Summary

Deprecate the default -keyalg value for -genkeypair and -genseckey commands of keytool, so that if user has not explicitly specified one there will be a warning.

Problem

The current default -keyalg value is "DSA" for -genkeypair and "DES" for -genseckey. Both are legacy algorithms that are not used in modern security related protocols.

Solution

Deprecate the default -keyalg value for these two commands and recommend user to explicitly specify one. Cryptography is evolving all the time and it was probably a mistake that we chose a default -keyalg value when keytool was created. Also, not having a default -keyalg value makes the user specify what they want, perhaps learning about certificates and making an educated choice.

We plan to remove the default value in a future release.

Specification

For keytool -genkeypair, if no -keyalg is specified, the following warning will be shown:

Warning: No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.

For keytool -genseckey, the "DES" algorithm name is shown instead.

For both commands, no matter if -keyalg is specified or not, after the key is successfully created, there will be an informational text showing what kind of key is created, including the key algorithm and signature algorithm (if relevant). For example:

Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days for: CN=X

For the keytool.html document, remove the "-keyalg" item in the default value box of the "Examples of Option Values" section.