Specifications


Full specifications for KeyStore Explorer, including supported algorithms, key sizes and file formats, are included below.

KeyStores

KeyStore Explorer supports the management of the following KeyStore types:

Type | Description
JKS | Java KeyStore. Oracle's KeyStore format.
JCEKS | Java Cryptography Extension KeyStore. More secure version of JKS.
PKCS #12 | Public-Key Cryptography Standards #12 KeyStore. RSA's KeyStore format.
BKS | Bouncy Castle KeyStore. Bouncy Castle's version of JKS.
BKS-V1 | Bouncy Castle KeyStore (older version).
UBER | Bouncy Castle UBER KeyStore. More secure version of BKS.
BCFKS | Bouncy Castle FIPS KeyStore (uses FIPS compliant algorithms PBKDF2, SHA-512 and AES CCM).

Key Pairs

KeyStore Explorer supports RSA, DSA and EC Key Pairs. It is capable of generating such Key Pairs with the following key sizes and signature algorithms:

Key Pair Algorithm | Key Size (bits) | Signature Algorithm
DSA | 512 - 1024 | SHA-1 with DSA, SHA-224 with DSA, SHA-256 with DSA, SHA-384 with DSA, SHA-512 with DSA
RSA | 512 - 16384 | MD2 with RSA, MD5 with RSA, RIPEMD-128 with RSA, RIPEMD-160 with RSA, RIPEMD-256 with RSA, SHA-1 with RSA, SHA-224 with RSA, SHA-256 with RSA, SHA-384 with RSA *, SHA-512 with RSA **, SHA-1 with RSA and MGF1, SHA-224 with RSA and MGF1, SHA-256 with RSA and MGF1, SHA-384 with RSA and MGF1 *, SHA-512 with RSA and MGF1 **

Key Pair Algorithm | Curve Set | Curves ***
EC | NIST | B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521
 | SEC | secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
 | ANSI X9.62 | prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176w1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, c2pnb208w1, c2pnb272w1, c2pnb304w1, c2pnb368w1
 | Brainpool | brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1
 | Edwards curves | Ed25519, Ed448

* - Requires an RSA key size of at least 624 bits

** - Requires an RSA key size of at least 752 bits

*** - Availability of curves depends on the keystore type.

Certificates and CRLs

KeyStore Explorer supports Version 1 and Version 3 X.509 certificates as well as CRLs. In addition, for Version 3 certificates and CRLs, it supports the display of a wide range of extensions.

Certificate Signing Requests (CSR)

KeyStore Explorer supports the generation and signing of the following CSR types:

Type | Description
PKCS #10 | Public-Key Cryptography Standards #10 CSR, RSA's CSR format.
SPKAC | Signed Public Key and Challenge (SPKAC), Netscape's CSR format.

X.509 Extensions

KeyStore Explorer supports the display of the full set of extensions specified in RFC 5280 (Certificate and CRL Profile). In addition, most of the certificate extensions are available for addition to generated certificates and signed CSRs.

Extension Name | Extension OID | View | Add to Certificates / CSRs
Entrust Version Information | 1.2.840.113533.7.65.0 | X |
Authority Information Access | 1.3.6.1.5.5.7.1.1 | X | X
Subject Information Access | 1.3.6.1.5.5.7.1.11 | X | X
Subject Directory Attributes | 2.5.29.9 | X |
Subject Key Identifier | 2.5.29.14 | X | X
Key Usage | 2.5.29.15 | X | X
Private Key Usage Period | 2.5.29.16 | X | X
Subject Alternative Name | 2.5.29.17 | X | X
Issuer Alternative Name | 2.5.29.18 | X | X
Basic Constraints | 2.5.29.19 | X | X
CRL Number | 2.5.29.20 | X | X
Reason Code | 2.5.29.21 | X | N/A
Hold Instruction Code | 2.5.29.23 | X | N/A
Invalidity Date | 2.5.29.24 | X | N/A
Delta CRL Indicator | 2.5.29.27 | X | N/A
Issuing Distribution Point | 2.5.29.28 | X | N/A
Certificate Issuer | 2.5.29.29 | X | N/A
Name Constraints | 2.5.29.30 | X | X
CRL Distribution Points | 2.5.29.31 | X | X
Certificate Policies | 2.5.29.32 | X | X
Policy Mappings | 2.5.29.33 | X | X
Authority Key Identifier | 2.5.29.35 | X | X
Policy Constraints | 2.5.29.36 | X | X
Extended Key Usage | 2.5.29.37 | X | X
Freshest CRL | 2.5.29.46 | X |
Inhibit Any Policy | 2.5.29.54 | X | X

Key Pair Import and Export

KeyStore Explorer supports the following formats for the import and export of Key Pair entries.

Format | Private Part | Public Part
PKCS #12 | X | X
PKCS #8 DER * | X |
PKCS #8 PEM * | X |
PVK | X |
OpenSSL DER ** | X |
OpenSSL PEM ** | X |
X.509 DER | | X
X.509 PEM | | X
PKCS #7 DER | | X
PKCS #7 PEM | | X
PKI Path | | X
SPC | | X

* - Where PKCS #8 is encrypted, KeyStore Explorer supports the following PBE algorithms:

PBE Algorithm
SHA-1 and 40 bit RC4
SHA-1 and 128 bit RC4
SHA-1 and 2 key DESede
SHA-1 and 3 key DESede
SHA-1 and 40 bit RC2
SHA-1 and 128 bit RC2

** - Where OpenSSL is encrypted, KeyStore Explorer supports the following PBE algorithms:

PBE Algorithm
PBE with DES CBC
PBE with DESede CBC
PBE with 128 bit AES CBC
PBE with 192 bit AES CBC
PBE with 256 bit AES CBC

Trusted Certificate Import and Export

KeyStore Explorer supports the following formats for the import and export of Trusted Certificate entries:

Format
X.509 DER
X.509 PEM
PKCS #7 DER
PKCS #7 PEM
PKI Path
SPC

Public Key Export

KeyStore Explorer can export the public keys of Key Pair and Trusted Certificate entries in OpenSSL (SubjectPublicKeyInfo) format.

Digital Signatures

KeyStore Explorer supports the digital signing of CSRs, JARs and MIDlets using the following signature algorithms:

Signature Subject | Signature Algorithms
CSR | MD2 with RSA, MD5 with RSA, RIPEMD-128 with RSA, RIPEMD-160 with RSA, RIPEMD-256 with RSA, SHA-1 with RSA, SHA-224 with RSA, SHA-256 with RSA, SHA-384 with RSA *, SHA-512 with RSA **, SHA-1 with DSA, SHA-224 with DSA, SHA-256 with DSA, SHA-384 with DSA, SHA-512 with DSA
JAR | MD2 with RSA, MD5 with RSA, SHA-1 with RSA, SHA-1 with DSA
MIDlet | SHA-1 with RSA

* - Requires a signing RSA key size of at least 624 bits

** - Requires a signing RSA key size of at least 752 bits