in OpenSSL format must be PEM encoded.
  5. Press the Export button to commence the export.

Generate CSR

TO DO

This section is incomplete and will be concluded as soon as possible.

Sign CSR

TO DO

This section is incomplete and will be concluded as soon as possible.

Change password

To change a Key Pair password:

  1. Click on the key pair in the KeyStore Entries table.
  2. The button Modify will be activated.
  3. The Modify button will show a dropdown list with the following options:

  4. Click on Set password option.
  5. A Password dialog will appear with a text field.

5.2.2 Certificates

View a Trusted Certificate

To view a Trusted Certificate:

  1. Click on the Trusted Certificate entry in the KeyStore Entries table.
  2. The Certificate Details will be displayed automatically.

Export Trusted Certificate's Public Key

To export a Trusted Certificate's public key:

  1. Click on the Trusted Certificate entry in the KeyStore Entries table.
  2. The Actions button will be activated. From the dropdown list select the only option, Export Public Key.

5.2.3 Rename entry

To rename an entry:

  1. Click on the entry in the KeyStore Entries table.
  2. The button Modify will be activated.
  3. The Modify button will show a dropdown list with the following options:

  4. Click on Rename option.
  5. A Rename entry dialog will appear with a text field. Enter the desired name and click Update.

5.2.4 Delete entry

To delete an entry:

  1. Click on the bin button of the entry that you want to delete, in the KeyStore Entries table.
 

5.3 Modify and delete a Keystore

5.3.1 Modify Keystore

To modify the information or password of a Keystore:

  1. Go inside the Keystore that you want to modify.
  2. From Keystore Page, at the top right corner, you will find a Modify button.

    Configuration
    1. If you want to change the configuration, press the Configuration button.
    2. A dialog will appear to modify its name and description.

    Password
    1. If you want to modify the password, press the Password button.
    2. A dialog will appear to modify the password. It will ask for the current password and the new one.

Keystore Type

You can't change the Keystore type.

 

5.3.2 Delete Keystore

At the bottom of the page, inside the Advanced options expansion panel, you will find a button to delete the Keystore.

 

5.4 Share Keystore

To add more users to a keystore:

  1. Go inside the Keystore to which you want to add the user.
  2. At the bottom of the Keystore page you will find a section dedicated to users.

 

5.5 Lock and unlock Keystore

If you want to lock or unlock a keystore you need to go to the home page.

Each row of the table contains a button to change the state (lock or unlock). When you want to unlock the keystore, it will ask you to enter the password.

This password will be stored safely in a table to avoid asking it every time and it will be deleted when you lock the keystore.

6 Application use

You can use the KeyStore Explorer to keep user or company certificates in a secure common repository.

But the main use of the tool is to provide a way to manage cryptographic signatures without exposing user keystore and certificate passwords to programmers. The items in the KeyStore Explorer tool will be accessible by Ax JavaScript functions which will allow reading the keystore properties or using their entries to sign documents.

Please check the documentation about the available Ax JavaScript methods in the following document: Using user KeyStores

7 Extra information

 

7.1 PEM

PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate. PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor. Generally when a PEM encoded file is opened in a text editor, it contains very distinct headers and footers. Below are some examples of different files in PEM format.

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Above is the example of a CSR (certificate signing request) in PEM format. You can see that a PEM file has a header, a body (consisting mainly of Base64 encoded data) and a footer.

The header and footer are what identify the type of file; however, be aware that not all PEM files necessarily include them.

Other types of header and footer :

For CSR certificate:
-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
For RSA:
-----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
For certificate PEM format:
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
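The header and footer pairs above, and the PEM exports described in the private key export sections (PKCS #8 and OpenSSL, optionally encrypted), can be checked mechanically. The added example below is not code from the Keystore Manager project: it parses a PEM file into its blocks, verifies that each BEGIN label matches its END label, decodes the Base64 body to DER, reads the legacy OpenSSL `Proc-Type`/`DEK-Info` header lines that an encrypted OpenSSL export carries, and reports any private key that was exported without encryption. The sample PEM text is constructed for the example and its bodies are not real DER; `PemBlock`, `parse_pem`, `is_valid_pem` and `unprotected_private_keys` are names chosen here.

```python
import base64
import binascii
import re
from typing import Dict, List, NamedTuple

# Header/footer framing as shown on the page: "-----BEGIN <label>-----" ... "-----END <label>-----".
_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

# Labels of private key blocks: the page's RSA label plus the other common ones.
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
                      "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


class PemBlock(NamedTuple):
    label: str            # e.g. "CERTIFICATE", "CERTIFICATE REQUEST", "RSA PRIVATE KEY"
    headers: Dict[str, str]  # RFC 1421 headers such as Proc-Type / DEK-Info, if present
    der: bytes            # decoded body
    encrypted: bool       # True when the block is an encrypted private key


def parse_pem(text: str) -> List[PemBlock]:
    """Split a PEM file into blocks; raise ValueError on framing or Base64 errors."""
    blocks = []
    for match in _BLOCK_RE.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError(f"header {begin!r} does not match footer {end!r}")
        headers: Dict[str, str] = {}
        lines = body.strip().splitlines()
        # Legacy OpenSSL encrypted keys start with "Proc-Type: 4,ENCRYPTED" and a
        # "DEK-Info: <cipher>,<iv>" line, then a blank line, then the Base64 body.
        while lines and ":" in lines[0]:
            name, _, value = lines.pop(0).partition(":")
            headers[name.strip()] = value.strip()
        try:
            der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin}: body is not valid Base64") from exc
        encrypted = (begin == "ENCRYPTED PRIVATE KEY"          # PKCS #8 encrypted export
                     or "ENCRYPTED" in headers.get("Proc-Type", ""))  # OpenSSL encrypted export
        blocks.append(PemBlock(begin, headers, der, encrypted))
    if not blocks:
        raise ValueError("no PEM header/footer pair found")
    return blocks


def is_valid_pem(text: str) -> bool:
    """True when parse_pem() accepts the text."""
    try:
        parse_pem(text)
    except ValueError:
        return False
    return True


def unprotected_private_keys(blocks: List[PemBlock]) -> List[str]:
    """Labels of private keys that were exported with the Encrypt box unchecked."""
    return [b.label for b in blocks if b.label in PRIVATE_KEY_LABELS and not b.encrypted]


def _b64(raw: bytes) -> str:
    return base64.encodebytes(raw).decode()   # 76-column lines, trailing newline


# Constructed sample content (not real DER); only the PEM framing is exercised.
CERT_DER = b"constructed certificate bytes"
KEY_DER = b"constructed rsa key bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + _b64(CERT_DER) + "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + _b64(KEY_DER) + "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n" + _b64(b"constructed ciphertext bytes") + "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for block in parse_pem(SAMPLE_PEM):
        print(block.label, "encrypted" if block.encrypted else "plain", len(block.der), "bytes")
    print("unprotected:", unprotected_private_keys(parse_pem(SAMPLE_PEM)))
```

Running `unprotected_private_keys` over an export before it is stored or shared is a cheap way to catch a private key that left the keystore in clear text; the parser also rejects a block whose BEGIN and END labels disagree, which is the usual symptom of a hand-edited or truncated PEM file.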