KeyStores


KeyStore Explorer can be used to create, edit and save KeyStore files. A KeyStore is a storage mechanism for cryptographic tokens. Such tokens are known as entries. KeyStore entries can be one of the following types:
  • Trusted Certificate: Contains a single public key certificate.
  • Key Pair: Holds a private key and its associated chain of one or more certificates.
  • Key: Contains a single cryptographic key.
Each entry in a KeyStore is identified by a different alias or entry name. Entries also store their last modified date/time.

KeyStores are password protected. The password is required to load the KeyStore and a password will be requested when saving a KeyStore for the first time.

Key Pair entries are also password protected. A password is required to access the private key part of a Key Pair entry.

There are various different types of KeyStore supported by KeyStore Explorer:

  • JKS: Java KeyStore. Oracle's KeyStore format.
  • JCEKS: Java Cryptography Extension KeyStore. More secure version of JKS.
  • PKCS #12: Public-Key Cryptography Standards #12 KeyStore. RSA's KeyStore format.
  • BKS: Bouncy Castle KeyStore. Bouncy Castle's version of JKS.
  • BKS-V1: Older and incompatible version of Bouncy Castle KeyStore.
  • UBER: Bouncy Castle UBER KeyStore. More secure version of BKS.
All of the KeyStores operate identically when managed with KeyStore Explorer with the exception of PKCS #12 KeyStores. Unlike other KeyStore types, PKCS #12 KeyStores do not store the last modified date and time of entries. When viewing a PKCS #12 KeyStore the Last Modified column will always be blank.
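
The entry types and the two layers of password protection described above can be seen through the standard Java KeyStore API. This is an added example, not KeyStore Explorer's own code; the alias and passwords are constructed sample values, and it uses a Key entry because a Key Pair entry needs a certificate chain, while the per-entry password works the same way.

```java
import java.io.*;
import java.security.*;
import java.util.Collections;
import javax.crypto.KeyGenerator;

public class KeyStoreEntriesDemo {
    // Classify an entry using the three entry types listed on this page.
    static String entryType(KeyStore ks, String alias) throws KeyStoreException {
        if (ks.isCertificateEntry(alias)) return "Trusted Certificate";
        // A key entry with a certificate chain is a Key Pair; without one it is a bare Key.
        return ks.getCertificateChain(alias) != null ? "Key Pair" : "Key";
    }

    public static void main(String[] args) throws Exception {
        char[] storePw = "store-password".toCharArray();   // constructed sample values
        char[] entryPw = "entry-password".toCharArray();

        // Build a JCEKS KeyStore in memory holding one Key entry, then save it.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                                // empty, like a new Untitled KeyStore
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        ks.setKeyEntry("demo-aes", kg.generateKey(), entryPw, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePw);                             // the KeyStore password is set on save
        byte[] saved = out.toByteArray();

        // Loading with the wrong KeyStore password is rejected.
        try {
            KeyStore.getInstance("JCEKS").load(new ByteArrayInputStream(saved), "wrong".toCharArray());
            System.out.println("unexpected: load succeeded");
        } catch (IOException e) {
            System.out.println("load rejected: " + e.getMessage());
        }

        // With the right password, list alias, entry type and last modified date.
        KeyStore loaded = KeyStore.getInstance("JCEKS");
        loaded.load(new ByteArrayInputStream(saved), storePw);
        for (String alias : Collections.list(loaded.aliases())) {
            System.out.printf("%s | %s | %s%n", alias, entryType(loaded, alias), loaded.getCreationDate(alias));
        }

        // The entry password is separate: the KeyStore password does not unlock the key.
        try {
            loaded.getKey("demo-aes", storePw);
            System.out.println("unexpected: key unlocked");
        } catch (UnrecoverableKeyException e) {
            System.out.println("key locked: wrong entry password");
        }
        System.out.println("unlocked: " + loaded.getKey("demo-aes", entryPw).getAlgorithm());
    }
}
```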

Create a New KeyStore


To create a new KeyStore:
  1. From the File menu, choose New. Alternatively click on the New tool bar button.
  2. The New KeyStore Type dialog is displayed. Select the desired KeyStore Type using the radio buttons:
    • JKS: Java KeyStore.
    • JCEKS: Java Cryptography Extension KeyStore.
    • PKCS #12: Public-Key Cryptography Standards #12 KeyStore.
    • BKS: Bouncy Castle KeyStore.
    • BKS-V1: Bouncy Castle KeyStore version 1.
    • UBER: Bouncy Castle UBER KeyStore.
  3. Press the OK button.
  4. The new KeyStore will appear as an additional Untitled tab.

Open an Existing KeyStore


To open an existing KeyStore:
  1. From the File menu, choose Open. Alternatively click on the Open tool bar button.
  2. The Open KeyStore dialog will appear.
  3. Select the drive and folder where the KeyStore file is stored.
  4. Click on the required KeyStore file or type the filename into the File Name text box.
  5. Click on the Open button.
  6. The Unlock KeyStore dialog will appear.
  7. Type in the KeyStore's password and press the OK button.
  8. The opened KeyStore will appear as an additional tab.
Note: KeyStore Explorer supports five KeyStore types: JKS, JCEKS, PKCS #12, BKS and UBER. Attempting to open KeyStore files of any other type will result in an error.

Open the Default KeyStore


To open the default KeyStore:
  1. From the File menu, choose Open Special and from the sub-menu Open Default.
  2. If the default KeyStore exists the Unlock KeyStore dialog will appear.
  3. Type in the KeyStore's password and press the OK button.
  4. The default KeyStore will appear as an additional tab.
  5. Alternatively if the default KeyStore does not exist:
    1. A dialog will appear asking if you want to create it.
    2. Answering Yes causes the New KeyStore Type dialog to be displayed. Select the desired KeyStore Type using the radio buttons.
    3. Press the OK button.
    4. The Set KeyStore Password dialog is displayed.
    5. Enter the password with which to protect the KeyStore, confirm it and press the OK button.
    6. The new default KeyStore will appear as an additional tab.
Note: KeyStore Explorer supports five KeyStore types: JKS, JCEKS, PKCS #12, BKS and UBER. Attempting to open KeyStore files of any other type will result in an error.

Open the CA Certificates KeyStore


To open the CA Certificates KeyStore:
  1. From the File menu, choose Open Special and from the sub-menu Open CA Certificates.
  2. If the CA Certificates KeyStore exists the Unlock KeyStore dialog will appear.
  3. Type in the KeyStore's password and press the OK button.
  4. The CA Certificates KeyStore will appear as an additional tab.
  5. Alternatively if the CA Certificates KeyStore does not exist:
    1. A dialog will appear asking if you want to create it.
    2. Answering Yes causes the New KeyStore Type dialog to be displayed. Select the desired KeyStore Type using the radio buttons.
    3. Press the OK button.
    4. The Set KeyStore Password dialog is displayed.
    5. Enter the password with which to protect the KeyStore, confirm it and press the OK button.
    6. The new CA Certificates KeyStore will appear as an additional tab.
Note: KeyStore Explorer supports five KeyStore types: JKS, JCEKS, PKCS #12, BKS and UBER. Attempting to open KeyStore files of any other type will result in an error.

Open a PKCS#11 KeyStore


PKCS#11 is a standard that defines an API for accessing cryptographic devices. In Java the SunPKCS11 provider wraps the PKCS#11 API and transforms it into the keystore API.

To open a PKCS#11 KeyStore:

  1. From the File menu, choose Open Special and from the sub-menu Open PKCS#11.
  2. The Open PKCS#11 dialog will appear. There are two ways to use a PKCS#11 library in KSE:
    1. If the SunPKCS11 provider has already been added to the Java Security properties file (this is described in detail in the Java PKCS#11 Reference Guide and often also in the documentation of the cryptographic device), then you can simply select it in this dialog.
    2. Alternatively, KSE can register the SunPKCS11 provider itself, if you provide the path to the PKCS#11 library and the right slot index.

    Press the OK button when you have selected one of the two methods.

  3. Type in the KeyStore's password and press the OK button.
  4. The PKCS#11 KeyStore will appear as an additional tab.

Note that because PKCS#11 libraries are native code, you have to make sure that the JRE and the PKCS#11 library are both 32-bit or both 64-bit.
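
How a library path and slot index map onto a SunPKCS11 configuration and a PKCS#11 KeyStore in plain Java (9 or later) is sketched below. This is an added example, not KeyStore Explorer's own code; the provider name suffix "Demo" and the command-line arguments are assumptions of the example, and the PIN is read from the console rather than passed as an argument.

```java
import java.io.Console;
import java.security.*;
import java.util.Arrays;
import java.util.Collections;

public class Pkcs11OpenDemo {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java Pkcs11OpenDemo <pkcs11-library-path> <slot-index>");
            return;
        }
        int slotIndex = Integer.parseInt(args[1]);
        // Inline SunPKCS11 configuration; the leading "--" marks it as inline text.
        // "Demo" is an arbitrary name suffix chosen for this example.
        String config = "--name=Demo\nlibrary=" + args[0] + "\nslotListIndex=" + slotIndex + "\n";

        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider is not available in this JRE");
        }
        Provider token;
        try {
            token = base.configure(config);
        } catch (ProviderException | InvalidParameterException e) {
            // Possible causes include a wrong library path or a 32/64-bit
            // mismatch between the JRE and the native library.
            System.err.println("Cannot initialise PKCS#11 library: " + e);
            return;
        }

        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("No console available to read the PIN");
        }
        char[] pin = console.readPassword("Token PIN: ");
        if (pin == null) return;
        try {
            // A PKCS#11 KeyStore has no file: load with a null stream and the PIN.
            KeyStore ks = KeyStore.getInstance("PKCS11", token);
            ks.load(null, pin);
            for (String alias : Collections.list(ks.aliases())) {
                System.out.println(alias + (ks.isKeyEntry(alias) ? " [key]" : " [certificate]"));
            }
        } finally {
            Arrays.fill(pin, '\0');   // do not leave the PIN in memory longer than needed
        }
    }
}
```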

Open the Windows User KeyStore


Since Java 6 the SunMSCAPI provider is part of the JRE, enabling software written in Java to access the native cryptographic services and key containers of the Windows platform.

In KeyStore Explorer you can open the "Windows-MY" KeyStore, which contains the user's personal certificates and associated private keys.

To open the Windows-MY KeyStore:

  1. From the File menu, choose Open Special and from the sub-menu Open Windows-MY.
  2. The Windows-MY KeyStore will appear as an additional tab.

Note that due to restrictions of the SunMSCAPI provider, not all features that are available for other KeyStore types are available for this one.

Close a KeyStore


To close a KeyStore:
  1. Select the required KeyStore by clicking on its tab.
  2. From the File menu, choose Close.
  3. If the KeyStore does not have unsaved changes then it will be closed immediately.
  4. If the KeyStore contains unsaved changes:
    1. A dialog will appear asking if you want to save it.
    2. Answering No closes the KeyStore losing the unsaved changes.
    3. Alternatively answering Yes saves the KeyStore prior to closing:
      1. If you have yet to set a password for the Untitled KeyStore then the Set KeyStore Password dialog is displayed.
      2. Enter the password with which to protect the KeyStore, confirm it and press the OK button.
      3. The Save KeyStore As dialog is displayed.
      4. Select the drive and folder where the KeyStore file is to be saved.
      5. Type the filename into the File Name text box.
      6. Click on the Save button.

Close All KeyStores


To close all KeyStores:
  1. From the File menu, choose Close All.
  2. Each open KeyStore will be closed in turn:
    1. If the KeyStore does not have unsaved changes then it will be closed immediately.
    2. If the KeyStore contains unsaved changes:
      1. A dialog will appear asking if you want to save it.
      2. Answering No closes the KeyStore losing the unsaved changes.
      3. Alternatively answering Yes saves the KeyStore prior to closing:
        1. If you have yet to set a password for the Untitled KeyStore then the Set KeyStore Password dialog is displayed.
        2. Enter the password with which to protect the KeyStore, confirm it and press the OK button.
        3. The Save KeyStore As dialog is displayed.
        4. Select the drive and folder where the KeyStore file is to be saved.
        5. Type the filename into the File Name text box.
        6. Click on the Save button.

Save a KeyStore


To save a KeyStore:
  1. Select the required KeyStore by clicking on its tab.
  2. From the File menu, choose Save. Alternatively click on the Save tool bar button.
  3. If you have yet to set a password for the KeyStore then the Set KeyStore Password dialog is displayed.
  4. Enter the password with which to protect the KeyStore, confirm it and press the OK button.
  5. If the KeyStore is not Untitled then it will be saved at this point.
  6. Otherwise the Save KeyStore As dialog is displayed.
  7. Select the drive and folder where the KeyStore file is to be saved.
  8. Type the filename into the File Name text box.
  9. Click on the Save button.

Save a KeyStore with a New Name


To save a KeyStore with a new name:
  1. Select the required KeyStore by clicking on its tab.
  2. From the File menu, choose Save As.
  3. If you have yet to set a password for the KeyStore then the Set KeyStore Password dialog is displayed.
  4. Enter the password with which to protect the KeyStore, confirm it and press the OK button.
  5. The Save KeyStore As dialog is displayed.
  6. Select the drive and folder where the KeyStore file is to be saved.
  7. Type the filename into the File Name text box.
  8. Click on the Save button.

Save All KeyStores


To save all KeyStores:
  1. From the File menu, choose Save All.
  2. Each KeyStore with unsaved changes will be saved in turn:
    1. If you have yet to set a password for the KeyStore then the Set KeyStore Password dialog is displayed.
    2. Enter the password with which to protect the KeyStore, confirm it and press the OK button.
    3. If the KeyStore is not Untitled then it will be saved at this point.
    4. Otherwise the Save KeyStore As dialog is displayed.
    5. Select the drive and folder where the KeyStore file is to be saved.
    6. Type the filename into the File Name text box.
    7. Click on the Save button.

Change a KeyStore's Type


To change a KeyStore's type:
  1. Select the required KeyStore by clicking on its tab.
  2. From the Tools menu, choose the Change Type sub-menu.
  3. From this sub-menu you can choose between the following KeyStore types:
    • JKS: Java KeyStore.
    • JCEKS: Java Cryptography Extension KeyStore.
    • PKCS #12: Public-Key Cryptography Standards #12 KeyStore.
    • BKS: Bouncy Castle KeyStore.
    • BKS-V1: Bouncy Castle KeyStore version 1.
    • UBER: Bouncy Castle UBER KeyStore.
  4. Choose the menu item corresponding to the required type. Note that the current type will be pre-selected.
  5. The KeyStore type will now be changed.
Notes:
  • If the KeyStore contains Key Pair entries that have not been unlocked then the Unlock Entry dialog will be displayed for each.
  • KeyStore entries of type Key will be lost in the change.

Set a KeyStore's Password


To set a KeyStore's password:
  1. Select the required KeyStore by clicking on its tab.
  2. From the Tools menu, choose Set Password. Alternatively click on the Set Password tool bar button.
  3. The Set KeyStore Password dialog will be displayed.
  4. Enter the new password with which to protect the KeyStore, confirm it and press the OK button.

View a KeyStore's Properties


To view a KeyStore's properties:
  1. Select the required KeyStore by clicking on its tab.
  2. From the Tools menu, choose Properties. Alternatively click on the Properties tool bar button.
  3. The KeyStore Properties dialog will be displayed.
  4. Optionally copy the properties to the clipboard by pressing the Copy button.
  5. After viewing the properties close the dialog by pressing the OK button.