OpenSSL to Keytool Conversion tips

From ConShell
Revision as of 01:56, 20 September 2007

Every so often I hear of someone who needs to convert an openssl-generated certificate and private key (typically in PEM or DER format) into a Java Secure Socket Extension (JSSE) keystore. The process is more involved than it should be, but it can be done. Here are a few approaches and links that may help.

OpenSSL writes certificates and keys in PEM format by default. PEM is the base64-encoded form of the DER structure, wrapped in "-----BEGIN ...-----" and "-----END ...-----" header lines; DER is the raw binary encoding of the same data. Keytool and the JSSE can import either as a certificate, but neither the PEM nor the DER form of a private key can be imported into a JKS keystore directly, which is why every method below goes through an intermediate keystore format (usually PKCS12).

Method #1: PKCS12Import

First up: PKCS12Import, a class that ships with the Jetty HTTP server (org.mortbay.util.PKCS12Import).

With this method you first use openssl pkcs12 -export to bundle the certificate and key into a PKCS12 file, and the Jetty tool then converts that PKCS12 file into a JKS keystore, the JSSE native format.

Note that I had to run it a little differently from what is presented in the Jetty example:

java org.mortbay.util.PKCS12Import keystore.pkcs12 keystore.jks

Then import the CA certificate (ca.crt) as a trusted entry as well, and list the result:

keytool -import -keystore keystore.jks -trustcacerts -file ca.crt
keytool -list -v -keystore keystore.jks

The listing shows two entries: the private key entry with its certificate chain, and the trusted CA certificate entry. (The original command line had -import twice; once is enough.)

Method #2: Jakarta Tomcat recipe

See The Tomcat 5 Servlet/JSP Container SSL Configuration HOW-TO

The section "Preparing the Keystore" gives the openssl pkcs12 -export command that bundles key + cert + CA cert into a single PKCS12 file, which Tomcat can then use directly as its keystore (keystoreType="PKCS12"). The catch is that the JSSE of that era could read PKCS12 keystores but not write to them, so keytool can list the store but any attempt to add to or modify it fails. Case in point:

keytool error: java.io.IOException: PKCS 12 storing not implemented
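The full PEM to PKCS12 to JKS procedure that Methods #1 and #2 describe, as an added example that is not part of the original page or of the Jetty or Tomcat documentation. It uses only openssl for the PKCS12 step and, where a JDK is on the PATH, the keytool -importkeystore command that JDK 6 and later provide in place of the Jetty PKCS12Import class. The file names, certificate subjects, the alias "tomcat" and the password "changeit" are made-up values for the example; the key and certificates it generates are throwaway test material.

```shell
#!/bin/sh
# Added example, not from the original wiki page: the PEM -> PKCS12 -> JKS
# procedure described in Methods #1 and #2, using only openssl and (if a JDK
# is installed) the keytool -importkeystore command available since JDK 6.
# File names, subjects, alias and password are made-up test values.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for the generated files
PASS="${PASS:-changeit}"          # hypothetical store/key password

# Step 1: constructed test material - a throwaway CA plus a server key and
# certificate issued by it. A real conversion starts from existing files.
make_pem_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=server.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Step 2: bundle key + cert + CA cert into one PKCS12 file (the openssl
# recipe from the Tomcat HOW-TO). -name sets the PKCS12 friendly name,
# which becomes the keystore alias on the Java side.
make_pkcs12() {
  openssl pkcs12 -export \
    -in "$WORK/server.crt" -inkey "$WORK/server.key" -certfile "$WORK/ca.crt" \
    -name tomcat -passout "pass:$PASS" -out "$WORK/keystore.p12"
}

# Inspect the bundle with openssl alone: how many private keys and how many
# certificates were actually packed? (Expected: 1 key, 2 certificates.)
count_p12_keys() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nocerts -nodes \
    | grep -c 'BEGIN.*PRIVATE KEY'
}
count_p12_certs() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nokeys \
    | grep -c 'BEGIN CERTIFICATE'
}

# Step 3: convert to JKS. Returns 2 (without aborting the script) when no
# keytool is on the PATH, so the openssl part still runs on a Java-less box.
convert_to_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping JKS step" >&2; return 2; }
  rm -f "$WORK/keystore.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/keystore.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore "$WORK/keystore.jks" -deststoretype JKS -deststorepass "$PASS"
  keytool -list -v -keystore "$WORK/keystore.jks" -storepass "$PASS"
}

main() {
  make_pem_material
  make_pkcs12
  echo "PKCS12 at $WORK/keystore.p12: $(count_p12_keys) key(s), $(count_p12_certs) certificate(s)"
  if convert_to_jks; then
    echo "JKS keystore written to $WORK/keystore.jks"
  fi
}

main
```

Two caveats worth knowing before pointing this at a real Java installation. First, the PKCS12 file carries both the key and its chain, so the resulting JKS has a single PrivateKeyEntry whose chain includes the CA; if you also want the CA as a separate trusted entry (as in Method #1) you still need the extra keytool -import -trustcacerts step. Second, OpenSSL 3 changed the default PKCS12 encryption to AES-256-CBC with PBKDF2; older keytool versions only understand the legacy RC2/3DES algorithms and will reject such a file, in which case add -legacy to the openssl pkcs12 -export command.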


Method #3: Yellowcat Keytool IUI

This web-launched Java application lets you import a key pair and certificate and export them as a keystore in JKS or JCEKS format.

Method #4: Bouncy Castle

You might want to check out The Legion of the Bouncy Castle for an alternate Java Cryptography Extension (JCE) provider. Its library reads and writes the standard PEM/DER encodings and PKCS12 keystores directly (as opposed to the Sun-proprietary JKS format), so you can load openssl-generated material from Java code without converting it first.

Method #5: KeyMan / iKeyMan

Another option to consider is KeyMan from IBM alphaWorks. This tool is like keytool on steroids in that it supports additional keystore formats and cryptographic token devices, and can manipulate the Windows certificate store. Closely related is a GUI tool called iKeyman that ships with IBM's WebSphere Application Server, if you happen to have that. (Note: the Community edition might be your low-cost/free choice here.) iKeyman can import ".arm" files, which are PEM-encoded certificates in disguise. Depending on which version you use, it can manipulate .kdb and .jks files. The .jks files are (to my knowledge) a variation of the keystore format, but not the native JSSE type.

Find out more about KeyMan and WebSphere.

See Also

* Keytool to OpenSSL Conversion tips - to go the other direction!
* Keytool