Import private key and certificate into Java Key Store (JKS)
Apache Tomcat and many other Java applications expect to retrieve SSL/TLS certificates from a Java Key Store (JKS). Java Virtual Machines usually come with keytool to help you create a new key store.
Keytool helps you to:
- create a new JKS with a new private key
- generate a Certificate Signing Request (CSR) for the private key in this JKS
- import a certificate that you received for this CSR into your JKS
Keytool does not let you import an existing private key for which you already have a certificate. So you need to do this yourself; here's how:
Let's assume you have a private key (key.pem) and a certificate (cert.pem), both in PEM format as the file names suggest.
PEM format is 'kind-of-human-readable' and looks like this, for example:
-----BEGIN CERTIFICATE-----
Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN
. . (snip) .
9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk=
-----END CERTIFICATE-----
Convert both the key and the certificate into DER format using openssl:
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Now comes the tricky bit: you need something to import these files into the JKS. ImportKey will do this for you. Get the ImportKey.java source or the compiled (Java 1.5!) ImportKey.class and run it like this:
user@host:~$ java ImportKey key.der cert.der
Using keystore-file : /home/user/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey Password:importkey
Now we have a proper JKS containing our private key and certificate in a file called keystore.ImportKey, using 'importkey' as alias and also as password. For any further changes, like changing the password, we can use keytool.
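For readers who want to see what a tool like ImportKey has to do, here is an added example written for this page; it is not the ImportKey.java source from the post, and the class name JksImportExample, its argument layout and its messages are this example's own choices. It reads the unencrypted PKCS#8 DER key produced by the openssl pkcs8 command above, reads every certificate in the second file in file order (so a file built with cat from server, intermediate and root certificates, as discussed in the comments, becomes the chain), and stores them as one key entry in a JKS. It goes one step beyond the single-certificate case: before writing anything it signs a probe with the private key and verifies it with the first certificate's public key, so a chain concatenated in the wrong order (CA certificate first) is rejected instead of ending up as a broken server entry. It needs Java 8 or newer.

```java
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;

// Added example, not the ImportKey.java from the post. Builds a JKS from an
// unencrypted PKCS#8 DER key (what "openssl pkcs8 -topk8 -nocrypt" writes) and a
// file with one or more certificates (DER or PEM, possibly cat'ed together).
// Class name, argument layout and messages are this example's own. Needs Java 8+.
public class JksImportExample {

    // Parses an unencrypted PKCS#8 DER key, trying RSA first and then EC.
    static PrivateKey loadPkcs8Key(byte[] der) throws GeneralSecurityException {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        for (String alg : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm; try the next one
            }
        }
        throw new GeneralSecurityException("not an unencrypted PKCS#8 RSA or EC key");
    }

    // Reads every certificate in the file, in file order. CertificateFactory accepts
    // a sequence of DER certificates (or PEM), so "cat leaf.der ca.der" gives a chain.
    static Certificate[] loadCertChain(byte[] data) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(data));
        if (certs.isEmpty()) {
            throw new GeneralSecurityException("no certificate found in input");
        }
        // toArray(new Certificate[0]) yields Certificate[]; a bare toArray() yields Object[]
        return certs.toArray(new Certificate[0]);
    }

    // Sign-and-verify probe: true only if cert's public key is the counterpart of the
    // private key. Catches a chain concatenated in the wrong order (CA cert first).
    static boolean keyMatchesCert(PrivateKey key, Certificate cert) throws GeneralSecurityException {
        String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] probe = "key/certificate pairing check".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();
        try {
            Signature verifier = Signature.getInstance(sigAlg);
            verifier.initVerify(cert.getPublicKey());
            verifier.update(probe);
            return verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // wrong key type or malformed signature: not a match
        }
    }

    // Creates an in-memory JKS with one key entry and its full chain;
    // chain[0] must be the end-entity (server) certificate.
    static KeyStore buildKeyStore(PrivateKey key, Certificate[] chain, String alias, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty store
        ks.setKeyEntry(alias, key, password, chain);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: java JksImportExample key.der certs.der out.jks alias password");
            System.exit(2);
        }
        PrivateKey key = loadPkcs8Key(Files.readAllBytes(Paths.get(args[0])));
        Certificate[] chain = loadCertChain(Files.readAllBytes(Paths.get(args[1])));
        if (!keyMatchesCert(key, chain[0])) {
            System.err.println("first certificate in " + args[1] + " does not belong to the private key;"
                + " put the server certificate first, then the CA certificates");
            System.exit(1);
        }
        char[] password = args[4].toCharArray();
        KeyStore ks = buildKeyStore(key, chain, args[3], password);
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password); // one password for key entry and store, as ImportKey does
        }
        System.out.println("Stored key and " + chain.length + " certificate(s) as '" + args[3] + "' in " + args[2]);
    }
}
```

Compile with javac JksImportExample.java and run it as java JksImportExample key.der cert.der keystore.jks importkey importkey. Afterwards, keytool -list -v -keystore keystore.jks shows the entry together with its "Certificate chain length", which is the quickest way to confirm that intermediate and root certificates were actually stored with the key rather than dropped.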

This is exactly what I needed, as I have obtained a developer certificate from Symbian, but the cert request gen tool is a Symbian custom app, and thus generates its own private key.
However, the key it generates does not appear to be in valid PEM format (at least according to openssl, which complains about it):
D:\>d:\OpenSSL\bin\openssl pkcs8 -nocrypt -in ibw2.pem -inform PEM -out ibw2.der -outform DER
Enter PEM pass phrase:
Error decrypting key
4236:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1294:
4236:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509_ALG
OR
4236:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:749:Field=
pkeyalg, Type=PKCS8_PRIV_KEY_INFO
4236:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:.\crypto\pem\pem_oth.c:83:
The key (well, not all of it) is something like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C83F3B63FAD97DA6
TYnfdy/1XQAtAL/R1gVGk1S0DLjXre8BK6fe6tLOzTLIxxczCVQjF9exPqjFypE7
uH9EleWc+7TLHkvN2QLtcG6wXewvHexhcjwjN3MiThrFB29BVDMgHyGf9ZHVUUqs
...
tZJeSwNF0lPJ6/wwwUeyaOJCu0xCSvhMCZ9FBaZgdX+a2s40Kqb/kiQlWPKoNqF6
gAz2xettQCCIV18c7fzHqXeHXics66Tau+3MpG3tN3o6efvJgQU7vw==
-----END RSA PRIVATE KEY-----
I am somewhat stuck in that I can't EXPORT the key from keytool to use in the CSR generator (from Symbian) and I can't import the key/certificate as obtained from Symbian.
Kinda Catch-22....
If you have any suggestions, that would be massively appreciated, thanks
Marco
admin@infinitebw.com
// fill the Certificate[] from the Collection c one entry at a time
int i = 0;
Iterator it = c.iterator();
while (it.hasNext()) {
    certs[i] = (Certificate) it.next();
    i++;
}
Next, I converted all SSL certs from PEM to DER and cat my cert, intermediate cert, and root cert into certs.der. After that, everything worked great.
Hope this helps anyone working with chained certs
I am not sure if this helps, but try adding -topk8 when converting. Hope this helps.
Barry
THE_NAME=name.dummy.com
export THE_NAME
# private key to unencrypted PKCS#8 DER, certificates to DER
openssl pkcs8 -topk8 -nocrypt -in ${THE_NAME}_key.pem -inform PEM -out ${THE_NAME}_key.der -outform DER
openssl x509 -in intermediateCA_cer.pem -inform PEM -out intermediateCA_cer.der -outform DER
openssl x509 -in ${THE_NAME}_cer.pem -inform PEM -out ${THE_NAME}_cer.der -outform DER
# concatenate the DER certificates into one file for ImportKey
cat intermediateCA_cer.der ${THE_NAME}_cer.der > ${THE_NAME}_all_cer.der
javac *.java
java ImportKey ${THE_NAME}_key.der ${THE_NAME}_all_cer.der
keytool -list
But the keystore only shows one entry, any ideas why this is happening?
Thanks,
Johann
What I did was:
changed certs = (Certificate[])c.toArray(); (line 147) to
(Certificate[])c.toArray(new Certificate[0]);
Then I ran the following script:
JAVA_HOME=/usr/java/latest
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
THE_NAME=www.dummy.org
export THE_NAME
# remove the old keystores (keytool default and Tomcat locations)
rm /root/.keystore
rm /usr/share/tomcat5/.keystore
# private key to unencrypted PKCS#8 DER, all certificates to DER
openssl pkcs8 -topk8 -nocrypt -in ${THE_NAME}_key.pem -inform PEM -out ${THE_NAME}_key.der -outform DER
openssl x509 -in rootCA_cer.pem -inform PEM -out rootCA_cer.der -outform DER
openssl x509 -in intermediateCA_cer.pem -inform PEM -out intermediateCA_cer.der -outform DER
openssl x509 -in ${THE_NAME}_cer.pem -inform PEM -out ${THE_NAME}_cer.der -outform DER
# server certificate first, then intermediate, then root
cat ${THE_NAME}_cer.der intermediateCA_cer.der rootCA_cer.der > ${THE_NAME}_all_cer.der
javac *.java
java ImportKey ${THE_NAME}_key.der ${THE_NAME}_all_cer.der
# ImportKey writes keystore.ImportKey into the home directory; copy it into place
cp /root/keystore.ImportKey /root/.keystore
cp /root/.keystore /usr/share/tomcat5/.keystore
keytool -keypass changeit -storepass changeit -list