OpenSSL to Keytool Conversion tips: Difference between revisions

From ConShell

Latest revision as of 14:58, 7 December 2013


Every so often I hear of someone who needs to convert their openssl-generated certificate and key (typically in PEM or DER format) into a Java Secure Socket Extension (JSSE) keystore. This process is complicated, but it can be done. Here are a few links that may help.

OpenSSL-generated certificates and keys are encoded in PEM format by default: the DER bytes, base64-encoded between "-----BEGIN ...-----" and "-----END ...-----" lines. The other type used is DER, which is the raw binary encoding.

Method #1: PKCS12Import

This method converts the certificate & key into a PKCS12 file which may then be converted (by the Jetty tool) into a JKS keystore - the JSSE native format.

First, convert your certificate and key into a pkcs12 file. This is a simple example.

openssl pkcs12 -export -in example.crt -inkey example.key -out keystore.pkcs12

Here is a more complex example which chains together the CA certificate which signed example.crt. It ensures the certificate chaining will be intact after the JKS conversion.

openssl pkcs12 -export -chain -in example.crt -certfile ca.crt -inkey example.key -out keystore.pkcs12

PKCS12Import is part of the Jetty HTTP Server API; read about it at http://www.mortbay.org/apidocs/org/mortbay/jetty/security/PKCS12Import.html. You will want to download the Jetty 6.1.3 package from ftp://ftp.mortbay.org/pub/jetty-6.1.x/jetty-6.1.3.zip.

After download, unzip it into a folder alongside your keystore.pkcs12 file generated above.

Note that I had to run it a little differently from what is presented in the example...

java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
Enter input keystore passphrase: secret
Enter output keystore passphrase: secret
Alias 0: 1
Adding key for alias 1

keytool -list -v -keystore keystore.jks

This will result in two entries: a PrivateKeyEntry that carries the chain, and a trustedCertEntry. If you used -chain in the PKCS12 generation, the PrivateKeyEntry should have a certificate chain length of 2 (or more).

You only need -trustcacerts if the ca.crt is for an Intermediate CA chained back to a public CA such as Verisign.
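The Method #1 procedure above (and the PEM/DER distinction from the introduction) as one POSIX shell script. This is an added example, not code from the ConShell page, from Jetty or from OpenSSL: it classifies an input file as PEM or DER, normalises DER to PEM, builds the chained PKCS12 exactly as in the "more complex example", and then imports it with keytool's own -importkeystore instead of Jetty's PKCS12Import, verifies the resulting chain length, and adds ca.crt as a trustedCertEntry with -trustcacerts. It assumes openssl and a JDK keytool on PATH when pem_to_jks is invoked; the file names follow the page (example.crt, example.key, ca.crt, keystore.jks), and the store password is a constructed placeholder read from the KEYSTORE_PASS variable.

```shell
#!/bin/sh
# Added example, not code from the ConShell page, Jetty or OpenSSL.
# Assumes openssl and a JDK keytool are on PATH when pem_to_jks is run;
# cert_format and (for PEM input) to_pem_cert need neither.
set -eu

# Classify a certificate/key file: PEM is base64 text between
# "-----BEGIN ...-----" / "-----END ...-----" lines, DER is raw binary.
cert_format() {
    [ -f "$1" ] || { echo "cert_format: no such file: $1" >&2; return 1; }
    if grep -q -- '-----BEGIN ' "$1"; then
        printf 'PEM\n'
    else
        printf 'DER\n'
    fi
}

# Write $1 to $2 as PEM, converting with openssl if it is DER, because
# openssl pkcs12 reads -in and -certfile as PEM by default.
to_pem_cert() {
    if [ "$(cert_format "$1")" = DER ]; then
        openssl x509 -inform DER -in "$1" -out "$2"
    else
        cp "$1" "$2"
    fi
}

# Number of certificates in one JKS entry's chain, parsed from
# keytool -list -v (the page expects 2 or more when -chain was used).
# Arguments: keystore, alias, store password.
chain_length() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" \
        | sed -n 's/^Certificate chain length: *//p' | head -n 1
}

# Build the chained PKCS12 and import it into a JKS.
# Arguments: cert, key, CA cert, output JKS, alias for the key entry.
# Password: KEYSTORE_PASS, defaulting to a constructed placeholder.
pem_to_jks() {
    cert="$1"; key="$2"; ca="$3"; jks="$4"; alias="$5"
    pw="${KEYSTORE_PASS:-changeit-placeholder}"
    p12="${jks%.jks}.pkcs12"

    to_pem_cert "$cert" "$cert.pem"
    to_pem_cert "$ca" "$ca.pem"

    # Fail early unless ca.crt really signed the certificate; otherwise
    # -chain below fails with a less obvious message.
    openssl verify -CAfile "$ca.pem" "$cert.pem"

    # Same step as the page's "more complex example", with the password
    # supplied non-interactively and the friendly name set so keytool
    # uses it as the alias.
    openssl pkcs12 -export -chain -in "$cert.pem" -certfile "$ca.pem" \
        -inkey "$key" -name "$alias" -passout "pass:$pw" -out "$p12"

    # keytool reads PKCS12 directly, so Jetty's PKCS12Import is not needed.
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pw" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$pw"

    # Also hold ca.crt as a trustedCertEntry; -importcert is the current
    # spelling of the -import command the page refers to.
    keytool -importcert -noprompt -trustcacerts -alias "$alias-ca" \
        -file "$ca.pem" -keystore "$jks" -storepass "$pw"

    rm -f "$p12" "$cert.pem" "$ca.pem"

    # Print the chain length of the key entry so the caller can check it.
    chain_length "$jks" "$alias" "$pw"
}

# Usage (not run automatically):
#   KEYSTORE_PASS=secret pem_to_jks example.crt example.key ca.crt keystore.jks example
```

The script expects the final line of output to be 2 or more; a 1 means the CA certificate was not chained into the key entry, which is the situation the page warns about. On current JDKs keytool can also write PKCS12 stores, so if the consuming application accepts PKCS12 the -deststoretype JKS step can be dropped and the PKCS12 file used directly.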

Method #2: Jakarta Tomcat recipe

See The Tomcat 5 Servlet/JSP Container SSL Configuration HOW-TO

The section Preparing the Keystore describes the openssl command to run to convert a key + cert + CA cert into a PKCS12 keystore. JSSE treats this keystore as read-only, so functionality is reduced. Case in point...

keytool error: java.io.IOException: PKCS 12 storing not implemented

Method #3: Yellowcat Keytool IUI

This web-based Java application lets you import a key pair and certificate and export them as a keystore (JKS or JCEKS format).

Method #4: Bouncy Castle

You might want to check out The Legion of the Bouncy Castle for an alternate Java Cryptography Extension (JCE) provider that will handle the standard PEM/DER formats (as opposed to the proprietary JKS format).

Method #5: KeyMan / iKeyMan

Another option to consider is KeyMan from IBM Alphaworks. This tool is like keytool on steroids in that it supports additional keystore formats and cryptographic token devices, and can manipulate the Windows certificate store. Closely related is a GUI interface called iKeyman that ships with IBM's WebSphere Application Server, if you happen to have that. (Note: the Community edition might be your low-cost/free choice here.) iKeyman can import ".arm" files, which are PEM-encoded certificates in disguise. Depending on which version you use, it can manipulate .kdb and .jks files. The .jks files are (to my knowledge) a variation of the keystore format, but not the native JSSE type.

Find out more about KeyMan and WebSphere.

See Also