Open in app

Sign in

Write

Sign in

Private Public Keys, Key Stores and Certificates

Prashant Bhardwaj
4 min readNov 7, 2024

--

In today’s digital world, security is paramount. Applications and systems must ensure that data remains private, unaltered, and authentic. This guide explores three core concepts that form the backbone of secure digital communication: private and public keys, key stores, and certificates. We’ll walk through what each of these components is, their uses, and how to generate and work with them.

Private and Public Keys: The Foundation of Security

What are Private and Public Keys?

Private and public keys are two parts of a cryptographic key pair used in encryption and authentication:

  • Private Key: A secret key known only to the owner. It is used to decrypt messages or sign data to prove ownership.
  • Public Key: A key that is freely shared. Others use it to encrypt messages for the private key owner or verify data signed by the private key.

Together, these keys enable asymmetric encryption, where data encrypted with the public key can only be decrypted by the private key, and vice versa. This system is fundamental to secure digital communication.

Uses of Private and Public Keys

  • Encryption and Decryption: Only the private key holder can decrypt messages encrypted with the public key, ensuring confidentiality.
  • Digital Signatures: A message signed with a private key can be verified by others using the public key, ensuring authenticity and integrity.

Generating a Key Pair

To generate a key pair, we can use tools like OpenSSL or keytool.

With OpenSSL:

# Generate a private key
openssl genpkey -algorithm RSA -out private_key.pem -aes256

# Extract the public key from the private key
openssl rsa -pubout -in private_key.pem -out public_key.pem

With keytool (Java’s security tool):

# Generate a key pair and store it in a Java Keystore
keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -keystore mykeystore.jks -storepass mypassword

Certificates: Digital Proof of Identity

What is a Certificate?

A certificate is a digital document that links a public key to the identity of an individual or organization. It is typically issued and signed by a trusted Certificate Authority (CA). The certificate includes the following information:

  • Subject: The entity to whom the certificate is issued (e.g., a domain name or organization).
  • Issuer: The CA that issued the certificate.
  • Public Key: The public key linked to the subject.
  • Validity Period: The dates between which the certificate is valid.
  • Signature: A digital signature from the CA, confirming the certificate’s authenticity.

Uses of Certificates

Certificates serve two main purposes:

  1. Authentication: They allow one party to verify the identity of another party, ensuring that they’re communicating with the intended entity.
  2. Secure Communication: Certificates enable TLS/SSL encryption for websites and applications, protecting data exchanged over the internet.

Generating a Certificate Signing Request (CSR)

A CSR is a request to a CA to issue a certificate. It includes the public key and identity information of the requester.

With OpenSSL:

openssl req -new -key private_key.pem -out myrequest.csr

With keytool:

keytool -certreq -alias myalias -keystore mykeystore.jks -file myrequest.csr -storepass mypassword

Obtaining a Certificate

Once the CSR is generated, it can be submitted to a CA (e.g., Let’s Encrypt, DigiCert) for signing. The CA verifies the request and issues a certificate, often in .cer or .crt format.

Example of a Certificate File

Certificates are typically encoded in Base64 within a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- block. This format is known as PEM.

-----BEGIN CERTIFICATE-----
MIIC+zCCAmOgAwIBAgI...
-----END CERTIFICATE-----

Key Stores: Secure Storage for Keys and Certificates

What is a Key Store?

A keystore is a secure repository for storing cryptographic keys and certificates. Java, for instance, uses Java KeyStores (JKS), which can contain:

  • Private Key Entries: Include a private key and the associated certificate chain.
  • Trusted Certificate Entries: Store certificates (public keys only) that the application trusts, such as root or intermediate certificates.

Keystores allow applications to securely manage and access keys and certificates without exposing sensitive data.

Uses of a Key Store

  • Secure Storage: Keystores securely store private keys, protecting them with passwords.
  • Ease of Access: Keystores organize keys and certificates by aliases, allowing applications to retrieve and use them easily.
  • Authentication and Encryption: Keystores enable applications to authenticate using certificates and perform encrypted communication.

Creating and Using a Key Store

With keytool:

Generate a Keystore:

keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -keystore mykeystore.jks -storepass mypassword

Import a Certificate: If you receive a certificate from a CA, you may need to import it into the keystore:

keytool -import -alias mycert -file mycertificate.cer -keystore mykeystore.jks -storepass mypassword

View Keystore Entries:

keytool -list -keystore mykeystore.jks -storepass mypassword

Using Keys and Certificates in Applications

Example Use Case: Secure Communication

Suppose you have a Java application that needs to communicate securely with another service. You would use the private key and certificate from your keystore to perform mutual TLS authentication:

Loading the Keystore in Java:

KeyStore keystore = KeyStore.getInstance("JKS"); 
keystore.load(new FileInputStream("/path/to/mykeystore.jks"), "mypassword".toCharArray());

Accessing the Private Key and Certificate:

PrivateKey privateKey = (PrivateKey) keystore.getKey("myalias", "mypassword".toCharArray()); 
Certificate certificate = keystore.getCertificate("myalias");

Using the Key and Certificate: The application can use the private key to sign requests, authenticate itself, and establish a secure connection.

Storing Keystores Securely

In production, keystores and secrets should be managed securely:

  • Cloud Secret Managers: Use cloud-based tools like AWS Secrets Manager to securely store keystore passwords and retrieve them at runtime.
  • Avoid Hardcoding Passwords: Use environment variables or secret management tools to avoid hardcoding sensitive data.

Summary

  • Private and Public Keys are fundamental for encrypting data and verifying identities.
  • Certificates are digital documents linking a public key to an entity, providing proof of identity and enabling secure communication.
  • Key Stores securely store keys and certificates, making them accessible to applications while maintaining security.

By combining these tools, applications can ensure secure, authenticated, and encrypted communication in a connected digital world. Whether you’re setting up an HTTPS-enabled server, implementing mutual TLS, or protecting application secrets, understanding these core concepts is key to building secure and trustworthy systems.

Ssl Certificate
Private Key
Keytool
Openssl

--

--

Prashant Bhardwaj
Prashant Bhardwaj

Written by Prashant Bhardwaj

4 Followers
4 Following

Masters in Business Administration and in Computer Application 🌐 https://prashantbhardwaj.com

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams