The keytool gives us the ability to create keys, obtain certificates, and so on. Now we’ll turn our attention to using the key management facilities programatically: if you need to create a digital signature, you’ll use the key management API to locate the correct key. Similarly, you may choose to store secret keys for data encryption in the keystore. The key management API allows us to read and write keystores and their entries.

In addition, the implementation of keytool has certain limitations: it cannot create entries that store secret keys, and it is difficult to share the keys in a keytool database among a widely dispersed group of people (like all the employees of XYZ Corporation). We can, however, use the key management API to create a key management system that has whatever features we require.

That framework is the ultimate goal of the following sections. First, however, let’s take a look at the classes that make up the key management API. We begin with the notion of the identity to whom a key belongs. In Java’s key management model, the association between a key and its owner is application-specific, but it is generally modeled on the Principal interface.