Summary
-------
Deprecate the default `-keyalg` value for `-genkeypair` and `-genseckey` commands of keytool, so that if user has not explicitly specified one there will be a warning.
Problem
-------
The current default `-keyalg` value is "DSA" for `-genkeypair` and "DES" for `-genseckey`. Both are legacy algorithms that are not used in modern security related protocols.
Solution
--------
Deprecate the default `-keyalg` value for these two commands and recommend user to explicitly specify one. Cryptography is evolving all the time and it was probably a mistake that we chose a default `-keyalg` value when keytool was created. Also, not having a default `-keyalg` value makes the user specify what they want, perhaps learning about certificates and making an educated choice.
We plan to remove the default value in a future release.
Specification
-------------
For `keytool -genkeypair`, if no `-keyalg` is specified, the following warning will be shown:
>Warning: No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.
For `keytool -genseckey`, the "DES" algorithm name is shown instead.
For both commands, no matter if `-keyalg` is specified or not, after the key is successfully created, there will be an informational text showing what kind of key is created, including the key algorithm and signature algorithm (if relevant). For example:
> Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days
for: CN=X
For the [keytool.html](https://docs.oracle.com/en/java/javase/11/tools/keytool.html) document, remove the "-keyalg" item in the default value box of the "Examples of Option Values" section.