OpenSSL to Keytool Conversion tips

From ConShell
Revision as of 14:55, 20 September 2007 by Fostermarkd (talk | contribs) (→‎See Also)


Every so often I hear of someone who needs to convert an OpenSSL-generated certificate and private key (typically in PEM or DER format) into a Java Secure Socket Extension (JSSE) keystore. The process is more involved than it should be, but it can be done. Here are the methods I know of, with links that may help.

OpenSSL writes certificates and keys in PEM format by default: the DER encoding, base64-encoded and wrapped in -----BEGIN ...----- / -----END ...----- lines. The other format you will meet is DER, the raw binary (ASN.1) encoding. keytool can import a certificate in either encoding, but it has no command for importing a bare private key file at all; the only way to get a private key into a JSSE keystore is to bring it in from another keystore, which is why every method below goes through PKCS12.

Method #1: PKCS12Import

This method bundles the certificate and key into a PKCS12 file, which the Jetty PKCS12Import tool then converts into a JKS keystore, the JSSE native format.

First, convert your certificate and key into a pkcs12 file.

openssl pkcs12 -export -out keystore.pkcs12 -in example.crt -inkey example.key

PKCS12Import is part of the Jetty HTTP server (class org.mortbay.jetty.security.PKCS12Import in Jetty 6). Read about it in the Jetty documentation, and download the jetty 6.1.3 package, which is the version used below.

After download, unzip it into a folder alongside your keystore.pkcs12 file.

Note that I had to run it a little differently from what is presented in the example:

java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
Enter input keystore passphrase: foo
Enter output keystore passphrase: foo
Alias 0: 1
Adding key for alias 1

You may also want to import the CA certificate (ca.crt). Two common reasons: the keystore is going to double as a trust store, so the CA entry is what makes certificates issued by that CA trusted; and keytool will only accept a signed certificate reply (-importcert against an existing key entry) if it can build a chain to a CA it already trusts. A trustedCertEntry does not change what the server sends to clients, though. The chain presented during the TLS handshake is the one stored with the PrivateKeyEntry, so intermediate CA certificates belong in the PKCS12 file (openssl pkcs12 -certfile) rather than in separate trusted entries.

keytool -import -keystore keystore.jks -trustcacerts -alias ca -file ca.crt
keytool -list -v -keystore keystore.jks

This will result in two entries: a PrivateKeyEntry (with its certificate chain) and a trustedCertEntry for the CA.

-trustcacerts tells keytool to consult the JRE's cacerts file as well when it tries to build a chain for the certificate being imported. You only need it if ca.crt is an intermediate CA chained back to a public root such as Verisign that is already in cacerts. For a self-signed or private root there is nothing to chain to, and keytool will print the certificate and ask you to confirm that you trust it.
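The whole of Method #1 as one runnable script, added here as an example (it is not the page's or Jetty's own code): it generates a throwaway key and self-signed certificate so it runs offline, shows the PEM/DER relationship described at the top of the page, bundles the pair into PKCS12 with an explicit alias, and then does the PKCS12-to-JKS step with keytool -importkeystore (available since JDK 6) instead of the Jetty PKCS12Import class. The alias example, the subject CN example.test and the passphrase changeit are assumptions of the example; every input file is generated by the script itself.

```shell
#!/bin/sh
# Added example, not from the original page: OpenSSL -> PKCS#12 -> JKS using
# only openssl and the JDK's own keytool (keytool -importkeystore, JDK 6+),
# so the Jetty PKCS12Import class is not needed.
# Assumed (not from the page): alias "example", CN example.test, passphrase
# "changeit". All input files are constructed test data generated below.
set -eu

PASS="changeit"   # keytool refuses store passwords shorter than 6 characters
ALIAS="example"

# Constructed sample input: a fresh RSA key and self-signed cert in PEM, plus
# a DER copy of the same cert. PEM is base64-encoded DER between BEGIN/END
# lines; DER is the raw binary. openssl reads either with -inform.
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example.test" \
        -keyout "$dir/example.key" -out "$dir/example.crt" 2>/dev/null
    openssl x509 -in "$dir/example.crt" -outform DER -out "$dir/example.der"
}

# Check: read the DER copy back and print its subject.
der_subject() {
    openssl x509 -in "$1/example.der" -inform DER -noout -subject
}

# Step 1: bundle key + cert into PKCS#12. -name sets the alias; without it
# the entry is called "1", as in the PKCS12Import transcript above. Add
# -certfile ca.crt here to put intermediates into the key entry's chain.
make_pkcs12() {
    dir="$1"
    openssl pkcs12 -export -out "$dir/keystore.pkcs12" \
        -in "$dir/example.crt" -inkey "$dir/example.key" \
        -name "$ALIAS" -passout "pass:$PASS"
}

# Step 2: PKCS#12 -> JKS with keytool alone (replaces PKCS12Import).
pkcs12_to_jks() {
    dir="$1"
    rm -f "$dir/keystore.jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/keystore.pkcs12" -srcstoretype PKCS12 \
        -srcstorepass "$PASS" \
        -destkeystore "$dir/keystore.jks" -deststoretype JKS \
        -deststorepass "$PASS" 2>/dev/null
}

# Check: print the alias of the PrivateKeyEntry in the JKS (empty if none).
jks_key_alias() {
    keytool -list -keystore "$1/keystore.jks" -storepass "$PASS" 2>/dev/null \
        | grep 'PrivateKeyEntry' | cut -d, -f1
}

demo() {
    dir="${1:-$(mktemp -d)}"
    make_test_material "$dir"
    echo "DER copy parses as: $(der_subject "$dir")"
    make_pkcs12 "$dir"
    pkcs12_to_jks "$dir"
    echo "JKS key entry alias: $(jks_key_alias "$dir")"   # example
    keytool -list -v -keystore "$dir/keystore.jks" -storepass "$PASS"
}

if [ "${1:-}" = "demo" ]; then
    demo "${2:-}"
fi
```

Run it as sh convert.sh demo [dir]. On JDK 9 and later keytool warns that JKS is a proprietary format and suggests PKCS12; on those JDKs the conversion is optional, because JSSE reads keystore.pkcs12 directly and keytool can both read and write it.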

Method #2: Jakarta Tomcat recipe

See The Tomcat 5 Servlet/JSP Container SSL Configuration HOW-TO

The section Preparing the Keystore describes an openssl command that bundles key, certificate and CA certificate into a PKCS12 keystore that JSSE can load directly, so no JKS conversion is needed. The catch is that the JSSE of that era could only read PKCS12, not write it, so keytool cannot modify the result. Case in point:

keytool error: java.io.IOException: PKCS 12 storing not implemented

That limitation is specific to old JDKs. Later JDKs can write PKCS12 keystores, and from JDK 9 onward PKCS12 is keytool's default store type, so on a current JDK this is the simplest method of all.

Method #3: Yellowcat Keytool IUI

Keytool IUI is a web-based Java application that lets you import a key pair and certificate and export them as a keystore (JKS or JCEKS format).

Method #4: Bouncy Castle

You might want to check out The Legion of the Bouncy Castle, an alternative Java Cryptography Extension (JCE) provider whose PEM/DER readers handle the standard OpenSSL formats directly, as opposed to the proprietary JKS format.

Method #5: KeyMan / iKeyMan

Another option to consider is KeyMan from IBM alphaWorks. This tool is like keytool on steroids: it supports additional keystore formats and cryptographic token devices, and it can manipulate the Windows certificate store. Closely related is a GUI called iKeyman that ships with IBM's WebSphere Application Server, if you happen to have that (the Community Edition may be your low-cost/free choice here). iKeyman can import ".arm" files, which are PEM-encoded certificates in disguise. Depending on which version you use, it can manipulate .kdb and .jks files. The .jks files are (to my knowledge) a variation of the keystore format, but not the native JSSE type.

Find out more about KeyMan and WebSphere.

See Also