Summary

PKI defines the necessary roles, formats and standards for making public key cryptography usable. It defines the roles and responsibilities of the subject, issuer, Certification Authority and Relying Party, and their place within PKI. It also defines the digital documents exchanged among these entities, their structure and the purpose they serve. These include X.509 certificates, certification paths, CSRs and CRLs. Other digital entities that we came across include the keystore, truststore and certificate repository.

The Java platform has rich support for PKI. It includes APIs and libraries to handle PKI entities such as certificates, certification paths, CRLs, keystores and certificate repositories, and to perform operations such as loading and saving digital certificates and CRLs, accessing their components, and building certification paths. However, the bundled tools, such as keytool, are quite limited in performing these operations. One particular activity, issuing signed certificates, is not supported at all, either by the API or the tools.

JSTK utilities certtool and reptool provide a number of PKI-related capabilities, augmenting the tools available with the Java platform. They come in handy while working with certificates and other PKI components.

The Java certification path API is quite powerful but difficult to use. Use of this API is expected to grow as more complex PKI architectures become prevalent and the need to perform complex validations grows with them.

PKI has found practical application in a number of real-life situations. These include secure e-mail exchange, secure e-commerce over SSL, code signing, software license enforcement, contract signing, and so on.
