Key Pairs


A Key Pair contains a private key and its associated certificate chain. Key Pairs can be used to digitally sign objects such as Java applications. Key Pair entries are represented in KeyStore Explorer by their own icon.

As the private key part of the Key Pair should remain secret, Key Pair entries are normally protected by a password. In KeyStore Explorer such entries are described as being locked and have a closed padlock displayed against them.

To access the private key the entry must be unlocked (see next chapter) by supplying the correct password. If an entry is successfully unlocked then an open padlock is displayed against it.

If a Key Pair entry is unlocked once during a KeyStore Explorer session it does not need to be unlocked again. A Key Pair entry may be unlocked explicitly or as part of an operation that requires the private key.

A Key Pair must be unlocked to utilize it for operations such as digital signing or to view or export the private key.

Unlock a Key Pair


To unlock a Key Pair:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select Unlock from the pop-up menu.
  2. The Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Key Pair entry's lock status will be changed to unlocked in the KeyStore Entries table.

View a Key Pair's Certificate Chain


To view a Key Pair's certificate chain:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the View Details sub-menu from the pop-up menu and from there choose Certificate Chain Details. Alternatively, double-click the Key Pair entry.
  2. The Certificate Details dialog will appear. After viewing the details close the dialog by pressing the OK button.

View a Key Pair's Private Key


To view a Key Pair's private key:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the View Details sub-menu from the pop-up menu and from there choose Private Key Details.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Private Key Details dialog will appear. After viewing the details close the dialog by pressing the OK button.

View a Key Pair's Public Key


To view a Key Pair's public key:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the View Details sub-menu from the pop-up menu and from there choose Public Key Details.
  2. The Public Key Details dialog will appear. After viewing the details close the dialog by pressing the OK button.

Generate a Key Pair


To generate a Key Pair:
  1. From the Tools menu, choose Generate Key Pair. Alternatively, click on the Generate Key Pair tool bar button.
  2. The Generate Key Pair dialog will be displayed. Select an Algorithm and a Key Size and press the OK button.
  3. The Generating Key Pair dialog will be displayed and will remain visible until Key Pair generation has completed. For larger key sizes this may be quite some time.
  4. The Generate Key Pair Certificate dialog will be displayed.
  5. Select a Version and Signature Algorithm and enter a Validity Period, Serial Number and Name.
  6. Optionally, for a version 3 certificate, add certificate extensions by clicking on the Add Extensions button.
  7. Press the OK button.
  8. The New Key Pair Entry Alias dialog will be displayed.
  9. Enter the alias for the new Key Pair entry and press the OK button.
  10. If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
  11. The new Key Pair entry will appear in the KeyStore Entries table.

Generate a CSR


To generate a CSR for a Key Pair:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select Generate CSR from the pop-up menu.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Generate CSR dialog is displayed. Select a Format and Signature Algorithm and enter a Challenge.
  4. For PKCS#10 format you can optionally enter a company name (which becomes an "unstructuredName" attribute in the request) and/or add the extensions from the certificate to the request. The latter is useful for SSL certificates with SubjectAlternativeName extensions.
  5. Use the Browse button to select a CSR File.
  6. Press the OK button to commence generation and produce the CSR.

Import a CA Reply


To import a CA Reply into a Key Pair:
  1. Select the drive and folder where the CA Reply file is stored.
  2. Click on the required CA Reply file or type the filename into the File Name text box.
  3. Click on the Import button.
  4. If the Import CA Reply Trust Check is enabled and the CA Reply file contains a single certificate:
    • If KeyStore Explorer can establish a trust path between the certificate and an existing self-signed Trusted Certificate in your KeyStore or the Authority Certificates then the import will continue. Otherwise it will fail at this point.
  5. Alternatively if the Import CA Reply Trust Check is enabled and the CA Reply file contains a chain of certificates:
    1. KeyStore Explorer will attempt to match the reply's root CA to an existing Trusted Certificate in your KeyStore or the Authority Certificates.
    2. If it cannot then the Certificate Details dialog will appear displaying the details of the reply's root CA certificate for you to verify.
    3. After viewing the details close the dialog by pressing the OK button.
    4. A further dialog will appear asking if you wish to accept the certificate.
    5. Press the Yes button if you wish to trust the certificate and import the CA Reply and No if you do not. If you reply No the import will fail at this point.
  6. The Key Pair entry will be updated to reflect the content of the CA Reply.

Get a Key Pair Signed by a CA (Certificate Authority)


To get a Key Pair signed by a CA:
  1. First create a new KeyStore.
  2. Either import an existing Key Pair into the KeyStore or generate a new Key Pair in the KeyStore.
  3. Next generate a CSR (Certificate Signing Request) file from the Key Pair.
  4. Send the CSR file to a CA for signing. Each CA has different procedures for signing certificates and will charge a fee. Check the CA's web site for details.
  5. The CA will send back a CA Reply. This will most likely take the form of a file with the extension p7r or cer.
  6. Import the CA Reply into the original Key Pair.
  7. The Key Pair has now been signed by the CA. View the Key Pair's certificate chain. Your certificate, at the end of the chain, will contain the CA's details in the issuer field.
  8. Finally save the KeyStore.

Append to Certificate Chain


To append a certificate to the end of a Key Pair's Certificate Chain:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the Edit Certificate Chain sub-menu from the pop-up menu and from there choose Append Certificate.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Append Certificate dialog will appear.
  4. Select the drive and folder where the certificate file to be appended is stored.
  5. Click on the required certificate file or type the filename into the File Name text box.
  6. Click on the Append button.
  7. For the append to succeed, the chosen certificate's private key must have been used to sign the end certificate of the chain. An indication that this is the case is if the chosen certificate's subject is identical to the end certificate's issuer.
  8. If the append is successful the Key Pair entry's certificate chain will be updated to include the appended certificate.

Remove from Certificate Chain


To remove a certificate from the end of a Key Pair's Certificate Chain:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the Edit Certificate Chain sub-menu from the pop-up menu and from there choose Remove Certificate.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. For the removal to succeed, the certificate chain must contain more than one certificate.
  4. If the removal is successful the Key Pair entry's certificate chain will be updated to remove the end certificate.

Import a Key Pair


A Key Pair can be imported from a variety of source formats.

Import a Key Pair from PKCS #12


To import a Key Pair from PKCS #12:
  1. From the Tools menu, choose Import Key Pair. Alternatively, click on the Import Key Pair tool bar button.
  2. The Import Key Pair Type dialog will appear.
  3. Select the PKCS #12 radio button and press the OK button.
  4. The Import PKCS #12 Key Pair dialog will appear.
  5. Enter the decryption password for the PKCS #12 file into the Decryption Password field.
  6. Use the Browse button to select the PKCS #12 key pair file and the Details button to examine your choice.
  7. If after examination you decide to import the Key Pair press the Import button. Otherwise use the Cancel button to halt the import.
  8. The New Key Pair Entry Alias dialog will be displayed.
  9. Enter the alias for the new Key Pair entry and press the OK button.
  10. If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
  11. The new Key Pair entry will appear in the KeyStore Entries table.

Import a Key Pair from PKCS #8 and Certificates


To import a Key Pair from PKCS #8 and Certificates:
  1. From the Tools menu, choose Import Key Pair. Alternatively, click on the Import Key Pair tool bar button.
  2. The Import Key Pair Type dialog will appear.
  3. Select the PKCS #8 radio button and press the OK button.
  4. The Import PKCS #8 Key Pair dialog will appear.
  5. If the PKCS #8 private key file is unencrypted then uncheck the Encrypted Private Key check box.
  6. Alternatively if the PKCS #8 private key file is encrypted enter the decryption password into the Decryption Password field. The supported PBE encryption algorithms for import are:
    • PBE with SHA-1 and 2 key DESede
    • PBE with SHA-1 and 3 key DESede
    • PBE with SHA-1 and 40 bit RC2
    • PBE with SHA-1 and 128 bit RC2
    • PBE with SHA-1 and 40 bit RC4
    • PBE with SHA-1 and 128 bit RC4
  7. Use the Browse buttons to select private key and certificates files and the Details buttons to examine your choices.
  8. If after examination you decide to import the Key Pair press the Import button. Otherwise use the Cancel button to halt the import.
  9. The New Key Pair Entry Alias dialog will be displayed.
  10. Enter the alias for the new Key Pair entry and press the OK button.
  11. If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
  12. The new Key Pair entry will appear in the KeyStore Entries table.

Import a Key Pair from PVK and Certificates


To import a Key Pair from PVK and Certificates:
  1. From the Tools menu, choose Import Key Pair. Alternatively, click on the Import Key Pair tool bar button.
  2. The Import Key Pair Type dialog will appear.
  3. Select the PVK radio button and press the OK button.
  4. The Import PVK Key Pair dialog will appear.
  5. If the PVK private key file is unencrypted then uncheck the Encrypted Private Key check box.
  6. Alternatively if the PVK private key file is encrypted enter the decryption password into the Decryption Password field.
  7. Use the Browse buttons to select private key and certificates files and the Details buttons to examine your choices.
  8. If after examination you decide to import the Key Pair press the Import button. Otherwise use the Cancel button to halt the import.
  9. The New Key Pair Entry Alias dialog will be displayed.
  10. Enter the alias for the new Key Pair entry and press the OK button.
  11. If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
  12. The new Key Pair entry will appear in the KeyStore Entries table.

Import a Key Pair from OpenSSL and Certificates


To import a Key Pair from OpenSSL and Certificates:
  1. From the Tools menu, choose Import Key Pair. Alternatively, click on the Import Key Pair tool bar button.
  2. The Import Key Pair Type dialog will appear.
  3. Select the OpenSSL radio button and press the OK button.
  4. The Import OpenSSL Key Pair dialog will appear.
  5. If the OpenSSL private key file is unencrypted then uncheck the Encrypted Private Key check box.
  6. Alternatively if the OpenSSL private key file is encrypted enter the decryption password into the Decryption Password field. The supported PBE encryption algorithms for import are:
    • PBE with DES CBC
    • PBE with DESede CBC
    • PBE with 128 bit AES CBC
    • PBE with 192 bit AES CBC
    • PBE with 256 bit AES CBC
  7. Use the Browse buttons to select private key and certificates files and the Details buttons to examine your choices.
  8. If after examination you decide to import the Key Pair press the Import button. Otherwise use the Cancel button to halt the import.
  9. The New Key Pair Entry Alias dialog will be displayed.
  10. Enter the alias for the new Key Pair entry and press the OK button.
  11. If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
  12. The new Key Pair entry will appear in the KeyStore Entries table.
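
A pre-import check for the PKCS #8 and OpenSSL import types above, as an added example (not KeyStore Explorer code): it reads a PEM private key, reports which import type and Encrypted Private Key setting apply, and names the PBE algorithm so it can be compared with the supported lists. It assumes the OpenSSL type is OpenSSL's traditional PEM format with Proc-Type/DEK-Info headers and handles PEM input only; the function names and sample keys are constructed for illustration.

```python
import base64
import re

# PKCS #12 PBE OIDs 1.2.840.113549.1.12.1.1 to .6: the six PKCS #8 algorithms listed.
PKCS8_PBE = {
    f"1.2.840.113549.1.12.1.{n}": f"PBE with SHA-1 and {name}"
    for n, name in enumerate(("128 bit RC4", "40 bit RC4", "3 key DESede",
                              "2 key DESede", "128 bit RC2", "40 bit RC2"), 1)
}
# OpenSSL DEK-Info cipher names: the five OpenSSL algorithms listed.
OPENSSL_DEK = {
    "DES-CBC": "PBE with DES CBC", "DES-EDE3-CBC": "PBE with DESede CBC",
    "AES-128-CBC": "PBE with 128 bit AES CBC", "AES-192-CBC": "PBE with 192 bit AES CBC",
    "AES-256-CBC": "PBE with 256 bit AES CBC",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos, want_tag):
    """Return (start, end) of the value of the DER element at pos."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected DER structure")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # the first two arcs are packed together
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def pkcs8_pbe_oid(der):
    """EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }"""
    start, _ = read_tlv(der, 0, 0x30)      # EncryptedPrivateKeyInfo
    start, _ = read_tlv(der, start, 0x30)  # encryptionAlgorithm
    start, end = read_tlv(der, start, 0x06)  # its algorithm OID
    return decode_oid(der[start:end])

def classify(pem_text):
    """Return (import type, encrypted?, algorithm, algorithm on the lists above?)."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM private key block found")
    label, body = match.groups()
    if label == "PRIVATE KEY":             # PKCS #8 PrivateKeyInfo, unencrypted
        return ("PKCS #8", False, None, True)
    if label == "ENCRYPTED PRIVATE KEY":   # the algorithm sits inside the DER
        oid = pkcs8_pbe_oid(base64.b64decode(body))
        return ("PKCS #8", True, PKCS8_PBE.get(oid, oid), oid in PKCS8_PBE)
    dek = re.search(r"^DEK-Info: ([^,\s]+),", body, re.M)
    name = dek.group(1) if dek else None   # no DEK-Info header: key is unencrypted
    supported = name is None or name in OPENSSL_DEK
    return ("OpenSSL", name is not None, OPENSSL_DEK.get(name, name), supported)

# Constructed samples, not real keys: well-formed headers followed by filler bytes.
P8_DER = bytes.fromhex("3030301c060a2a864886f70d010c0103300e0408" + "00" * 8 + "020208000410" + "00" * 16)
P8_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(P8_DER).decode()
          + "\n-----END ENCRYPTED PRIVATE KEY-----\n")
SSL_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,"
           "00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

An algorithm that is not on either list comes back as its raw OID or cipher name with the last field False, for example 1.2.840.113549.1.5.13 (PBES2) for a PKCS #8 file.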

Export a Key Pair


Export a Key Pair as PKCS #12


To export a Key Pair as PKCS #12:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Key Pair.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Export Key Pair dialog is displayed.
  4. Enter a PKCS #12 Password to protect the exported PKCS #12 file with and confirm it.
  5. Use the Browse button to select an Export File.
  6. Press the Export button to commence the export.

Export a Key Pair's Certificate Chain


To export a Key Pair's certificate chain:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Certificate Chain.
  2. The Export Certificate Chain dialog is displayed.
  3. Use the Export Length radio buttons to choose whether the Entire Chain of certificates should be exported or the Head Only. The X.509 export format is not available when the entire chain is to be exported.
  4. Select an Export Format. The options available are:
    • X.509: ITU-T standard for public key infrastructure.
    • PKCS #7: RSA public key cryptography standard.
    • PKI Path: Certification path.
    • SPC: Software Publisher Certificate, Microsoft's certificate format.
  5. Check the PEM checkbox if the exported certificate is to be PEM encoded. PEM encoding is not available for PKI Path and SPC format exports.
  6. Use the Browse button to select an export file.
  7. Press the Export button to commence the export.

Export a Key Pair's Private Key


Export a Key Pair's Private Key as PKCS #8


To export a Key Pair's private key as PKCS #8:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Private Key.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Export Private Key Type dialog will appear.
  4. Select the PKCS #8 radio button and press the OK button.
  5. The Export Private Key as PKCS #8 dialog is displayed.
  6. If the exported PKCS #8 private key file is to be unencrypted then uncheck the Encrypt check box.
  7. Alternatively if the PKCS #8 private key file is to be encrypted select an Encryption Algorithm and enter and confirm an Encryption Password. The supported PBE encryption algorithms for export are:
    • PBE with SHA-1 and 2 key DESede
    • PBE with SHA-1 and 3 key DESede
    • PBE with SHA-1 and 40 bit RC2
    • PBE with SHA-1 and 128 bit RC2
    • PBE with SHA-1 and 40 bit RC4
    • PBE with SHA-1 and 128 bit RC4
  8. Check the PEM checkbox if the exported private key is to be PEM encoded.
  9. Use the Browse button to select an export file.
  10. Press the Export button to commence the export.

Export a Key Pair's Private Key as PVK


To export a Key Pair's private key as PVK:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Private Key.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Export Private Key Type dialog will appear.
  4. Select the PVK radio button and press the OK button.
  5. The Export Private Key as PVK dialog is displayed.
  6. Select a Key Type of Exchange or Signature.
  7. If the exported PVK private key file is to be unencrypted then uncheck the Encrypt check box.
  8. Alternatively if the PVK private key file is to be encrypted select an Encryption Strength (Strong or Weak) and enter and confirm an Encryption Password.
  9. Use the Browse button to select an export file.
  10. Press the Export button to commence the export.

Note: DSA private keys are not suitable for the purposes of Exchange. For the PVK export of DSA Key Pairs the Key Type options are disabled and Signature is pre-selected.

Export a Key Pair's Private Key as OpenSSL


To export a Key Pair's private key as OpenSSL:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Private Key.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Export Private Key Type dialog will appear.
  4. Select the OpenSSL radio button and press the OK button.
  5. The Export Private Key as OpenSSL dialog is displayed.
  6. If the exported OpenSSL private key file is to be unencrypted then uncheck the Encrypt check box.
  7. Alternatively if the OpenSSL private key file is to be encrypted select an Encryption Algorithm and enter and confirm an Encryption Password. The supported PBE encryption algorithms for export are:
    • PBE with DES CBC
    • PBE with DESede CBC
    • PBE with 128 bit AES CBC
    • PBE with 192 bit AES CBC
    • PBE with 256 bit AES CBC
  8. Check the PEM checkbox if the exported private key is to be PEM encoded. When a private key is to be encrypted it must also be PEM encoded.
  9. Use the Browse button to select an export file.
  10. Press the Export button to commence the export.

Export a Key Pair's Public Key as OpenSSL


To export a Key Pair's public key as OpenSSL:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Public Key.
  2. The Export Public Key as OpenSSL dialog is displayed.
  3. Check the PEM checkbox if the exported public key is to be PEM encoded.
  4. Use the Browse button to select an export file.
  5. Press the Export button to commence the export.

Drag Export a Key Pair


To drag export a Key Pair:
  1. Ensure the Key Pair entry is unlocked.
  2. Select the Key Pair entry for dragging by pressing and holding the left mouse button over it in the KeyStore entries table.
  3. Use the mouse to drag the entry to the desired export location. For example: the desktop, a folder or a text editor.
  4. Release the left mouse button over the export location.
  5. The entry will be exported. The export format used depends on the export location:
    • When exporting as a file the export format is PKCS #12. This is applicable when the entry is dragged to the desktop or to a folder.
    • When exporting as text the export is in two parts. The private key is exported as Encrypted PKCS #8 PEM and the certificate chain is exported as PKCS #7 PEM. This is applicable when the entry is dragged to an application that deals with text.
  6. Exports that are password protected inherit the password of the originating Key Pair entry.

Set a Key Pair's Password


To set a Key Pair entry's password:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select Set Password from the pop-up menu.
  2. The Set Key Pair Entry Password dialog will appear.
  3. Complete the dialog's fields with the old password, new password and new password confirmation. If the Key Pair Entry is unlocked then the old password field will already be completed.
  4. Press the OK button to confirm the dialog.

Cut and Paste a Key Pair


To cut and paste a Key Pair:
  1. Click on the Key Pair entry to select it.
  2. From the Edit menu, choose Cut. Alternatively, click on the Cut tool bar button.
  3. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  4. Select the target KeyStore by clicking on its tab.
  5. From the Edit menu, choose Paste. Alternatively, click on the Paste tool bar button.
  6. The Key Pair entry will appear in the target KeyStore Entries table. The Key Pair entry's password will remain unchanged.
Notes:
  • KeyStore Explorer has an internal clipboard for cut, copy and paste operations called the buffer. Therefore KeyStore entries cannot be cut or copied from KeyStore Explorer to other applications and vice versa.

Copy and Paste a Key Pair


To copy and paste a Key Pair:
  1. Click on the Key Pair entry to select it.
  2. From the Edit menu, choose Copy. Alternatively, click on the Copy tool bar button.
  3. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  4. If copying to a different KeyStore select it by clicking on its tab.
  5. From the Edit menu, choose Paste. Alternatively, click on the Paste tool bar button.
  6. A copy of the Key Pair entry will appear in the target KeyStore Entries table. The Key Pair entry's password will be the same as the original's.
Notes:
  • KeyStore Explorer has an internal clipboard for cut, copy and paste operations called the buffer. Therefore KeyStore entries cannot be cut or copied from KeyStore Explorer to other applications and vice versa.

Delete a Key Pair


To delete a Key Pair:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select Delete from the pop-up menu.
  2. The Key Pair entry will be removed from the KeyStore Entries table.

Rename a Key Pair


To rename a Key Pair:
  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select Rename from the pop-up menu.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The New Entry Alias dialog will appear.
  4. Enter the new alias into the dialog and acknowledge it by pressing the OK button.
  5. The Key Pair entry will be renamed in the KeyStore Entries table.